W3C home > Mailing lists > Public > www-style@w3.org > June 2013

Re: [css-shapes] restricting <uri> in shape-outside to CORS-same-origin?

From: Lea Verou <lea@w3.org>
Date: Tue, 18 Jun 2013 16:47:24 -0400
Cc: W3C Style <www-style@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Message-Id: <CDACA209-866F-4FEF-8F06-ABBF7479A453@w3.org>
To: Alan Stearns <stearns@adobe.com>
I think it would be less trouble for authors if the shape was rendered correctly, but could not be read from getComputedStyle() or anything similar, akin to what happens with :visited styles. Wouldn’t that be equally secure?


Lea Verou
W3C developer relations
http://w3.org/people/all#leahttp://lea.verou.me ✿ @leaverou






On Jun 7, 2013, at 06:39, Alan Stearns <stearns@adobe.com> wrote:

> The CSS Shapes draft allows you to use the alpha channel of an image to
> create a shape to define a float area [1]. Since content wraps around that
> shape, the shape can be resolved using tiny content lines. This creates a
> security risk - one example given was an image showing a bar graph of a
> bank account's assets. So we should restrict which images can contribute
> their alpha channel shapes to shape-outside.
> 
> Currently, the <uri> value of shape-outside is defined as:
> 
> ---
> If the <uri> references an image,
> the shape is extracted and computed
> based on the alpha channel of the
> specified image. If the <uri> does
> not reference an image, the effect
> is as if the value Œauto¹ had been
> specified.
> ---
> 
> Would it be sufficient to change the definition to this?
> 
> ---
> If the <uri> references an image
> which is CORS-same-origin,
> the shape is extracted and computed
> based on the alpha channel of the
> specified image. If the <uri> does
> not reference an image or if it
> references an image which is not
> CORS-same-origin, the effect
> is as if the value Œauto¹ had been
> specified.
> ---
> 
> I'm assuming I would link CORS-same-origin to
> http://fetch.spec.whatwg.org/#cors-same-origin
> 
> 
> Thanks,
> 
> Alan
> 
> [1] http://dev.w3.org/csswg/css-shapes/#shapes-from-image
> 
> 
Received on Tuesday, 18 June 2013 20:47:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 18 June 2013 20:47:28 UTC