W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 9 Apr 2013 22:54:05 +1200
Message-ID: <CAOp6jLZrvX0eP6rt8-zeFdCJQaCeHxG7+Vt4b4uk+5xGtJEOmw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Dirk Schulze <dschulze@adobe.com>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Apr 9, 2013 at 6:54 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> You say "needs to be". Does that mean there's wiggle room given
> current implementations? As I said before, they could all use "tainted
> cross-origin" as fetching model and for returned mask resources that
> means they will not work if marked CORS cross-origin.

That's an incompatible change for cross-origin SVG resources served with
Access-Control-Allow-Origin. I suppose usage is low enough that is probably
acceptable. So I think your approach to unifying the fetch algorithm could
work OK.

The remaining problem is "processed as an external resource document" vs
"processed as a regular image load". For security reasons we restrict SVG
image documents severely: in particular they may not trigger any kind of
external load (e.g. images) of their own. On the other hand, SVG external
resource documents are treated more leniently; they may load external
images and other (same-origin) SVG external resource documents. I don't
think we could maintain this distinction with your proposal. We can't relax
the constraints on SVG image documents, so we'd have to severely restrict
SVG external resource documents loaded via url(). They aren't currently
used much (Webkit doesn't support them at all) so we could do that, but it
would mean altering the SVG spec in incompatible ways and there might be
content that breaks.

And I'd really want to try implementing it before committing to this
approach, since there might be lurking problems.

q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq
qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq
qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq
qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q
qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq
qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Tuesday, 9 April 2013 10:54:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:32 UTC