
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Fri, 5 Apr 2013 11:26:22 -0700
To: Anne van Kesteren <annevk@annevk.nl>
CC: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <7A5639D9-260B-4425-A904-6E6D98CD0682@adobe.com>

On Apr 5, 2013, at 2:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Apr 5, 2013 at 6:58 AM, Dirk Schulze <dschulze@adobe.com> wrote:
>> CSS Masking and Filter Effects describe a security model ... Content Security Policy (CSP) spec.
> The drafts are referencing CORS instead, which seems more appropriate
> for what is going on. We are protecting the resource that is being
> loaded right, not the page itself?

It is the same as JavaScript from a different origin. The problem is that a document can reference resources:

<mask id="mask"></mask>
<p style="mask: url(#mask)">...</p>

The resources can be from a different origin. Since the resources affect the visual output, the same security restrictions as for JavaScript should apply. That is what Firefox does.

Do you think that this is covered by CORS already?


> --
> http://annevankesteren.nl/
Received on Friday, 5 April 2013 18:27:19 UTC
