Re: [filter-effects][css-masking] Move security model for resources to CSP

On Thu, May 30, 2013 at 2:34 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> OK then, I think we'd have to use a regular non-CORS request and apply
> strict same-origin checking at time of use.

And on redirects? There's a same-origin mode for that. You could make
that CORS as well though if that's the default anyway.


> We could however mint a "cors-url(...)" CSS image value which does a CORS
> fetch and completely fails for cross-origin loads.

You want to succeed for cross-origin fetches if they opt into CORS,
no? But I'm not sure cors-url() is needed. It's only needed if the
default is tainted cross-origin fetches.


--
http://annevankesteren.nl/

Received on Thursday, 30 May 2013 13:53:01 UTC
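
The options weighed in this message (a non-CORS fetch with a same-origin check at time of use, same-origin mode applied to redirects, and a CORS fetch that succeeds only on opt-in) can be compared with a small model. This is an added example, not part of the original message and not browser or specification code; `fetchModel`, `usableAsMask`, and the URLs are hypothetical, and requests are assumed to carry no credentials.

```javascript
// Added illustration: a simplified model of request modes, not browser or spec code.
const originOf = (u) => new URL(u).origin;

// hops: constructed list [{ url, acao }]. hops[0] is the requested URL, later
// entries are redirect targets; acao is that hop's Access-Control-Allow-Origin.
function fetchModel(docUrl, hops, mode) {
  const doc = originOf(docUrl);
  let leftOrigin = false; // set once any hop in the chain was cross-origin
  for (const hop of hops) {
    if (originOf(hop.url) !== doc) leftOrigin = true;
    if (!leftOrigin) continue; // chain is still purely same-origin
    if (mode === "same-origin") return "network-error";
    if (mode === "cors" && hop.acao !== "*" && hop.acao !== doc) {
      return "network-error"; // server did not opt in (no credentials assumed)
    }
  }
  if (!leftOrigin) return "same-origin";
  return mode === "cors" ? "cors-approved" : "tainted";
}

// Use-time policy for a filter or mask reference: only untainted data is usable.
function usableAsMask(result) {
  return result === "same-origin" || result === "cors-approved";
}

// Constructed sample inputs.
const DOC = "https://site.example/page.html";
const direct = [{ url: "https://cdn.example/mask.svg", acao: null }];
const optIn = [{ url: "https://cdn.example/mask.svg", acao: "https://site.example" }];
const redirected = [
  { url: "https://site.example/mask.svg", acao: null }, // same-origin first hop
  { url: "https://cdn.example/mask.svg", acao: null },  // redirect leaves the origin
];

for (const mode of ["no-cors", "same-origin", "cors"]) {
  console.log(mode, "direct:", fetchModel(DOC, direct, mode),
    "| opt-in:", fetchModel(DOC, optIn, mode),
    "| redirected:", fetchModel(DOC, redirected, mode));
}
```

The redirect case is the one raised in the reply: a URL that looks same-origin in the stylesheet can still end up cross-origin, so the check has to cover every hop, not just the first URL.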