I'd agree. It does seem, however, that these should also be subject to CSP
restrictions, above and beyond the target origin enabling access via CORS.
Does tying the resource loads to the 'style-src' directive make sense?
-mike
--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
On Fri, Apr 5, 2013 at 11:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Fri, Apr 5, 2013 at 6:58 AM, Dirk Schulze <dschulze@adobe.com> wrote:
> > CSS Masking and Filter Effects describe a security model ... Content
> Security Policy (CSP) spec.
>
> The drafts are referencing CORS instead, which seems more appropriate
> for what is going on. We are protecting the resource that is being
> loaded, right, not the page itself?
>
>
> --
> http://annevankesteren.nl/