Re: [filter-effects][css-masking] Move security model for resources to CSP from Anne van Kesteren on 2013-05-30 (public-fx@w3.org from April to June 2013)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 30 May 2013 14:52:27 +0100
To: "Robert O'Callahan" <robert@ocallahan.org>
Cc: Dirk Schulze <dschulze@adobe.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
Message-ID: <CADnb78j627SNnqPeFSYa=2TrBQO-CjUE9UnzriPOsnD1dxTN7Q@mail.gmail.com>

On Thu, May 30, 2013 at 2:34 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> OK then, I think we'd have to use a regular non-CORS request and apply
> strict same-origin checking at time of use.

And on redirects? There's a same-origin mode for that. You could make
that CORS as well though if that's the default anyway.

> We could however mint a "cors-url(...)" CSS image value which does a CORS
> fetch and completely fails for cross-origin loads.

You want to succeed for cross-origin fetches if they opt into CORS,
no? But I'm not sure cors-url() is needed. It's only needed if the
default is tainted cross-origin fetches.

--
http://annevankesteren.nl/

Received on Thursday, 30 May 2013 13:52:59 UTC