- From: Lea Verou <lea@w3.org>
- Date: Tue, 18 Jun 2013 16:47:24 -0400
- To: Alan Stearns <stearns@adobe.com>
- Cc: W3C Style <www-style@w3.org>, Anne van Kesteren <annevk@annevk.nl>

I think it would be less trouble for authors if the shape was rendered correctly, but could not be read from getComputedStyle() or anything similar, akin to what happens with :visited styles. Wouldn’t that be equally secure?

Lea Verou
W3C developer relations
http://w3.org/people/all#lea ✿ http://lea.verou.me ✿ @leaverou

On Jun 7, 2013, at 06:39, Alan Stearns <stearns@adobe.com> wrote:

> The CSS Shapes draft allows you to use the alpha channel of an image to
> create a shape to define a float area [1]. Since content wraps around that
> shape, the shape can be resolved using tiny content lines. This creates a
> security risk - one example given was an image showing a bar graph of a
> bank account's assets. So we should restrict which images can contribute
> their alpha channel shapes to shape-outside.
>
> Currently, the <uri> value of shape-outside is defined as:
>
> ---
> If the <uri> references an image,
> the shape is extracted and computed
> based on the alpha channel of the
> specified image. If the <uri> does
> not reference an image, the effect
> is as if the value ‘auto’ had been
> specified.
> ---
>
> Would it be sufficient to change the definition to this?
>
> ---
> If the <uri> references an image
> which is CORS-same-origin,
> the shape is extracted and computed
> based on the alpha channel of the
> specified image. If the <uri> does
> not reference an image or if it
> references an image which is not
> CORS-same-origin, the effect
> is as if the value ‘auto’ had been
> specified.
> ---
>
> I'm assuming I would link CORS-same-origin to
> http://fetch.spec.whatwg.org/#cors-same-origin
>
>
> Thanks,
>
> Alan
>
> [1] http://dev.w3.org/csswg/css-shapes/#shapes-from-image
Received on Tuesday, 18 June 2013 20:47:28 UTC
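
The CORS-same-origin rule proposed in the quoted message, modelled as an added sketch (not part of the thread, the CSS Shapes draft, or any browser's code). The function names, the `corsMode` values (borrowed from HTML's crossorigin attribute states) and the example origins are assumptions made for illustration.

```javascript
// Added illustration: classify an image response the way Fetch does, then
// apply the proposed rule that only CORS-same-origin images may contribute
// an alpha-channel shape to shape-outside.

// corsMode (assumed names): "no-cors" for a plain fetch, or "anonymous" /
// "use-credentials" for a CORS-enabled fetch.
// headers: lower-cased response header names mapped to their values.
function classifyResponse(docOrigin, imageUrl, corsMode, headers = {}) {
  if (new URL(imageUrl).origin === docOrigin) return "basic";
  if (corsMode === "no-cors") return "opaque"; // cross-origin, no CORS check
  const allowOrigin = headers["access-control-allow-origin"];
  const allowCreds = headers["access-control-allow-credentials"];
  if (corsMode === "use-credentials") {
    // Credentialed requests need an exact origin match, never "*".
    return allowOrigin === docOrigin && allowCreds === "true" ? "cors" : "error";
  }
  return allowOrigin === "*" || allowOrigin === docOrigin ? "cors" : "error";
}

// Fetch treats basic, cors and default responses as CORS-same-origin.
function isCorsSameOrigin(responseType) {
  return ["basic", "cors", "default"].includes(responseType);
}

// Returns "image-shape" when the alpha channel may define the float area,
// otherwise "auto" (opaque response, or a failed CORS check so no image).
function resolveShapeOutside(docOrigin, imageUrl, corsMode, headers) {
  const type = classifyResponse(docOrigin, imageUrl, corsMode, headers);
  return isCorsSameOrigin(type) ? "image-shape" : "auto";
}

// Constructed sample values, not taken from the thread.
const DOC = "https://app.example";
const GRAPH = "https://bank.example/assets-graph.png";
```
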