Re: [filter-effects][css-masking] Move security model for resources to CSP

On Fri, May 31, 2013 at 1:10 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, May 30, 2013 at 12:35 AM, Robert O'Callahan
> <robert@ocallahan.org> wrote:
> > Note that if we do this, we'll need to continue to apply an origin check
> > when filter/mask/clip/use/pattern etc refer to an element in an external
> > document, at the time they use the element. Anne, can we make regular
> image
> > loads record presence of an Access-Control-Allow-Origin header if the
> server
> > sends one, without causing the load to fail if it happens to be
> cross-origin
> > with no header?
>
> There's no such concept right now. You either opt into CORS or you get
> a tainted cross-origin request which cannot be untainted. Note this
> would also be problematic with respect to cookies, unless you'll do
> something different for those than tainted cross-origin requests do.
>

OK then, I think we'd have to use a regular non-CORS request and apply
strict same-origin checking at time of use.

We could however mint a "cors-url(...)" CSS image value which does a CORS
fetch and completely fails for cross-origin loads.

Rob
-- 
q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq
qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq
qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq
qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q
qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq
qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"

Received on Thursday, 30 May 2013 13:34:59 UTC