Re: [css-shapes] restricting <uri> in shape-outside to CORS-same-origin?

On Tue, Jun 18, 2013 at 1:47 PM, Lea Verou <lea@w3.org> wrote:
> I think it would be less trouble for authors if the shape was rendered correctly, but could not be read from getComputedStyle() or anything similar, akin to what happens with :visited styles. Wouldn’t that be equally secure?

:visited is a special case, because we restrict things such that a
rule with :visited in it can only apply a small whitelist of styles
which we can reasonably lie about.  There's no reasonable way to lie
about the shape's effect on layout.

~TJ

Received on Wednesday, 19 June 2013 07:03:36 UTC