Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 8 Apr 2013 15:40:15 +0100
Message-ID: <CADnb78gSnCEgn+M_H-2yUF+11PqAm9GWiTUawOUhekEOq=bTeA@mail.gmail.com>
To: Dirk Schulze <dschulze@adobe.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Apr 8, 2013 at 3:33 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> On Apr 8, 2013, at 7:28 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>> On Sat, Apr 6, 2013 at 10:02 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
>> Even so that would still mean CSS will have this fragment identifier
>> presence determines processing behavior bug. Clearly a new syntax
>> should have been used for masks, e.g. mask(url)...
> We try to solve problems, not to create new.

But this is a problem and it is new.

> CSS Masking combines the existing mask syntax of SVG (with url()) with the existing prefixed mask-image/mask syntax in WebKit (and now Blink) based browsers. A simple way would be to download the resource and check the type then and proceed depending on the data type. Firefox people asked for a solution to verify on interpreting the property value / URI during parsing.

That WebKit landed a security bug sounds like the source of the
problem here. Does WebKit not consider this a security bug? (And that
we suggested that particular solution, ewww.)

Received on Monday, 8 April 2013 14:40:51 UTC
