- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 9 Apr 2013 07:54:35 +0100
- To: "Robert O'Callahan" <robert@ocallahan.org>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Apr 9, 2013 at 7:37 AM, Robert O'Callahan <robert@ocallahan.org> wrote: > Sure, we can introduce new CSS syntax to force resource loads to take one > path or another. But that doesn't resolve the conflicting requirements: > 1) mask: url(foo.svg#mask) needs to be a CORS-enabled fetch, processed as an > external resource document > 2) background-image: url(foo.svg) needs to be non-CORS-enabled fetch, > processed as a regular image load > 3) mask-image: url(foo.svg) needs to behave just like background-image > 4) 'mask' is shorthand for 'mask-image' > If we have to treat url(foo.svg) and url(foo.svg#mask) identically, then we > have to break one of the above requirements. Pick one. You say "needs to be". Does that mean there's wiggle room given current implementations? As I said before, they could all use "tainted cross-origin" as fetching model and for returned mask resources that means they will not work if marked CORS cross-origin. If you want untainted mask resources you'd have to use new syntax that opts into the "CORS" fetching model which gives you CORS same-origin resources or a network error. -- http://annevankesteren.nl/
Received on Tuesday, 9 April 2013 07:01:12 UTC