Re: [filter-effects][css-masking] Move security model for resources to CSP

From: Dirk Schulze <dschulze@adobe.com>
Date: Fri, 31 May 2013 11:06:54 -0700
To: Boris Zbarsky <bzbarsky@MIT.EDU>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <86F37ABB-8098-486E-9223-6AAC5B31C672@adobe.com>

On May 31, 2013, at 11:05 AM, "Boris Zbarsky" <bzbarsky@MIT.EDU> wrote:

> On 5/31/13 1:51 PM, Dirk Schulze wrote:
>> It is just clipPath that influences hit testing and it would not be different to anything that you can do with the overflow, display, or clip properties.
> 
> overflow/display/clip properties can't leak much data, typically, while 
> arbitrary paths can (in fact in many SVG files the paths _are_ all the 
> data to have).  But if clipping is restricted to paths inside 
> <clipPath>, that helps a lot.  It looks like that's the case?

It is restricted to all information within the same document at the clipPath element. The document is tainted.

Greetings,
Dirk

> 
> -Boris
> 
Received on Friday, 31 May 2013 18:07:24 UTC
