Re: [filter-effects][css-masking] Move security model for resources to CSP

On Tue, Apr 9, 2013 at 5:43 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> In a later email I suggested not changing the fetching policy based on
> the presence of a fragment identifier and having a way to opt into a
> fetching policy that supports cross-origin masks instead (CORS). A way
> that matches how HTML has addressed this. That would also scale better
> if we introduced new types that have a CORS same-origin requirement
> that do not use a fragment.
>

Sure, we can introduce new CSS syntax to force resource loads to take one
path or another. But that doesn't resolve the conflicting requirements:
1) mask: url(foo.svg#mask) needs to be a CORS-enabled fetch, processed as
an external resource document
2) background-image: url(foo.svg) needs to be non-CORS-enabled fetch,
processed as a regular image load
3) mask-image: url(foo.svg) needs to behave just like background-image
4) 'mask' is shorthand for 'mask-image'
If we have to treat url(foo.svg) and url(foo.svg#mask) identically, then we
have to break one of the above requirements. Pick one.

Rob
-- 
q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq
qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq
qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq
qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q
qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq
qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"

Received on Tuesday, 9 April 2013 06:37:36 UTC