
[css-shapes] restricting <uri> in shape-outside to CORS-same-origin?

From: Alan Stearns <stearns@adobe.com>
Date: Fri, 7 Jun 2013 03:39:33 -0700
To: W3C Style <www-style@w3.org>
CC: Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CDD7E775.3AE5C%stearns@adobe.com>

The CSS Shapes draft allows you to use the alpha channel of an image to
create a shape to define a float area [1]. Since content wraps around that
shape, the shape can be resolved using tiny content lines. This creates a
security risk - one example given was an image showing a bar graph of a
bank account's assets. So we should restrict which images can contribute
their alpha channel shapes to shape-outside.

Currently, the <uri> value of shape-outside is defined as:

---
If the <uri> references an image,
the shape is extracted and computed
based on the alpha channel of the
specified image. If the <uri> does
not reference an image, the effect
is as if the value ‘auto’ had been
specified.
---

Would it be sufficient to change the definition to this?

---
If the <uri> references an image
which is CORS-same-origin,
the shape is extracted and computed
based on the alpha channel of the
specified image. If the <uri> does
not reference an image or if it
references an image which is not
CORS-same-origin, the effect
is as if the value ‘auto’ had been
specified.
---

I'm assuming I would link CORS-same-origin to
http://fetch.spec.whatwg.org/#cors-same-origin


Thanks,

Alan

[1] http://dev.w3.org/csswg/css-shapes/#shapes-from-image
Received on Friday, 7 June 2013 10:40:14 UTC
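
The proposed definition modelled as a decision function, added here as an example; it is not part of the original message and is not browser code. Response types follow the Fetch Standard (`basic`, `cors` and `default` are CORS-same-origin, `opaque` is not). The function names, the `mode`, `allowOrigin` and `credentialed` fields, and the example.* URLs are assumptions made for illustration.

```javascript
// Simplified model: no redirects, no preflight, one Access-Control-Allow-Origin value.

// Classify the response the way the Fetch Standard types it.
function responseType(docOrigin, imageUrl, mode, allowOrigin, credentialed) {
  const imageOrigin = new URL(imageUrl).origin;
  if (imageOrigin === docOrigin) return "basic";      // same-origin fetch
  if (mode === "no-cors") return "opaque";            // pixels must stay unreadable
  // mode === "cors": the CORS check passes or the fetch is a network error.
  if (allowOrigin === docOrigin) return "cors";
  if (allowOrigin === "*" && !credentialed) return "cors";
  return "error";
}

// CORS-same-origin responses are those typed basic, cors or default.
function isCorsSameOrigin(type) {
  return type === "basic" || type === "cors" || type === "default";
}

// Used value of shape-outside under the proposed wording:
// "alpha-shape" stands for "shape extracted from the alpha channel".
function usedShapeOutside(docOrigin, resource) {
  if (!resource.isImage) return "auto";
  const type = responseType(docOrigin, resource.url, resource.mode,
                            resource.allowOrigin, resource.credentialed);
  return isCorsSameOrigin(type) ? "alpha-shape" : "auto";
}

// Constructed sample inputs.
const PAGE = "https://page.example";
const samples = {
  sameOrigin:  { url: "https://page.example/img/a.png", isImage: true, mode: "no-cors" },
  crossOpaque: { url: "https://other.example/chart.png", isImage: true, mode: "no-cors" },
  crossCorsOk: { url: "https://other.example/chart.png", isImage: true, mode: "cors",
                 allowOrigin: "https://page.example" },
  crossWildcardCred: { url: "https://other.example/chart.png", isImage: true, mode: "cors",
                       allowOrigin: "*", credentialed: true },
  notAnImage:  { url: "https://page.example/data.json", isImage: false, mode: "no-cors" },
};

for (const [name, res] of Object.entries(samples)) {
  console.log(name.padEnd(18), usedShapeOutside(PAGE, res));
}
```

Only the same-origin image and the cross-origin image whose server opts in with a matching Access-Control-Allow-Origin contribute a shape; every other case behaves as ‘auto’, so line wrapping reveals nothing about the image's alpha channel.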
