
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Daniel Holbert <dholbert@mozilla.com>
Date: Tue, 09 Apr 2013 09:32:26 -0700
Message-ID: <5164429A.8090205@mozilla.com>
To: Dirk Schulze <dschulze@adobe.com>, Anne van Kesteren <annevk@annevk.nl>
CC: "robert@ocallahan.org" <robert@ocallahan.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 04/09/2013 06:51 AM, Dirk Schulze wrote:
> 
> On Apr 9, 2013, at 6:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I suggest reading carefully through the bug Robert referenced and my
>> analyses in response. We discussed exactly this.
> 
> Great! To be honest it is a bit hard to follow.

(The relevant comments on the bug are comment 0 and comment 3. Comment 0
includes some attack scenarios, including one along the lines of your
Twitter avatar example, and Comment 3 mentions that same-origin
restrictions won't help, given that many sites have open redirectors
hosted at a same-origin URL.)

~Daniel
Received on Tuesday, 9 April 2013 16:32:54 UTC
