Re: [css-shapes] restricting <uri> in shape-outside to CORS-same-origin?

On Jun 7, 2013, at 3:39 AM, Alan Stearns <stearns@adobe.com> wrote:

> The CSS Shapes draft allows you to use the alpha channel of an image to
> create a shape to define a float area [1]. Since content wraps around that
> shape, the shape can be resolved using tiny content lines. This creates a
> security risk - one example given was an image showing a bar graph of a
> bank account's assets. So we should restrict which images can contribute
> their alpha channel shapes to shape-outside.
> 
> Currently, the <uri> value of shape-outside is defined as:
> 
> ---
> If the <uri> references an image,
> the shape is extracted and computed
> based on the alpha channel of the
> specified image. If the <uri> does
> not reference an image, the effect
> is as if the value 'auto' had been
> specified.
> ---
> 
> Would it be sufficient to change the definition to this?
> 
> ---
> If the <uri> references an image
> which is CORS-same-origin,
> the shape is extracted and computed
> based on the alpha channel of the
> specified image. If the <uri> does
> not reference an image or if it
> references an image which is not
> CORS-same-origin, the effect
> is as if the value 'auto' had been
> specified.
> ---
> 
> I'm assuming I would link CORS-same-origin to
> http://fetch.spec.whatwg.org/#cors-same-origin

Have you done anything to account for 'element()' images? It would be useful for wrapping around letter forms, but it would be another way to get at an image that was not CORS-same-origin.

Received on Friday, 7 June 2013 14:28:00 UTC
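
Added example, not part of the original thread: a simplified JavaScript model of the check proposed in the quoted message. It classifies an image response the way Fetch does (basic, cors, opaque, or a network error) and applies the proposed fallback to 'auto'. The function names, request fields and sample origins are assumptions made for illustration.

```javascript
// Added example: simplified model of the Fetch response-type rules.
// Function and field names are illustrative, not taken from any specification.

// Classify how a user agent would label the image response.
function responseType({ docOrigin, url, mode = 'no-cors', credentials = false, headers = {} }) {
  const pageOrigin = new URL(docOrigin).origin;
  if (new URL(url, docOrigin).origin === pageOrigin) return 'basic';
  if (mode !== 'cors') return 'opaque'; // plain cross-origin load, no CORS check

  // CORS check on the response headers (keys given in lower case).
  const acao = headers['access-control-allow-origin'];
  const originOk = acao === pageOrigin;
  if (credentials) {
    // A wildcard is never accepted for a credentialed request.
    const credsOk = headers['access-control-allow-credentials'] === 'true';
    return originOk && credsOk ? 'cors' : 'error';
  }
  return originOk || acao === '*' ? 'cors' : 'error';
}

// CORS-same-origin per Fetch: response type is basic, cors or default.
function isCorsSameOrigin(type) {
  return type === 'basic' || type === 'cors' || type === 'default';
}

// Proposed shape-outside rule: take the shape from the alpha channel only
// for a CORS-same-origin image, otherwise behave as if 'auto' was specified.
function shapeOutsideSource(request) {
  return isCorsSameOrigin(responseType(request)) ? 'image-alpha' : 'auto';
}

// Constructed sample requests (origins are placeholders).
const doc = 'https://site.example';
const samples = [
  { docOrigin: doc, url: '/img/logo.png' },
  { docOrigin: doc, url: 'https://bank.example/chart.png' },
  { docOrigin: doc, url: 'https://cdn.example/a.png', mode: 'cors',
    headers: { 'access-control-allow-origin': '*' } },
  { docOrigin: doc, url: 'https://cdn.example/a.png', mode: 'cors', credentials: true,
    headers: { 'access-control-allow-origin': '*' } },
];
for (const s of samples) {
  console.log(s.url, '->', responseType(s), '->', shapeOutsideSource(s));
}
```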