W3C home > Mailing lists > Public > www-style@w3.org > June 2013

Re: [css-shapes] restricting <uri> in shape-outside to CORS-same-origin?

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Wed, 19 Jun 2013 00:02:48 -0700
Message-ID: <CAAWBYDANQeUVfVnQDBSPaRDFBaOUjQUo1y2eJWu13f-+vJz3Og@mail.gmail.com>
To: Lea Verou <lea@w3.org>
Cc: Alan Stearns <stearns@adobe.com>, W3C Style <www-style@w3.org>, Anne van Kesteren <annevk@annevk.nl>
On Tue, Jun 18, 2013 at 1:47 PM, Lea Verou <lea@w3.org> wrote:
> I think it would be less trouble for authors if the shape was rendered correctly, but could not be read from getComputedStyle() or anything similar, akin to what happens with :visited styles. Wouldn’t that be equally secure?

:visited is a special case, because we restrict things such that a
rule with :visited in it can only apply a small whitelist of styles
which we can reasonably lie about.  There's no reasonable way to lie
about the shape's effect on layout.

Received on Wednesday, 19 June 2013 07:03:36 UTC

This archive was generated by hypermail 2.4.0 : Monday, 23 January 2023 02:14:29 UTC