
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 1 Jun 2013 08:52:34 +0100
Message-ID: <CADnb78iFwWKQyzDkrj-1v37XsjkNc0aMYpp8JQASnptMVuMuOw@mail.gmail.com>
To: Dirk Schulze <dschulze@adobe.com>
Cc: "robert@ocallahan.org" <robert@ocallahan.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
On Thu, May 30, 2013 at 3:32 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> As far as I know CSS stylesheets do not follow strict cross origin restrictions. Why would SVG resources need to do it?

Note that not having those restrictions has led to various serious
security issues over the years. If we can make these fetches always
use the CORS mode, that should be done.


--
http://annevankesteren.nl/
Received on Saturday, 1 June 2013 07:53:01 UTC
