Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Wed, 5 Jun 2013 21:35:06 -0700
To: Boris Zbarsky <bzbarsky@MIT.EDU>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <283C5084-B41C-4551-BACE-B3C6B4FAA887@adobe.com>

On Jun 2, 2013, at 10:36 PM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 6/2/13 12:20 AM, Dirk Schulze wrote:
>> I think this is the point of confusion here. <use> is not allowed to have cross-origin references in my proposal.
> 
> That's what I thought, which is why I couldn't understand why you 
> brought up the <use> example in the first place....
> 
>> I think there are three solutions:
>> 
>> - remove basic shapes as part of clip-path property (I would dislike that.)
>> - remove just the polygon function (This is actually the most useful one IMO.)
>> - basic shapes do not have any effect on hit testing. If you want to include hit testing use <clipPath> (with CORS).
> 
> At least three more possible options:
> 
> - Don't worry about exfiltration via things explicitly intended to be clips.
> 
> - Disallow the polygon clip-path stuff only in cross-origin (no CORS) 
> stylesheets.
> 
> - Disallow the clip-path property altogether in cross-origin (no CORS) 
> stylesheets.
> 
> I think we should loop in the CSS working group here, since those last 
> two options are a bit of a departure from the mental model most users 
> have of CSS….

The CSS WG discussed this topic during the joint F2F meeting with the SVG WG on Wednesday. The CSS WG did not see a strong enough threat to special-case or restrict the clip-path property with basic shapes. See the minutes of the meeting [1].

Greetings,
Dirk

[1] http://logs.csswg.org/irc.w3.org/css/?date=2013-06-04

Received on Thursday, 6 June 2013 04:35:42 UTC