
Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Wed, 10 Apr 2013 06:43:47 -0700
To: "robert@ocallahan.org" <robert@ocallahan.org>
CC: Anne van Kesteren <annevk@annevk.nl>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>
Message-ID: <05B1FEAE-9F58-46A5-A390-85F17BFE2D63@adobe.com>

On Apr 10, 2013, at 2:18 AM, "Robert O'Callahan" <robert@ocallahan.org> wrote:

> On Wed, Apr 10, 2013 at 8:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
>> If we accept the need for a sandbox domain, same-origin loads become
>> an option I think. And actually, even in the face of an open redirect
>> you could fail flat the moment the target URL becomes cross-origin and
>> not fetch it. Several APIs on the platform have a request mode of
>> same-origin (different from tainted cross-origin, which will fetch)
>> with an opt-in availability for CORS.
>
> So we need to turn all kinds of external loads into CORS same-origin loads?
>
> That sounds like it would work, but be quite invasive to spec and implement.

It also affects a lot of specifications: CSS3 Images, SVG, Filter Effects and of course CSS Masking. In the future it could be CSS Text Decoration as well (when fill and stroke get specified to apply on text).

Greetings
Dirk


Rob
--
"If you love those who love you, what credit is that to you? Even sinners love those who love them. And if you do good to those who are good to you, what credit is that to you? Even sinners do that."
Received on Wednesday, 10 April 2013 13:45:11 UTC
