Re: [csswg-drafts] [css-shapes] Reconsider CORS limitation in CSS Shapes

Other ways of using cross-domain images don't allow introspection into the contents of the image -- I think they only get access to the size.  With a url-defined shape, the page gets access to a good bit of detail about the pixel data.  There are pretty substantial security mechanisms in other parts of the Web platform (e.g., canvas tainting) to prevent this sort of information leakage from happening elsewhere.

It's possible the details here need to be tuned (e.g., use of anonymous mode vs. other existing options vs. the proposal in whatwg/fetch#517), but I think a CORS check does need to happen for cross-domain images.

-- 
GitHub Notification of comment by dbaron
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305027228 using your GitHub account

Received on Tuesday, 30 May 2017 22:29:56 UTC
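
The CORS check discussed in the message above, as an added example that is not part of the original comment or of any browser's code: it models the Fetch Standard's CORS check applied to an image referenced from `shape-outside`, comparing anonymous mode with a credentialed fetch. The function names, the plain-object header format and the sample URLs are assumptions constructed for illustration.

```javascript
// Added illustration: decide whether a cross-origin image response may be
// used as a shape source, following the Fetch Standard's CORS check.

function originOf(url) {
  return new URL(url).origin;
}

// headers: plain object keyed by lowercase header name (constructed format).
// credentialsMode: 'same-origin' (anonymous fetch) or 'include'.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;          // server did not opt in
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  if (allowOrigin !== requestOrigin) return false;      // must match exactly
  if (credentialsMode !== 'include') return true;
  // Credentialed responses need an explicit second opt-in; '*' never suffices.
  return headers['access-control-allow-credentials'] === 'true';
}

// crossOriginMode: 'anonymous' or 'use-credentials' (HTML CORS settings).
function shapeImageDecision(documentUrl, imageUrl, crossOriginMode, headers) {
  const docOrigin = originOf(documentUrl);
  if (docOrigin === originOf(imageUrl)) {
    return { usable: true, reason: 'same-origin' };
  }
  const credentialsMode =
    crossOriginMode === 'use-credentials' ? 'include' : 'same-origin';
  const ok = corsCheck(docOrigin, credentialsMode, headers);
  return {
    usable: ok,
    reason: ok ? 'cors-approved' : 'cors-failed',
    credentialsSent: credentialsMode === 'include',
  };
}

// Constructed sample inputs.
const page = 'https://app.example/page.html';
const image = 'https://cdn.example/mask.png';
console.log(shapeImageDecision(page, image, 'anonymous', {}));
console.log(shapeImageDecision(page, image, 'anonymous',
  { 'access-control-allow-origin': '*' }));
console.log(shapeImageDecision(page, image, 'use-credentials',
  { 'access-control-allow-origin': '*' }));
```

In anonymous mode no cookies accompany the cross-origin request, so a wildcard opt-in only exposes what an unauthenticated client could already fetch; the credentialed path requires the server to name the requesting origin explicitly.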