Re: [filter-effects][css-masking] Move security model for resources to CSP from Robert O'Callahan on 2013-04-10 (public-fx@w3.org from April to June 2013)

From: Robert O'Callahan <robert@ocallahan.org>
Date: Wed, 10 Apr 2013 21:18:15 +1200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>
Message-ID: <CAOp6jLa5mhcz3-JrBLe5_F08Y_Z49kxZQRFsTuLkq-GXST1vzg@mail.gmail.com>

On Wed, Apr 10, 2013 at 8:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> If we accept the need for a sandbox domain, same-origin loads becomes
> an option I think. And actually, even in the face of an open redirect
> you could fail flat the moment the target URL becomes cross-origin and
> not fetch it. Several APIs on the platform have a request mode of
> same-origin  (different from tainted cross-origin, which will fetch)
> with an opt in availability for CORS.
>

So we need to turn all kinds of external loads into CORS same-origin loads?

That sounds like it would work, but be quite invasive to spec and implement.

Rob
-- 
q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq
qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq
qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq
qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q
qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq
qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"

Received on Wednesday, 10 April 2013 09:18:42 UTC