- From: Dirk Schulze <dschulze@adobe.com>
- Date: Wed, 5 Jun 2013 21:35:06 -0700
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Jun 2, 2013, at 10:36 PM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 6/2/13 12:20 AM, Dirk Schulze wrote:
>> I think this is the point of confusion here. <use> is not allowed to have cross-origin references in my proposal.
>
> That's what I thought, which is why I couldn't understand why you
> brought up the <use> example in the first place....
>
>> I think there are three solutions:
>>
>> - remove basic shapes as part of clip-path property (I would dislike that.)
>> - remove just the polygon function (This is actually the most useful one IMO.)
>> - basic shapes do not have any effect on hit testing. If you want to include hit testing use <clipPath> (with CORS).
>
> At least three more possible options:
>
> - Don't worry about exfiltration via things explicitly intended to be clips.
>
> - Disallow the polygon clip-path stuff only in cross-origin (no CORS)
> stylesheets.
>
> - Disallow the clip-path property altogether in cross-origin (no CORS)
> stylesheets.
>
> I think we should loop in the CSS working group here, since those last
> two options are a bit of a departure from the mental model most users
> have of CSS….

The CSS WG discussed this topic during the joint F2F meeting with the SVG WG on Wednesday. The CSS WG did not see a strong enough threat to special case or restrict the clip-path property with basic shapes. See minutes of the meeting [1].

Greetings,
Dirk

[1] http://logs.csswg.org/irc.w3.org/css/?date=2013-06-04

>
> -Boris
Received on Thursday, 6 June 2013 04:35:42 UTC