Re: [filter-effects][css-masking] Move security model for resources to CSP from Anne van Kesteren on 2013-06-01 (public-webappsec@w3.org from June 2013)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 1 Jun 2013 08:52:34 +0100
To: Dirk Schulze <dschulze@adobe.com>
Cc: "robert@ocallahan.org" <robert@ocallahan.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
Message-ID: <CADnb78iFwWKQyzDkrj-1v37XsjkNc0aMYpp8JQASnptMVuMuOw@mail.gmail.com>

On Thu, May 30, 2013 at 3:32 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> As far as I know CSS stylesheets do not follow strict cross origin restrictions. Why would SVG resources need to do it?

Note that not having those restrictions has led to various serious
security issues over the years. If we can make these fetches always
use the CORS mode that should be done.


--
http://annevankesteren.nl/

Received on Saturday, 1 June 2013 07:53:05 UTC