Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 8 Apr 2013 16:59:07 +0100
Message-ID: <CADnb78j9AMsW-n_RWmBXDqEJU7DBmRBha4_VA=szdGTLgFpKrA@mail.gmail.com>
To: Dirk Schulze <dschulze@adobe.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Apr 8, 2013 at 4:51 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> On Apr 8, 2013, at 8:02 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>> Whether the harm is great or not we can judge in hindsight. However,
>> it seems pretty clear to me that having a different fetching model
>> based upon the fragment identifier in the URL, which exists exactly
>> nowhere in the platform today, is not ideal and will lead to a great
>> deal of confusion.
>>
>> What I could see working: You keep the default "tainted cross-origin"
>> model for url() but do nothing special for fragment identifiers. If
>> the fetched resource is an image, it being CORS cross-origin does not
>> matter. If it is a mask, it does. You then add a way to enable CORS
>> requests using e.g. fetch(url, crossorigin) or some such similarly to
>> how HTML enabled a couple of elements to do just that.
> I agree, this was and still is my preferred way: to interpret the downloaded resource. However, it was a direct request of Mozilla to differ at parse time before downloading.

Did the request come with rationale? I suppose they're on this list
and can reply to us :-)

Received on Monday, 8 April 2013 15:59:35 UTC