Re: [filter-effects][css-masking] Move security model for resources to CSP

On Thu, May 30, 2013 at 12:35 AM, Robert O'Callahan
<robert@ocallahan.org> wrote:
> Note that if we do this, we'll need to continue to apply an origin check
> when filter/mask/clip/use/pattern etc refer to an element in an external
> document, at the time they use the element. Anne, can we make regular image
> loads record presence of an Access-Control-Allow-Origin header if the server
> sends one, without causing the load to fail if it happens to be cross-origin
> with no header?

There's no such concept right now. You either opt into CORS or you get
a tainted cross-origin request which cannot be untainted. Note this
would also be problematic with respect to cookies, unless you'll do
something different for those than tainted cross-origin requests do.


> Even if the spec allows it, that's going to be a pain to implement for us
> since there's currently no notion of delaying CORS-enabled origin checks in
> our code.

There's no such notion in spec-land either.


--
http://annevankesteren.nl/

Received on Thursday, 30 May 2013 13:10:55 UTC