- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sun, 02 Jun 2013 09:36:54 -0400
- To: Dirk Schulze <dschulze@adobe.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 6/2/13 12:20 AM, Dirk Schulze wrote:
> I think this is the point of confusion here. <use> is not allowed to have cross-origin references in my proposal.

That's what I thought, which is why I couldn't understand why you brought up the <use> example in the first place....

> I think there are three solutions:
>
> - remove basic shapes as part of clip-path property (I would dislike that.)
> - remove just the polygon function (This is actually the most useful one IMO.)
> - basic shapes do not have any effect on hit testing. If you want to include hit testing use <clipPath> (with CORS).

At least three more possible options:

- Don't worry about exfiltration via things explicitly intended to be clips.
- Disallow the polygon clip-path stuff only in cross-origin (no CORS) stylesheets.
- Disallow the clip-path property altogether in cross-origin (no CORS) stylesheets.

I think we should loop in the CSS working group here, since those last two options are a bit of a departure from the mental model most users have of CSS....

-Boris

Received on Sunday, 2 June 2013 13:37:23 UTC