Anne van Kesteren

From-Origin Response Header

When I argued for Web Platform Consistency with regards to resource loading I suggested that to prevent resources from being embedded cross-origin a From-Origin response header could be introduced. This proposal was inspired by part of the font community that seems really concerned with cross-origin embedding. It would however work for more than just fonts. Authors often wish to not share their images with other sites and a proprietary X-Frame-Options header was introduced to prevent pages from being embedded in frames.

Currently some authors check the Referer (sic) request header and based on its value either show the desired image or an image that tells people not to embed their images. This however is not a robust method as the Referer header is not included for every request (e.g. from secure to insecure) and is also sometimes disabled by antivirus software. It also affects direct linking rather than just embedding.

In contrast the From-Origin header would be bundled with the response and the user agent would make a decision based on its value. If an image located at has From-Origin: same specified and it is embedded on a page located at http://elsewhere.invalid/page the user agent would terminate the connection as soon as it sees the From-Origin header. Embedding that image on would of course work fine. To allow embedding on only specific places, e.g. because the embedded content is located at a content distribution network the value could also be an origin. For instance From-Origin:, to allow embedding of the resource only on the origin. If no From-Origin header is used, embedding will work as it does today. I.e. without restrictions. Similarly access to the raw data (e.g. from an image or font) remains prohibited.

By adopting a proposal similar to this one we can keep the resource loading policies consistent throughout the web platform. In addition we will be able to address the problems authors face with cross-origin embedding of resources in the same way.