[Css-images] Re: CSS fetch integration

From: Henrik Andersson <henke@henke37.cjb.net>
Date: Tue, 27 Sep 2016 12:14:33 +0200
To: Jonathan Kingston <jonathan@jooped.co.uk>, www-style@w3.org, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <57EA4689.5010106@henke37.cjb.net>
Jonathan Kingston wrote:
> Hi WebAppSec and CSSWG,
>
> As part of the latest SRI spec work, there is a desire to put SRI
> capabilities within CSS[1]. However this would be made simpler with a
> closer integration of CSS with the fetch API on any <url> type properties.
>
> So I have started a draft [2], which I thought I would share in
> its very rough stage to prevent it from stagnating.
>
> The draft covers a rough direction of how all <url> types will behave
> when integrated with CSS, it also covers some of the further
> specification of how referrer headers are handled within CSS.
>
> The draft also at the end covers the use of integrity and crossorigin
> URL modifiers to be used in conjunction with the url data type to
> restrict sub resources with the same checks as is possible in HTML.
>
> Feel free to respond here on thoughts and file issues on Github [3].
>
> Thanks
>
> [1]
> https://github.com/w3c/webappsec-subresource-integrity/issues/40#issuecomment-247964962
> [2] https://jonathankingston.github.io/css-fetch-integration/
> [3]
> https://github.com/jonathanKingston/css-fetch-integration/tree/gh-pages
>

I think this will be an excellent opportunity to clarify what CSS-Images
[1] means with "If the UA cannot download, parse, or otherwise
successfully display the contents at the URL as an image".
In particular with the corner case of an image request having a response
with a 404 reply code, but an image type response body. HTML has some
non-obvious ideas about this. [2] "Whether the image is fetched
successfully or not (e.g., whether the response status was an ok status
<https://fetch.spec.whatwg.org/#ok-status>) must be ignored when
determining the image’s type and whether it is a valid image." Unnatural
as it is, authors probably expect CSS and HTML images to behave
identically in this corner situation.

[1] https://www.w3.org/TR/css3-images/#invalid-image
[2]
http://w3c.github.io/html/semantics-embedded-content.html#fully-decodable
Received on Tuesday, 27 September 2016 10:16:23 UTC
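
The corner case raised in the message above, as an added example that is not part of the original email or of either specification: it compares the quoted HTML rule (status ignored) with a hypothetical status-aware reading of CSS's "cannot download". Function names, the sample responses and the use of leading-byte sniffing as a stand-in for decoding are assumptions.

```javascript
// Added illustration: names and the status-aware policy are assumptions.
// Leading-byte signatures for three common image types (a subset of the
// image patterns in the WHATWG MIME Sniffing standard).
const SIGNATURES = [
  { type: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // GIF89a
  { type: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // GIF87a
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
];

// Returns the sniffed image type, or null when the body is not a known image.
function sniffImageType(body) {
  for (const { type, bytes } of SIGNATURES) {
    if (body.length >= bytes.length && bytes.every((b, i) => body[i] === b)) {
      return type;
    }
  }
  return null;
}

// Fetch's "ok status" is any status in the range 200 to 299.
const isOkStatus = (status) => status >= 200 && status <= 299;

// HTML rule quoted in the message: the status is ignored, only the body decides.
function validUnderHtmlRule(response) {
  return sniffImageType(response.body) !== null;
}

// Hypothetical status-aware reading: a non-ok status counts as a failed download.
function validUnderStatusAwareRule(response) {
  return isOkStatus(response.status) && sniffImageType(response.body) !== null;
}

// Constructed sample responses (status plus the first bytes of the body).
const PNG_HEAD = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
const SAMPLES = {
  okPng: { status: 200, body: Uint8Array.from(PNG_HEAD) },
  notFoundPng: { status: 404, body: Uint8Array.from(PNG_HEAD) },
  notFoundHtml: { status: 404, body: new TextEncoder().encode("<!doctype html>") },
};

// Reports how each policy treats one response.
function compare(response) {
  return {
    html: validUnderHtmlRule(response),
    statusAware: validUnderStatusAwareRule(response),
  };
}
```

Only `notFoundPng` separates the two policies, which is the divergence between CSS and HTML image handling that the message asks the draft to settle.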