Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 6 Apr 2013 08:59:01 +0100
Message-ID: <CADnb78j--=PcZ0WsaPWCHiOiNfPhCQtTFmU3ZPFL0HZz9J-puA@mail.gmail.com>
To: Dirk Schulze <dschulze@adobe.com>
Cc: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Fri, Apr 5, 2013 at 8:19 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> Ok, that would be all references (by url() function) to something else than a CSS Image for CSS Masking and Filter Effects. That can be detected on parse time.

Why? Scripts change that, no? What about the URLs in the SVG resources
these url()s can fetch?


> Reading the http://fetch.spec.whatwg.org spec, it seems that is what it tries to do. Is there something needed on CSS Masking and Filter Effects? When do you think http://fetch.spec.whatwg.org can be referenced normatively? What should these specs do in the meantime?

First of all, you need to make sure that from whatever point you fetch
a resource (and that cannot be a blanket statement encompassing url()
in general, as it's also used for identifiers by mistake) you invoke
the fetch algorithm. For now I suppose you could try to prepare all
CSS specifications for that eventuality so they all at least refer to
a common algorithm for "obtaining a resource".

Then, from what I understood of the problems with filters and masks,
you need to keep track of all those resource fetches and if
one turns out to be tainted, the whole thing is. That seems like
something you can define. And given that CSS is not using CORS yet
(see below) I think that means that anything cross-origin is tainted
(now you probably should make an exception for data and blob URLs
unless they are the result of a redirect, also see the Fetch draft).

Then you need to decide what fetching policy you want for resources.
E.g. background-image:url() uses the "tainted cross-origin" (see
Fetch) as does <img> etc. To use CORS <img> requires an opt-in, <img
crossorigin>. Similarly you might want something like that in CSS.
E.g.

background-image:fetch(url(), policy)

where policy is some set of keywords TBD (I'm happy to help out).

Now on my end I'm working on a number of things, but one of my goals
for this quarter is to get Fetch 80% done, which basically means that
known outstanding issues are resolved.


>> (I explained this before in an SVG WG meeting at Adobe in Seattle.)
>
> According to the logs, you just attended one day [1][2][3]. I couldn't find a discussion about references and resource handling but maybe the minutes are incomplete. I was not in this meeting myself.

Seems that might have been outside of the minutes then :-( Hopefully
the above helps.


--
http://annevankesteren.nl/
Received on Saturday, 6 April 2013 07:59:29 UTC
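
The taint rule described in the message above, sketched as an added example that is not part of the original mail or of any specification. The record shape (`chain`, `subresources`) and the function names are hypothetical, and the sample URLs are constructed; it assumes no CORS, so any cross-origin hop taints.

```javascript
// Added illustration, not spec text. A fetch record is:
//   { chain: [requestedUrl, ...redirectTargets], subresources: [records] }
// "subresources" are the fetches made by the SVG resource itself.

const LOCAL_SCHEMES = new Set(["data:", "blob:"]);

// Taint of a single fetch, following the rule in the message:
// cross-origin is tainted; data:/blob: are exempt unless reached via redirect.
function isTaintedFetch(record, documentOrigin) {
  const chain = record.chain;
  if (chain.length === 0) throw new Error("empty fetch chain");
  const finalUrl = new URL(chain[chain.length - 1]);
  if (LOCAL_SCHEMES.has(finalUrl.protocol)) {
    return chain.length > 1; // only a directly requested data:/blob: is clean
  }
  // Any hop outside the document origin taints, even if the chain returns.
  return chain.some((hop) => new URL(hop).origin !== documentOrigin);
}

// A resource is tainted if its own fetch or any nested fetch is tainted.
function isTaintedResource(record, documentOrigin) {
  return (
    isTaintedFetch(record, documentOrigin) ||
    (record.subresources || []).some((r) => isTaintedResource(r, documentOrigin))
  );
}

// "If one turns out to be tainted, the whole thing is."
function isTaintedEffect(records, documentOrigin) {
  return records.some((r) => isTaintedResource(r, documentOrigin));
}

// Constructed sample data.
const ORIGIN = "https://app.example";
const sameOriginMask = { chain: ["https://app.example/mask.svg"], subresources: [] };
const inlineFilter = { chain: ["data:image/svg+xml,%3Csvg%2F%3E"], subresources: [] };
const redirectedToData = {
  chain: ["https://app.example/r", "data:image/svg+xml,%3Csvg%2F%3E"],
  subresources: [],
};
const nestedCrossOrigin = {
  chain: ["https://app.example/filter.svg"],
  subresources: [{ chain: ["https://cdn.example/photo.png"], subresources: [] }],
};

console.log(isTaintedEffect([sameOriginMask, inlineFilter], ORIGIN));
console.log(isTaintedEffect([sameOriginMask, nestedCrossOrigin], ORIGIN));
```

A tainted effect is one whose rendered pixels must not be observable by the embedding page, which is why a single tainted input poisons the whole result.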