Re: [filter-effects][css-masking] Move security model for resources to CSP from Robert O'Callahan on 2013-05-30 (public-fx@w3.org from April to June 2013)

From: Robert O'Callahan <robert@ocallahan.org>
Date: Fri, 31 May 2013 02:05:51 +1200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Dirk Schulze <dschulze@adobe.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
Message-ID: <CAOp6jLb6E982CLhhVoSCjpcvwoouS2og79A82XhSN-pvTLOtyw@mail.gmail.com>

On Fri, May 31, 2013 at 1:52 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, May 30, 2013 at 2:34 PM, Robert O'Callahan <robert@ocallahan.org>
> wrote:
> > OK then, I think we'd have to use a regular non-CORS request and apply
> > strict same-origin checking at time of use.
>
> And on redirects? There's a same-origin mode for that. You could make
> that CORS as well though if that's the default anyway.
>
>
> > We could however mint a "cors-url(...)" CSS image value which does a CORS
> > fetch and completely fails for cross-origin loads.
>
> You want to succeed for cross-origin fetches if they opt into CORS,
> no? But I'm not sure cors-url() is needed. It's only needed if the
> default is tainted cross-origin fetches.
>

That's what images currently do, so I think that needs to be the default.

Rob
-- 
q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq
qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq
qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq
qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q
qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq
qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"

Received on Thursday, 30 May 2013 14:06:24 UTC