Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 9 Apr 2013 18:37:07 +1200
Message-ID: <CAOp6jLaOv0vJYfDg7+CzJXOtWKnveUrX_UF778yiOHap0fGz0A@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Apr 9, 2013 at 5:43 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> In a later email I suggested not changing the fetching policy based on
> the presence of a fragment identifier and having a way to opt into a
> fetching policy that supports cross-origin masks instead (CORS). A way
> that matches how HTML has addressed this. That would also scale better
> if we introduced new types that have a CORS same-origin requirement
> that do not use a fragment.
>

Sure, we can introduce new CSS syntax to force resource loads to take one
path or another. But that doesn't resolve the conflicting requirements:

1) mask: url(foo.svg#mask) needs to be a CORS-enabled fetch, processed as
   an external resource document
2) background-image: url(foo.svg) needs to be a non-CORS-enabled fetch,
   processed as a regular image load
3) mask-image: url(foo.svg) needs to behave just like background-image
4) 'mask' is shorthand for 'mask-image'

If we have to treat url(foo.svg) and url(foo.svg#mask) identically, then we
have to break one of the above requirements. Pick one.

Rob
Received on Tuesday, 9 April 2013 06:37:36 UTC
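
The conflict described in the message above can be checked by brute force. This is an added example, not part of the original e-mail or of any specification: it enumerates every assignment of a fetch mode to the three properties and two URLs named in the message. The model is an assumption, in particular the reading of "shorthand" as "same fetch mode for the same url() value" and the function names.

```javascript
// Added illustration; the model is an assumption, not spec text.
const PROPS = ["mask", "mask-image", "background-image"];
const URLS = ["foo.svg", "foo.svg#mask"];
const key = (prop, url) => `${prop}|${url}`;

// The four requirements from the message, as predicates over a policy
// (a Map from "property|url" to "cors" or "no-cors").
const REQUIREMENTS = {
  1: (p) => p.get(key("mask", "foo.svg#mask")) === "cors",
  2: (p) => p.get(key("background-image", "foo.svg")) === "no-cors",
  3: (p) =>
    p.get(key("mask-image", "foo.svg")) ===
    p.get(key("background-image", "foo.svg")),
  // Assumption: shorthand means 'mask' and 'mask-image' fetch the same url() alike.
  4: (p) =>
    URLS.every((u) => p.get(key("mask", u)) === p.get(key("mask-image", u))),
};

// "Treat url(foo.svg) and url(foo.svg#mask) identically."
const fragmentBlind = (p) =>
  PROPS.every((prop) => p.get(key(prop, URLS[0])) === p.get(key(prop, URLS[1])));

// Every possible policy: 2 modes over 3 properties x 2 URLs = 64 candidates.
function* allPolicies() {
  const slots = PROPS.flatMap((prop) => URLS.map((u) => key(prop, u)));
  for (let bits = 0; bits < 1 << slots.length; bits++) {
    yield new Map(
      slots.map((s, i) => [s, (bits >> i) & 1 ? "cors" : "no-cors"])
    );
  }
}

// Count policies that meet the listed requirements, optionally also
// requiring that the fragment never changes the fetch mode.
function countPolicies(requirementIds, { ignoreFragment }) {
  let n = 0;
  for (const p of allPolicies()) {
    if (ignoreFragment && !fragmentBlind(p)) continue;
    if (requirementIds.every((id) => REQUIREMENTS[id](p))) n++;
  }
  return n;
}

console.log("all four, fragment ignored:", countPolicies([1, 2, 3, 4], { ignoreFragment: true }));
console.log("all four, fragment honoured:", countPolicies([1, 2, 3, 4], { ignoreFragment: false }));
```

Under this model no fragment-blind policy meets all four requirements, while dropping any single requirement leaves exactly one.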