- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 6 Apr 2013 18:20:36 +0100
- To: Dirk Schulze <dschulze@adobe.com>
- Cc: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sat, Apr 6, 2013 at 5:16 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> I mean mask-image: url(…);. In CSS Masking the URI could be a CSS Image or a reference to a resource. Accepted resources are just <mask> elements and the URI must have a fragment identifier for the previously named property. The existence of a fragment identifier decides if we have strict rules, or use the same rules as for images (which do not have restrictions to the origin).

That sounds fucked up. Deciding the fetching policy based on the presence of a fragment identifier in the URL is a severe layering violation. What if we introduce a fragment identifier to crop an image?

> How can scripts change that?

(I thought we were talking about a related problem. Whether SVG taints <canvas> or not.)

> For images, there are no restrictions on resources at all.

Well, in terms of fetching and in terms of what you can do e.g. with the image on <canvas>, there's definitely tainting going on. You may of course decide to ignore the tainting if the operation is "safe" (like showing the image to the user).

--
http://annevankesteren.nl/

Received on Saturday, 6 April 2013 17:21:06 UTC