W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Wed, 29 May 2013 16:06:04 -0700
To: "robert@ocallahan.org" <robert@ocallahan.org>
CC: Anne van Kesteren <annevk@annevk.nl>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
Message-ID: <974F969A-2ADA-44A4-A139-55F437F6470F@adobe.com>

On May 29, 2013, at 3:26 PM, Robert O'Callahan <robert@ocallahan.org> wrote:

> On Thu, May 30, 2013 at 6:48 AM, Dirk Schulze <dschulze@adobe.com> wrote:
> Maybe CSS and SVG should specify exactly that: No load of any external resources of an SVG file loaded as image. Exclusions of the restrictions can be specified later after more investigations.
> 
> If we do that, we prevent unification of "SVG image loads" and "SVG external resource document loads". Which is a desirable thing, to enable unifying "-webkit-mask" and SVG "mask" without hacks that make the load type dependent on a guess of whether you're referring to an SVG mask or an SVG image.
> 
> My latest thought on this is that maybe we should just change SVG external resource document loads to work like SVG image loads --- those external documents get no access to external resources of their own. On the face of it, this is a pretty bad compatibility break, but maybe it's OK since Webkit/Blink don't support SVG external resource document loads at all!

If we go the way of unifying, then a generalization of all IRIs in SVG might make sense too, including references of <use> element, references of all kind of paint servers, clip-paths, filters and masks.

Greetings,
Dirk

> 
> Rob
> -- 
> qqIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Wednesday, 29 May 2013 23:06:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC