W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 5 Apr 2013 19:36:27 +0100
Message-ID: <CADnb78hNrQzAwgZSoc5S_v1A4Nmk72E_+UjCUEyV-fE+f_=tMQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 5, 2013 at 1:02 PM, Mike West <mkwst@google.com> wrote:
> I'd agree. It does seem, however, that these should also be subject to CSP
> restrictions, above and beyond the target origin enabling access via CORS.
> Does tying the resource loads to the 'style-src' directive make sense?

Anything fetched via url() should be subject to that already I think.
Not entirely sure about SVG xlink:href pointers. I suspect treating
most of those as style-src makes sense, but not e.g. <svg:script

Received on Friday, 5 April 2013 18:37:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:32 UTC