
Re: [csswg-drafts] [css-color-4] Security: handling of color-profiles (#5552)

From: Chris Lilley via GitHub <sysbot+gh@w3.org>
Date: Mon, 05 Oct 2020 12:05:19 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-703587843-1601899518-sysbot+gh@w3.org>

> Do you envision any special treatment of these requests by content security policy?

Currently, CSS accesses external resources such as fonts, images, color profiles via the `url()` function. We have discussed specifying a similar but more full-featured function (tentatively called `src()`) which is CORS-aware and usable with CSP, plus some other improvements like usability with string concatenation. This would provide a consistent improvement for all external resources referenced from CSS, rather than solving it multiple times:

 - [[css-values] Define crossorigin, preload and async URL modifiers](https://github.com/w3c/csswg-drafts/issues/1603)
 - [[css-values][all] Define all URL usages in terms of Fetch](https://github.com/w3c/csswg-drafts/issues/562)
 - [[css-font-loading] unclear how CSP interacts with font loads](https://github.com/w3c/csswg-drafts/issues/2113)
 - [[css-fonts-3] [css-fonts-4] Font fetching in anonymous mode makes it impossible to link to fonts behind authentication](https://github.com/w3c/csswg-drafts/issues/3194)
 - [[css-values] Add url() alias that does not accept unquoted URLs](https://github.com/w3c/csswg-drafts/issues/541)

So I guess the answer to your question is "we are working on that, and the solution will not be specific to color profiles"

GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-703587843 using your GitHub account

Received on Monday, 5 October 2020 12:05:22 UTC