Re: [filter-effects][css-masking] Move security model for resources to CSP from Daniel Holbert on 2013-04-09 (public-webappsec@w3.org from April 2013)

From: Daniel Holbert <dholbert@mozilla.com>
Date: Tue, 09 Apr 2013 09:32:26 -0700
To: Dirk Schulze <dschulze@adobe.com>, Anne van Kesteren <annevk@annevk.nl>
CC: "robert@ocallahan.org" <robert@ocallahan.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <5164429A.8090205@mozilla.com>

On 04/09/2013 06:51 AM, Dirk Schulze wrote:
> 
> On Apr 9, 2013, at 6:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I suggest reading carefully through the bug Robert referenced and my
>> analyses in response. We discussed exactly this.
> 
> Great! To be honest it is a bit hard to follow.

(The relevant comments on the bug are comment 0 and comment 3. Comment 0
includes some attack scenarios, including one along the lines of your
Twitter avatar example, and Comment 3 mentions that same-origin
restrictions won't help, given that many sites have open redirectors
hosted at a same-origin URL.)

~Daniel

Received on Tuesday, 9 April 2013 16:32:54 UTC