- From: Alan Stearns <stearns@adobe.com>
- Date: Fri, 7 Jun 2013 03:39:33 -0700
- To: W3C Style <www-style@w3.org>
- CC: Anne van Kesteren <annevk@annevk.nl>

The CSS Shapes draft allows you to use the alpha channel of an image to create a shape to define a float area [1]. Since content wraps around that shape, the shape can be resolved using tiny content lines. This creates a security risk - one example given was an image showing a bar graph of a bank account's assets. So we should restrict which images can contribute their alpha channel shapes to shape-outside.

Currently, the <uri> value of shape-outside is defined as:

---
If the <uri> references an image, the shape is extracted and computed based on the alpha channel of the specified image. If the <uri> does not reference an image, the effect is as if the value 'auto' had been specified.
---

Would it be sufficient to change the definition to this?

---
If the <uri> references an image which is CORS-same-origin, the shape is extracted and computed based on the alpha channel of the specified image. If the <uri> does not reference an image or if it references an image which is not CORS-same-origin, the effect is as if the value 'auto' had been specified.
---

I'm assuming I would link CORS-same-origin to http://fetch.spec.whatwg.org/#cors-same-origin

Thanks,

Alan

[1] http://dev.w3.org/csswg/css-shapes/#shapes-from-image

Received on Friday, 7 June 2013 10:40:14 UTC
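
The proposed rule in the message above, as an added example that is not part of the original message, the CSS Shapes draft, or any browser's code: a simplified model that decides whether an image may contribute its alpha-channel shape or whether shape-outside falls back to 'auto'. The `corsMode` parameter, the function names, and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration: simplified model of the proposed shape-outside rule.
// Not spec text and not browser code. Assumption: the image fetch is described
// by a hypothetical `corsMode` (null = no-cors, "anonymous", "use-credentials").

// CORS check on the response headers (header names given in lower case).
function corsCheckPasses(docOrigin, sendsCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  // The wildcard is only acceptable when no credentials are sent.
  if (!sendsCredentials && allowOrigin === '*') return true;
  if (allowOrigin !== docOrigin) return false;
  if (!sendsCredentials) return true;
  return headers['access-control-allow-credentials'] === 'true';
}

// Response type: "basic" (same origin), "cors", "opaque" (no-cors) or "error".
function classifyImageResponse(docUrl, imageUrl, corsMode, headers = {}) {
  const docOrigin = new URL(docUrl).origin;
  if (new URL(imageUrl, docUrl).origin === docOrigin) return 'basic';
  if (corsMode === null) return 'opaque';
  const sendsCredentials = corsMode === 'use-credentials';
  return corsCheckPasses(docOrigin, sendsCredentials, headers) ? 'cors' : 'error';
}

// Only "basic" and "cors" responses count as CORS-same-origin in this model;
// anything else behaves as if 'auto' had been specified.
function resolveShapeOutside(docUrl, imageUrl, corsMode, headers) {
  const type = classifyImageResponse(docUrl, imageUrl, corsMode, headers);
  return (type === 'basic' || type === 'cors') ? 'image-alpha-shape' : 'auto';
}

// Constructed sample inputs (hypothetical origins).
const DOC = 'https://shop.example/page.html';
const samples = [
  ['/img/star.png', null, {}],
  ['https://bank.example/assets-graph.png', null, {}],
  ['https://cdn.example/star.png', 'anonymous', { 'access-control-allow-origin': '*' }],
  ['https://cdn.example/star.png', 'use-credentials', { 'access-control-allow-origin': '*' }],
];
for (const [url, mode, headers] of samples) {
  console.log(url, mode, '->', resolveShapeOutside(DOC, url, mode, headers));
}
```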