
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Fri, 5 Apr 2013 12:19:04 -0700
To: Anne van Kesteren <annevk@annevk.nl>
CC: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <5868CBAC-916A-4F43-851B-3ABAE2D389E6@adobe.com>

On Apr 5, 2013, at 11:34 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Apr 5, 2013 at 7:26 PM, Dirk Schulze <dschulze@adobe.com> wrote:
>> On Apr 5, 2013, at 2:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> The drafts are referencing CORS instead, which seems more appropriate
>>> for what is going on. We are protecting the resource that is being
>>> loaded right, not the page itself?
>> 
>> It is the same as JavaScript from a different origin.
> 
> No it's not.
> 
> 
>> The problem is that a document can reference resources:
>> 
>> <mask id="mask"></mask>
>> <p style="mask: url(#mask)">...</p>
>> 
>> The resources can be from a different origin. Since the resources affect the visual output, the same security restrictions as for JavaScript should apply. That is what Firefox does.
>> 
>> Do you think that this is covered by CORS already?
> 
> No.
> 
> For each external resource you load you need to track whether it gets
> marked as CORS cross-origin or not.

Ok, that would be all references (by the url() function) to something other than a CSS Image for CSS Masking and Filter Effects. That can be detected at parse time.

> The mechanics for fetching are not
> entirely in place yet, but http://fetch.spec.whatwg.org/ is the start.
> If any resource is CORS cross-origin it's tainted. Then you probably
> want a way to opt into cross-origin fetching using CORS so a resource
> that is cross-origin can be marked CORS same-origin. That requires
> changes to the pieces that initiate the fetching, e.g. url() above.

Reading the http://fetch.spec.whatwg.org spec, it seems that is what it tries to do. Is there something needed in CSS Masking and Filter Effects? When do you think http://fetch.spec.whatwg.org can be referenced normatively? What should these specs do in the meantime?

> 
> (I explained this before in a SVG WG meeting at Adobe in Seattle.)

According to the logs, you just attended one day [1][2][3]. I couldn't find a discussion about references and resource handling, but maybe the minutes are incomplete. I was not in this meeting myself.

Greetings,
Dirk

[1] http://lists.w3.org/Archives/Public/www-svg/2011Jul/0077.html
[2] http://lists.w3.org/Archives/Public/www-svg/2011Jul/0078.html
[3] http://lists.w3.org/Archives/Public/www-svg/2011Jul/0092.html

> 
> 
> --
> http://annevankesteren.nl/
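As an added illustration (not code from either participant in this thread), a small JavaScript model of the per-resource tracking Anne describes: each url() reference in a mask or filter declaration is resolved against the document URL and classified, and the element counts as tainted as soon as any reference is CORS cross-origin unless a CORS opt-in was recorded for it. The document URL, the sample declarations and the opt-in set are constructed assumptions; how the opt-in is expressed in CSS is left open in the thread.

```javascript
// Constructed example (not from the thread): a model of the per-resource
// tracking proposed above. Document URL, declarations and the CORS opt-in
// list are all assumptions made up for this illustration.

// Matches url(...) tokens, quoted or unquoted, in a property value.
const URL_TOKEN = /url\(\s*(['"]?)([^'")]+)\1\s*\)/g;

// Collect every url() reference from a map of property -> value.
function extractUrlReferences(declarations) {
  const refs = [];
  for (const [property, value] of Object.entries(declarations)) {
    for (const m of value.matchAll(URL_TOKEN)) {
      refs.push({ property, ref: m[2].trim() });
    }
  }
  return refs;
}

// Classify one reference relative to the document it appears in.
// corsOptIn models the "opt into cross-origin fetching using CORS" step.
function classifyReference(documentUrl, ref, corsOptIn = false) {
  if (ref.startsWith('#')) return 'same-document';   // points into this document
  const docOrigin = new URL(documentUrl).origin;
  const target = new URL(ref, documentUrl);          // resolve relative refs
  if (target.origin === docOrigin) return 'same-origin';
  return corsOptIn ? 'cors-same-origin' : 'cors-cross-origin';
}

// The element is tainted as soon as any reference is CORS cross-origin.
function isTainted(documentUrl, declarations, corsOptIns = new Set()) {
  return extractUrlReferences(declarations).some(
    ({ ref }) => classifyReference(documentUrl, ref, corsOptIns.has(ref)) === 'cors-cross-origin'
  );
}

// Constructed sample: one same-document mask, one same-origin clip path,
// one filter fetched from a third-party host.
const DOC = 'https://app.example.com/page.html';
const SAMPLE_DECLARATIONS = {
  mask: 'url(#mask)',
  'clip-path': 'url("/shapes.svg#clip")',
  filter: 'url(https://cdn.example.net/effects.svg#blur)',
};

console.log(extractUrlReferences(SAMPLE_DECLARATIONS).map(
  ({ property, ref }) => `${property}: ${classifyReference(DOC, ref)}`));
console.log('tainted without opt-in:', isTainted(DOC, SAMPLE_DECLARATIONS));
console.log('tainted with opt-in   :',
  isTainted(DOC, SAMPLE_DECLARATIONS, new Set(['https://cdn.example.net/effects.svg#blur'])));
```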
Received on Friday, 5 April 2013 19:19:31 UTC
