Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 30 May 2013 10:26:30 +1200
Message-ID: <CAOp6jLZ929r+f4dpJcTtbxA_NQxEgYp-2EwgNdkFnDsNLVH5og@mail.gmail.com>
To: Dirk Schulze <dschulze@adobe.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>

On Thu, May 30, 2013 at 6:48 AM, Dirk Schulze <dschulze@adobe.com> wrote:

> Maybe CSS and SVG should specify exactly that: No load of any external
> resources of an SVG file loaded as image. Exclusions of the restrictions
> can be specified later after more investigations.
>

If we do that, we prevent unification of "SVG image loads" and "SVG
external resource document loads". Which is a desirable thing, to enable
unifying "-webkit-mask" and SVG "mask" without hacks that make the load
type dependent on a guess of whether you're referring to an SVG mask or an
SVG image.

My latest thought on this is that maybe we should just change SVG external
resource document loads to work like SVG image loads --- those external
documents get no access to external resources of their own. On the face of
it, this is a pretty bad compatibility break, but maybe it's OK since
WebKit/Blink don't support SVG external resource document loads at all!

Rob
Received on Wednesday, 29 May 2013 22:27:05 UTC