W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 30 May 2013 14:52:27 +0100
Message-ID: <CADnb78j627SNnqPeFSYa=2TrBQO-CjUE9UnzriPOsnD1dxTN7Q@mail.gmail.com>
To: "Robert O'Callahan" <robert@ocallahan.org>
Cc: Dirk Schulze <dschulze@adobe.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>
On Thu, May 30, 2013 at 2:34 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> OK then, I think we'd have to use a regular non-CORS request and apply
> strict same-origin checking at time of use.

And on redirects? There's a same-origin mode for that. You could make
that CORS as well though if that's the default anyway.

> We could however mint a "cors-url(...)" CSS image value which does a CORS
> fetch and completely fails for cross-origin loads.

You want to succeed for cross-origin fetches if they opt into CORS,
no? But I'm not sure cors-url() is needed. It's only needed if the
default is tainted cross-origin fetches.

Received on Thursday, 30 May 2013 13:53:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC