- From: fantasai <fantasai.lists@inkedblade.net>
- Date: Thu, 27 Jun 2013 18:28:57 -0700
- To: "www-style@w3.org" <www-style@w3.org>, www-svg <www-svg@w3.org>, "public-fx@w3.org" <public-fx@w3.org>
These are the official CSSWG minutes. Unless you're correcting the minutes, *Please respond by starting a new thread with an appropriate subject line.* Zoom Media Queries ------------------ Discussed SVG use case of including more details as user zooms in, e.g. on a map. While discussing how to solve this, it became clear that while people have some idea of how zooming is interpreted wrt Media Queries, the whole interaction of 'resolution' and resizing is vastly underdefined and needs work before we can sensibly add related new features. CSS Security ------------ Discussed possibilities of cross-site attacks via CSS. One case that krit brought up wrt importing shapes was dismissed as Not a Problem. Some others raised by roc & bz might need more thought and discussion. Shapes Dependencies ------------------- Brief discussion of SVG proposals' dependencies on Shapes and how to deal with that. ====== Full minutes ====== min-zoom/max-zoom Media Queries ------------------------------- <dbaron> Topic: min-zoom/max-zoom media queries fantasai: Isn't the point of zoom to magnify things [without changing them]? heycam: Some people using mapping content using SVG heycam: want to do some kind of detail control heycam: Suggested this would be something to handle via Media Queries heycam: Situation is some iframes, several levels deep, want to know the zoom level of this map tile heycam: Came back with proposal where you have min-zoom/max-zoom, which is the resulting scale factor from natural size of the thing heycam: e.g. have SVG image shown at 50% of intrinsic size Bert, dbaron: resolution/device-pixel-ratio ? heycam: Does that tell you that inner view is drawn at 4px per 1px of outer view? dbaron: Wrt device pixels heycam: ... See if that's what they need fantasai: it tells you the resolution fantasai: in device pixels per 'px', or 'in', or whatever heycam: asks for clarifications dbaron: It should work. Whether actually works in current implementations, might be a different <dbaron> Need to clarify behavior of 'resolution' media queries under transforms, especially if transforms non-axis-aligned fantasai: I would say, no, transforms don't affect media queries <dbaron> ...but does viewBox? dbaron: But resizing due to change in viewbox would dbaron: I don't know that the spec is clearly enough defined to answer all these questions. Probably should be. dbaron: As an implementor, just went with "this is reasonable, sort of agrees with other browsers, good enough for this week". But probably need to sort out this mess. dbaron: e.g. how does browser zoom ui work, particularly desktop vs. mobile, which have different concepts of zoom heycam: so if 'resolution' doesn't account for intermediate transforms, how amenable would you be to having one that does? krit: Designers want to have different details depending on zoom level cabanier: what about animations? heycam: If what you want to do is to turn on some detailed element at some zoom level, and you're animating the size of the thing, I imagine that's what you'd want to happen heycam: So maybe I go back to talk about whether resolution should work or not glazou: David, you said that resolution, same thing glazou: I think dealing with resolution will be extremely tricky for some Web designer, and dealing with number for min-zoom /max-zoom, would be much easier heycam: Yeah, author would want to say "here's how content looks at default size; at twice magnification, looks like this" glazou: Wrt transforms scaling, ok, you can do that, but in simple case of normal web page where user just pinches, want to show control of whether it's zoomed in or not, don't think resolution provides a good solution glazou: You can't distinguish between iPad Retina and tablet with zooming dbaron: Mobile browser zoom doesn't affect media queries, whereas desktop does dbaron: I agree with everything you said, glazou, but I also want to avoid duplication. dbaron: Think we need to be clear on all these things before adding more to them fantasai: There are basically two types of scaling, graphical and logical. fantasai: Sometimes you're just wanting to magnify what exists. Certain types of UI zoom, and transforms, fall into this category fantasai: Other times actually changing parameters of layout fantasai: Need to be clear on which effects go in which category. glazou: Zooming by user is a user constraint; zooming by author is an author constraint glazou: First one makes sense for zoom, second for resolution SimonSapin: What I think you mean is, the ratio between the intrinsic size of an image and the used size of the image element in the outer document SimonSapin: This does not account for transforms dbaron: Might need another editor of MQ 4 glazou: Florian is very busy right now, will have more time in a few months dbaron: Two big categories of changes that need to happen dbaron: We talked very briefly of doing syntax changes dbaron: To be closer to @supports dbaron: Other was adding queries to represent everything in media types, deprecating media types dbaron: But those are bigger things CSS Security ------------ <krit> https://dvcs.w3.org/hg/FXTF/raw-file/default/masking/index.html#the-clip-path krit: Security question wrt basic shape krit: Can use CSS shapes to define a clipping area krit: Here's an image, can define a clip path on it. krit: Can also be animated krit: Quite easy to apply this clip path krit: Problem is the following krit: Usually you have clip-path inline in your style sheet krit: Can also cross-reference path from a different domain krit: Suppose, e.g. style sheet on mybank.com krit: evil.com tries to reference it krit: question is, can any private data come from this style sheet krit: E.g. can evaluate the shape with pointer events krit: If you clip to circle, outside that doesn't contribute to clipping area krit: Suppose one domain uses clip path to show password or something krit: If you clip anything with this letter here, then the areas outside it don't contribute to hit testing krit: So could scan the clipping path and reingineer what the clip-path could look like dbaron: I think anyone using clip-path to use confidential data is doing it wrong. dbaron: If that's the attack, I'm not that worried about it! dbaron: I would be more worried about an attack that involved treating other data as pieces of a CSS style sheet dbaron: e.g. send someone an email message with some CSS in the subject dbaron: And then closing equivalent to that in another message dbaron: Could retrieve all the subjects in between by requesting a particular URL from Yahoo. dbaron: That I'd be worried about dbaron: But this I'm not worried about glazou: I'm not that worried... Alan asks about some other shape image thing krit: Very weird case. Only one I could come up with as an issue heycam: What if you had a style sheet that just had content property, did hit testing on content krit: That would be a bigger security issue. fantasai: Putting sensitive data in a style sheet's content property also makes no sense at all. heycam discusses other properties exposing things in the same way ... <heycam> My point is if you can show that you can already get some information by testing an element styled by a style sheet from another domain -- e.g. the content property -- then it's fine to have shapes in clip-path, since it's not opening the hole any further. krit: If we agree this is a security problem, then our options are to remove [...] dbaron: I think we pretty much agree that it's not a security problem we want to fix. <dbaron> (unless there's a worse case that we haven't heard yet) dbaron: We could put a note in the spec, that authors shouldn't put sensitive info in clip-path Alan, dino: Don't think this is an issue Bert: Position div for each pixel of your password <dbaron> http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0012.html dino: I don't know why we're even discussing this. Bert: Good to discuss, but I think we can conclude that this is a weird case we don't need to worry about RESOLVED: We don't care, unless bz can come up with something more convincing <dbaron> So I think Boris's concerns in that thread are actually somewhat different from that contrived bank case. <dbaron> maybe more like http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0008.html dbaron: Involves using clip-path on attacker site over <iframe> to victimize site. dbaron: That's more concerning. dbaron: But not useful to discuss here. dino: How is it more of a problem than overflow? dbaron: Not different. <dbaron> message from roc: http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html krit: Boris is referencing a mail of roc. The problem that roc's describing has to do with feDisplacementMap that is based on pixel displacement by color value. In combination with the current defintion of 'pointer-events', it can influence hit testing in a way that it can be used to reveal privacy data. dbaron: The attack I described wasn't what bz described <dbaron> ... since bz was describing something that would be fixed by rejecting clip-path for cross-origin non-CORS style sheets <dbaron> which the attack of a site that controls a site's cross-origin style sheet and can simultaneously frame it isn't fixed by dbaron: This is stuff that needs to be thought about longer. We should be fine, I think. heycam: been awhile since roc's message. should someone look at that? CSS Shapes & co --------------- tav: Things we would most need from Exclusions and Shapes have been removed from latest drafts tav: shape-inside tav: And using SVG paths and shapes Alan: My plan for that is to have that in next level of CSS Shapes Alan: I'm trying to constrain first level of spec to stuff that is most immediately useful to CSS at the moment Alan: I don't think there's an issue with having your SVG work depend on Shapes level 2 instead of Shapes level 1 glazou: Problem is referencing a non-normative document glazou: Discussion in AC forum, W3C suggested references can only be W3C RECs. Document referencing WD can't go to REC plh: But can go to PR. Just can't go to REC. fantasai: I don't think this will be an issue. plh: For the record, Robin Berjon started a thread on chairs list wrt dependencies Alan: Noted, haven't created L2 document yet Alan: question of whether to make L2 doc to park these things in TabAtkins: Make sense. Just put <details class=obsolete> and note things TabAtkins: Maybe I'll rename the class
Received on Friday, 28 June 2013 01:29:33 UTC