Re: [filter-effects][css-masking] Move security model for resources to CSP

On Fri, May 31, 2013 at 1:52 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, May 30, 2013 at 2:34 PM, Robert O'Callahan <robert@ocallahan.org>
> wrote:
> > OK then, I think we'd have to use a regular non-CORS request and apply
> > strict same-origin checking at time of use.
>
> And on redirects? There's a same-origin mode for that. You could make
> that CORS as well though if that's the default anyway.
>
>
> > We could however mint a "cors-url(...)" CSS image value which does a CORS
> > fetch and completely fails for cross-origin loads.
>
> You want to succeed for cross-origin fetches if they opt into CORS,
> no? But I'm not sure cors-url() is needed. It's only needed if the
> default is tainted cross-origin fetches.
>

That's what images currently do, so I think that needs to be the default.

Rob

Received on Thursday, 30 May 2013 14:06:24 UTC