- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 5 Apr 2013 19:34:26 +0100
- To: Dirk Schulze <dschulze@adobe.com>
- Cc: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 5, 2013 at 7:26 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> On Apr 5, 2013, at 2:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> The drafts are referencing CORS instead, which seems more appropriate
>> for what is going on. We are protecting the resource that is being
>> loaded right, not the page itself?
>
> It is the same as JavaScript from a different origin.

No it's not.

> The problem is that a document can reference resources:
>
> <mask id="mask">…</mask>
> <p class="mask: url(#mask)">...</p>
>
> The resources can be from a different origin. Since the resources
> affect the visual output, the same security restrictions as for
> JavaScript should apply. That is what Firefox does.
>
> Do you think that this is covered by CORS already?

No. For each external resource you load you need to track whether it gets marked as CORS cross-origin or not. The mechanics for fetching are not entirely in place yet, but http://fetch.spec.whatwg.org/ is the start. If any resource is CORS cross-origin it's tainted. Then you probably want a way to opt into cross-origin fetching using CORS so a resource that is cross-origin can be marked CORS same-origin. That requires changes to the pieces that initiate the fetching, e.g. url() above.

(I explained this before in a SVG WG meeting at Adobe in Seattle.)

--
http://annevankesteren.nl/

Received on Friday, 5 April 2013 18:34:58 UTC
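
The taint tracking described in the message above, as an added example that is not part of the original message or of any specification text: a simplified JavaScript model of marking each referenced resource and deriving whether the rendering is tainted. The names `corsMode`, `classifyResource` and `renderingIsTainted` are hypothetical, the URLs are constructed, and a failed CORS check is modeled as a failed load (how browsers treat CORS-mode fetches); redirects and preflights are out of scope.

```javascript
// Simplified model (constructed example): mark every referenced resource,
// then derive whether the rendered output must be treated as tainted.

// Look up a response header case-insensitively.
function header(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// resource.url may be relative, e.g. "#mask" as in url(#mask).
// resource.corsMode: undefined (no opt-in), "anonymous" or "use-credentials"
// (hypothetical opt-in carried by whatever initiates the fetch).
function classifyResource(documentUrl, resource) {
  const docOrigin = new URL(documentUrl).origin;
  const resOrigin = new URL(resource.url, documentUrl).origin;
  if (resOrigin === docOrigin) return "same-origin";

  // No opt-in: the resource loads, but it is CORS cross-origin.
  if (!resource.corsMode) return "CORS cross-origin";

  const allowOrigin = header(resource.responseHeaders, "access-control-allow-origin");
  let approved;
  if (resource.corsMode === "use-credentials") {
    // Credentialed requests need an exact origin match (no wildcard)
    // and an explicit Access-Control-Allow-Credentials: true.
    const allowCreds = header(resource.responseHeaders, "access-control-allow-credentials");
    approved = allowOrigin === docOrigin && allowCreds === "true";
  } else {
    approved = allowOrigin === "*" || allowOrigin === docOrigin;
  }
  // Assumption: a failed CORS check means the load fails outright.
  return approved ? "CORS same-origin" : "network error";
}

// "If any resource is CORS cross-origin it's tainted."
// Failed loads contribute nothing to the output, so they do not taint it.
function renderingIsTainted(documentUrl, resources) {
  return resources.some(
    (r) => classifyResource(documentUrl, r) === "CORS cross-origin"
  );
}
```

A consumer that exposes rendered pixels or computed geometry to script would check `renderingIsTainted` before allowing readback, the same way a canvas refuses readback once a cross-origin image has been drawn into it.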