W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Wed, 29 May 2013 11:48:39 -0700
To: "robert@ocallahan.org" <robert@ocallahan.org>
CC: Anne van Kesteren <annevk@annevk.nl>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
Message-ID: <1F06BC72-A0D2-4CA6-AF2E-AA768A99E017@adobe.com>

On Apr 10, 2013, at 2:18 AM, Robert O'Callahan <robert@ocallahan.org> wrote:

> On Wed, Apr 10, 2013 at 8:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> If we accept the need for a sandbox domain, same-origin loads becomes
> an option I think. And actually, even in the face of an open redirect
> you could fail flat the moment the target URL becomes cross-origin and
> not fetch it. Several APIs on the platform have a request mode of
> same-origin  (different from tainted cross-origin, which will fetch)
> with an opt in availability for CORS.
> So we need to turn all kinds of external loads into CORS same-origin loads?
> That sounds like it would work, but be quite invasive to spec and implement.

To recapitulate:

This threat currently focuses on SVGs as image resources and if there are ways to let an SVG image load further resources. An initial test for <img> and CSS Images actually shows that Firefox and Chrome block any external resources of an SVG image right away - independent if the resource has the same origin or not. The bug reports on Chrome [1] and Firefox [2] and this thread actually confirm that.

Maybe CSS and SVG should specify exactly that: No load of any external resources of an SVG file loaded as image. Exclusions of the restrictions can be specified later after more investigations.

Is that something we can agree initially?


[1] https://code.google.com/p/chromium/issues/detail?id=234082#c8
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=628747

> Rob
> -- 
> qqIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Wednesday, 29 May 2013 18:49:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC