Re: [filter-effects][css-masking] Move security model for resources to CSP

On May 30, 2013, at 7:05 AM, Robert O'Callahan <robert@ocallahan.org> wrote:

> On Fri, May 31, 2013 at 1:52 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, May 30, 2013 at 2:34 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> > OK then, I think we'd have to use a regular non-CORS request and apply
> > strict same-origin checking at time of use.
> 
> And on redirects? There's a same-origin mode for that. You could make
> that CORS as well though if that's the default anyway.
> 
> 
> > We could however mint a "cors-url(...)" CSS image value which does a CORS
> > fetch and completely fails for cross-origin loads.
> 
> You want to succeed for cross-origin fetches if they opt into CORS,
> no? But I'm not sure cors-url() is needed. It's only needed if the
> default is tainted cross-origin fetches.
> 
> That's what images currently do, so I think that needs to be the default.

Daniel Holbert asked me an interesting question yesterday: Do external SVG resources (filter, mask, clip-path) behave like stylesheets? And I think they do. With all the restriction in place that you suggested earlier (no secondary resource load of the external SVG resource), is there a strong need to handle SVG resources differently than CSS stylesheets? As far as I know CSS stylesheets do not follow strict cross origin restrictions. Why would SVG resources need to do it?

Greetings,
Dirk

> 
> Rob
> -- 
> q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"

Received on Thursday, 30 May 2013 14:33:59 UTC