Re: [filter-effects][css-masking] Move security model for resources to CSP from Mike West on 2013-04-05 (public-webappsec@w3.org from April 2013)

From: Mike West <mkwst@google.com>
Date: Fri, 5 Apr 2013 14:02:55 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=fv2FL1pD6m44HR9e6msqjo7mzN86hz=UbAW71N2tAoww@mail.gmail.com>

I'd agree. It does seem, however, that these should also be subject to CSP
restrictions, above and beyond the target origin enabling access via CORS.

Does tying the resource loads to the 'style-src' directive make sense?

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Fri, Apr 5, 2013 at 11:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Apr 5, 2013 at 6:58 AM, Dirk Schulze <dschulze@adobe.com> wrote:
> > CSS Masking and Filter Effects describe a security model ... Content
> Security Policy (CSP) spec.
>
> The drafts are referencing CORS instead, which seems more appropriate
> for what is going on. We are protecting the resource that is being
> loaded right, not the page itself?
>
>
> --
> http://annevankesteren.nl/
>
>

Received on Friday, 5 April 2013 12:03:48 UTC