
Re: [css-shapes] restricting <uri> in shape-outside to CORS-same-origin?

From: Alan Stearns <stearns@adobe.com>
Date: Tue, 18 Jun 2013 14:01:18 -0700
To: Lea Verou <lea@w3.org>
CC: W3C Style <www-style@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CDE617CE.2C55C%stearns@adobe.com>

On 6/18/13 1:47 PM, "Lea Verou" <lea@w3.org> wrote:

>I think it would be less trouble for authors if the shape was rendered
>correctly, but could not be read from getComputedStyle() or anything
>similar, akin to what happens with :visited styles. Wouldn't that be
>equally secure?

That's the case as specified now. You don't get the shape information in
getComputedStyle() - you just get the URL. The vulnerability comes from
when you wrap content around the shape. When the lines around the shape
'render correctly' the positions of the lines reveal the shape contour.


Received on Tuesday, 18 June 2013 21:02:01 UTC
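
The leak described in the message above, modeled as an added example (not part of the original message or of any browser's code): a simplified left float where each line of text starts just past the shape's rightmost opaque pixel, so the line positions alone recover the contour without the image ever being read. The mask, the function names and the one-pixel layout model are assumptions made for illustration.

```javascript
// Constructed 8x8 alpha mask standing in for the image referenced by
// shape-outside (1 = opaque pixel, 0 = transparent).
const MASK = [
  "11000000",
  "11100000",
  "11110000",
  "11111000",
  "11111100",
  "11111000",
  "11100000",
  "11000000",
].map(row => [...row].map(Number));

// Simplified layout model (assumption): for every line band of `lineHeight`
// pixel rows, wrapped text begins just past the rightmost opaque pixel
// found anywhere in that band.
function lineStartOffsets(mask, lineHeight) {
  const offsets = [];
  for (let top = 0; top < mask.length; top += lineHeight) {
    let edge = 0;
    for (const row of mask.slice(top, top + lineHeight)) {
      edge = Math.max(edge, row.lastIndexOf(1) + 1); // 0 when the row is empty
    }
    offsets.push(edge);
  }
  return offsets;
}

// What an observer of line positions alone can rebuild: one filled run per
// band, i.e. the shape's right-hand contour at line-height resolution.
function contourFromOffsets(offsets, lineHeight, width) {
  return offsets.flatMap(edge =>
    Array.from({ length: lineHeight }, () =>
      "1".repeat(edge).padEnd(width, "0")));
}

// With 1px lines the rebuilt contour equals the mask; taller lines only
// coarsen it, they do not hide it.
const fine = lineStartOffsets(MASK, 1);
const coarse = lineStartOffsets(MASK, 2);
console.log(contourFromOffsets(fine, 1, 8).join("\n"));
console.log(coarse);
```

This is why hiding the shape from getComputedStyle() is not sufficient on its own: the information travels through layout, which is the concern behind restricting the image to CORS-same-origin in the thread subject.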
