
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 5 Apr 2013 19:34:26 +0100
Message-ID: <CADnb78iT0e-_HzrTae40MBiYYD4H1X1ogKgFa9oLs+xtkPTQvw@mail.gmail.com>
To: Dirk Schulze <dschulze@adobe.com>
Cc: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Apr 5, 2013 at 7:26 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> On Apr 5, 2013, at 2:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> The drafts are referencing CORS instead, which seems more appropriate
>> for what is going on. We are protecting the resource that is being
>> loaded, right, not the page itself?
>
> It is the same as JavaScript from a different origin.

No it's not.


> The problem is that a document can reference resources:
>
> <mask id="mask">…</mask>
> <p style="mask: url(#mask)">...</p>
>
> The resources can be from a different origin. Since the resources affect the visual output, the same security restrictions as for JavaScript should apply. That is what Firefox does.
>
> Do you think that this is covered by CORS already?

No.

For each external resource you load you need to track whether it gets
marked as CORS cross-origin or not. The mechanics for fetching are not
entirely in place yet, but http://fetch.spec.whatwg.org/ is the start.
If any resource is CORS cross-origin it's tainted. Then you probably
want a way to opt into cross-origin fetching using CORS so a resource
that is cross-origin can be marked CORS same-origin. That requires
changes to the pieces that initiate the fetching, e.g. url() above.

(I explained this before in an SVG WG meeting at Adobe in Seattle.)


--
http://annevankesteren.nl/
Received on Friday, 5 April 2013 18:34:58 UTC
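
The per-resource tracking described in the message above, as an added example that is not part of the original message: a simplified model (not the Fetch specification's algorithm) that classifies each referenced resource and derives whether the rendered output is tainted. The function names, the `mode` and `credentials` fields, and the `app.example` / `cdn.example` URLs are assumptions made for illustration.

```javascript
// Simplified model of CORS-based tainting; not the Fetch spec algorithm.
// All names and sample values below are constructed for illustration.
const origin = (url) => new URL(url).origin;

// Classify one fetched resource relative to the referencing document.
// mode "no-cors": plain reference, e.g. a bare url(). mode "cors": the opt-in.
function classify(docUrl, res) {
  const docOrigin = origin(docUrl);
  if (origin(res.url) === docOrigin) return "same-origin";
  // Without the opt-in, response headers are irrelevant: the resource loads
  // but stays CORS cross-origin (opaque to the page).
  if (res.mode !== "cors") return "cors-cross-origin";
  const acao = res.headers["access-control-allow-origin"];
  const acac = res.headers["access-control-allow-credentials"];
  const allowed = res.credentials
    ? acao === docOrigin && acac === "true" // "*" is rejected with credentials
    : acao === "*" || acao === docOrigin;
  // A failed CORS check means the resource is not loaded at all.
  return allowed ? "cors-same-origin" : "network-error";
}

// Output is tainted if any resource that actually rendered is CORS cross-origin.
function isTainted(docUrl, resources) {
  return resources
    .map((r) => classify(docUrl, r))
    .filter((c) => c !== "network-error") // never rendered, nothing to protect
    .some((c) => c === "cors-cross-origin");
}

const DOC = "https://app.example/index.html"; // constructed
const SAMPLES = { // constructed responses
  local: { url: "https://app.example/masks.svg#m", mode: "no-cors", credentials: false, headers: {} },
  opaque: { url: "https://cdn.example/masks.svg#m", mode: "no-cors", credentials: false,
    headers: { "access-control-allow-origin": "*" } },
  optedIn: { url: "https://cdn.example/masks.svg#m", mode: "cors", credentials: false,
    headers: { "access-control-allow-origin": "*" } },
  denied: { url: "https://cdn.example/masks.svg#m", mode: "cors", credentials: false, headers: {} },
  credWildcard: { url: "https://cdn.example/masks.svg#m", mode: "cors", credentials: true,
    headers: { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" } },
};

for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(13), classify(DOC, res));
}
```

The `opaque` sample shows why the change has to be made where the fetch is initiated: the server already sends a permissive header, but because the reference did not opt in, the resource still taints the output.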
