Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 8 Apr 2013 15:28:57 +0100
Message-ID: <CADnb78hz5_LrkPO4E8p4DRw-_avtoA7zPqfGx8HkNSPjKSj64A@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sat, Apr 6, 2013 at 10:02 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Anne van Kesteren wrote:
>>That sounds fucked up. Deciding the fetching policy based on the
>>presence of a fragment identifier in the URL is a severe layering
>>violation. What if we introduce a fragment identifier to crop an
> http://www.w3.org/TR/css3-images/#image-notation proposes a `image(...)`
> functional notation that can be used where `url(...)` does not suffice,
> and SVG 1.0 and http://www.w3.org/TR/media-frags/ already provide such
> functionality, which can be used in combination with `image(...)`. I've
> http://lists.w3.org/Archives/Public/www-style/2013Mar/0190.html argued
> that there should be an example using `image(...)` in the masking draft
> to avoid this particular confusion.

Even so, that would still mean CSS will have this "fragment identifier
presence determines processing behavior" bug. Clearly a new syntax
should have been used for masks, e.g. mask(url)...

Received on Monday, 8 April 2013 14:29:32 UTC
