
Re: [csswg-drafts] [css-shapes] Reconsider CORS limitation in CSS Shapes

From: L. David Baron via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 May 2017 22:29:49 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-305027228-1496183388-sysbot+gh@w3.org>

Other ways of using cross-domain images don't allow introspection into the contents of the image -- I think they only get access to the size.  With a url-defined shape, the page gets access to a good bit of detail about the pixel data.  There are pretty substantial security mechanisms in other parts of the Web platform (e.g., canvas tainting) to prevent this sort of information leakage from happening elsewhere.

It's possible the details here need to be tuned (e.g., use of anonymous mode vs other existing options vs. the proposal in whatwg/fetch#517), but I think a CORS check does need to happen for cross-domain images.

-- 
GitHub Notification of comment by dbaron
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305027228 using your GitHub account
Received on Tuesday, 30 May 2017 22:29:56 UTC
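
The gate the message above argues for, as an added example that is not part of the original message or of any browser's code: a simplified model of the Fetch CORS check deciding whether an image's pixel data may define a shape. The function names, the header map and the sample origins are assumptions made for illustration; preflight, redirects and opaque origins are left out.

```javascript
// Added example: simplified model of the Fetch CORS check, applied to an
// image referenced as a url-defined shape. All names are hypothetical.

// Same-origin comparison on scheme, host and port.
function isSameOrigin(documentOrigin, imageUrl) {
  return new URL(imageUrl).origin === documentOrigin;
}

// headers: Map of lowercase response header name -> value.
// credentialsMode "same-origin" models crossorigin="anonymous" (no cookies
// sent cross-origin); "include" models crossorigin="use-credentials".
function corsCheck(documentOrigin, credentialsMode, headers) {
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return false;       // server did not opt in
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== documentOrigin) return false;  // exact match only
  if (credentialsMode !== "include") return true;
  // A credentialed response must additionally be explicitly allowed.
  return headers.get("access-control-allow-credentials") === "true";
}

// True when the page may let the image's pixels shape its layout.
function shapeImageUsable(documentOrigin, imageUrl, credentialsMode, headers) {
  if (isSameOrigin(documentOrigin, imageUrl)) return true;
  return corsCheck(documentOrigin, credentialsMode, headers);
}

// Constructed sample values, not taken from the thread.
const PAGE = "https://app.example";
const IMG = "https://cdn.example/mask.png";
const SAMPLES = [
  ["no CORS headers", "same-origin", new Map()],
  ["wildcard, anonymous", "same-origin",
    new Map([["access-control-allow-origin", "*"]])],
  ["wildcard, credentialed", "include",
    new Map([["access-control-allow-origin", "*"]])],
  ["echoed origin + credentials", "include",
    new Map([["access-control-allow-origin", PAGE],
             ["access-control-allow-credentials", "true"]])],
];
for (const [label, mode, headers] of SAMPLES) {
  console.log(label, "->", shapeImageUsable(PAGE, IMG, mode, headers));
}
```
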
