
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 6 Apr 2013 18:20:36 +0100
Message-ID: <CADnb78ihszG4NrvZ1E1L-GSnaZymLmeUdh9KDfUnGhp8SpTKXA@mail.gmail.com>
To: Dirk Schulze <dschulze@adobe.com>
Cc: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sat, Apr 6, 2013 at 5:16 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> I mean mask-image: url(…);. In CSS Masking the URI could be a CSS Image or a reference to a resource. Accepted resources are just <mask> elements and the URI must have a fragment identifier for the previously named property. The existence of a fragment identifier decides if we have strict rules, or use the same rules as for images (which do not have restrictions to the origin).

That sounds fucked up. Deciding the fetching policy based on the
presence of a fragment identifier in the URL is a severe layering
violation. What if we introduce a fragment identifier to crop an
image?


> How can scripts change that?

(I thought we were talking about a related problem. Whether SVG taints
<canvas> or not.)


> For images, there are no restrictions on resources at all.

Well, in terms of fetching and in terms of what you can do e.g. with
the image on <canvas> there's definitely tainting going on. You may of
course decide to ignore the tainting if the operation is "safe" (like
showing the image to the user).


--
http://annevankesteren.nl/
Received on Saturday, 6 April 2013 17:21:05 UTC
