Re: [filter-effects][css-masking] Move security model for resources to CSP

On 04/09/2013 06:51 AM, Dirk Schulze wrote:
> 
> On Apr 9, 2013, at 6:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I suggest reading carefully through the bug Robert referenced and my
>> analyses in response. We discussed exactly this.
> 
> Great! To be honest it is a bit hard to follow.

(The relevant comments on the bug are comment 0 and comment 3. Comment 0
includes some attack scenarios, including one along the lines of your
Twitter avatar example, and comment 3 mentions that same-origin
restrictions won't help, given that many sites have open redirectors
hosted at a same-origin URL.)

~Daniel

Received on Tuesday, 9 April 2013 16:32:54 UTC