Re: [csswg-drafts] [css-color-4] Security: handling of color-profiles (#5552)

From: Chris Lilley via GitHub <sysbot+gh@w3.org>
Date: Mon, 05 Oct 2020 12:05:19 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-703587843-1601899518-sysbot+gh@w3.org>

> Do you envision any special treatment of these requests by content security policy?

Currently, CSS accesses external resources such as fonts, images, color profiles via the `url()` function. We have discussed specifying a similar but more full-featured function (tentatively called `src()`), which is CORS-aware and usable with CSP, plus some other improvements like usability with string concatenation. This would provide a consistent improvement for all external resources referenced from CSS, rather than solving it multiple times:

 - [[css-values] Define crossorigin, preload and async URL modifiers](https://github.com/w3c/csswg-drafts/issues/1603)
 - [[css-values][all] Define all URL usages in terms of Fetch](https://github.com/w3c/csswg-drafts/issues/562)
 - [[css-font-loading] unclear how CSP interacts with font loads](https://github.com/w3c/csswg-drafts/issues/2113)
 - [[css-fonts-3] [css-fonts-4] Font fetching in anonymous mode makes it impossible to link to fonts behind authentication](https://github.com/w3c/csswg-drafts/issues/3194)
 - [[css-values] Add url() alias that does not accept unquoted URLs](https://github.com/w3c/csswg-drafts/issues/541)

So I guess the answer to your question is "we are working on that, and the solution will not be specific to color profiles".

-- 
GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-703587843 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 5 October 2020 12:05:22 UTC