Re: [filter-effects][css-masking] Move security model for resources to CSP from Dirk Schulze on 2013-04-08 (public-fx@w3.org from April to June 2013)

From: Dirk Schulze <dschulze@adobe.com>
Date: Mon, 8 Apr 2013 07:50:03 -0700
To: Anne van Kesteren <annevk@annevk.nl>
CC: Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <167FE01B-81A8-40B5-8EEF-B3BA91A8583F@adobe.com>

Sent from my iPhone

On Apr 8, 2013, at 7:40 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> On Mon, Apr 8, 2013 at 3:33 PM, Dirk Schulze <dschulze@adobe.com> wrote:
>> On Apr 8, 2013, at 7:28 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>>> On Sat, Apr 6, 2013 at 10:02 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
>>> Even so that would still mean CSS will have this fragment identifier
>>> presence determines processing behavior bug. Clearly a new syntax
>>> should have been used for masks, e.g. mask(url)...
>> 
>> We try to solve problems, not to create new.
> 
> But this is a problem and it is new.
> 
> 
>> CSS Masking combines the existing mask syntax of SVG (with url()) with the existing prefixed mask-image/mask syntax in WebKit (and now Blink) based browsers. A simple way would be to download the resource and check the type then and proceed depending on the data type. Firefox people asked for a solution to verify on interpreting the property value / URI during parsing.
> 
> That WebKit landed a security bug sounds like the source of the
> problem here. Does WebKit not consider this a security bug? (And that
> we suggested that particular solution, ewww.)

WebKit supports CSS Masking and SVG Masking, both with the mask property, just that the one for CSS Masking is prefixed. CSS Masking does not support SVG Masking yet and the other way around. There is no security bug, nor will there be one with the suggested interpretation of url(). I do not even see how it would harm the web platform today nor in the future. It just affects the url() function allowing us to combine SVG and CSS in a lot more places then just Masking. It allows a lot more possibilities on all CSS properties like taking SVG gradients and patterns as input on the background and border property. It allows fill and stroke properties to take CSS image values (which the SVG WG resolved already). It allows CSS exclusions to reference SVG shapes and CSS images.

At the end I think it does not harm the web, it extends the possibilities.

Greetings
Dirk 

> 
> 
> --
> http://annevankesteren.nl/

Received on Monday, 8 April 2013 14:50:47 UTC