Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sun, 02 Jun 2013 09:36:54 -0400
Message-ID: <51AB4A76.6070106@mit.edu>
To: Dirk Schulze <dschulze@adobe.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 6/2/13 12:20 AM, Dirk Schulze wrote:
> I think this is the point of confusion here. <use> is not allowed to have cross-origin references in my proposal.

That's what I thought, which is why I couldn't understand why you 
brought up the <use> example in the first place....

> I think there are three solutions:
>
> - remove basic shapes as part of clip-path property (I would dislike that.)
> - remove just the polygon function (This is actually the most useful one IMO.)
> - basic shapes do not have any effect on hit testing. If you want to include hit testing use <clipPath> (with CORS).

At least three more possible options:

- Don't worry about exfiltration via things explicitly intended to be clips.

- Disallow the polygon clip-path stuff only in cross-origin (no CORS) 
stylesheets.

- Disallow the clip-path property altogether in cross-origin (no CORS) 
stylesheets.

I think we should loop in the CSS working group here, since those last 
two options are a bit of a departure from the mental model most users 
have of CSS....

-Boris
Received on Sunday, 2 June 2013 13:37:23 UTC
