W3C home > Mailing lists > Public > public-css-archive@w3.org > May 2017

Re: [csswg-drafts] [css-shapes] Reconsider CORS limitation in CSS Shapes

From: Alan Stearns via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 May 2017 22:59:21 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-305032478-1496185159-sysbot+gh@w3.org>
Copying a response I sent a while back to the www-style list:

I did not understand the [security] implications either, at first. While you can fairly promiscuously display an image with its alpha data on a web page, what you don't get is scripted access to the data. For the same reason that cross-origin images can taint a Canvas such that you cannot retrieve the pixel information, you should not be able to use shape-outside on untrusted pages to use cross-origin images. You can wrap arbitrarily-small text lines around the shape, allowing scripted access to the alpha data contours. Combined with filters that map arbitrary image data to the alpha channel, you'd get scripted access to all of the pixel data. It's that scripted access that we need to avoid exposing.

GitHub Notification of comment by astearns
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305032478 using your GitHub account
Received on Tuesday, 30 May 2017 22:59:27 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 10:12:54 UTC