- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 6 Apr 2013 08:59:01 +0100
- To: Dirk Schulze <dschulze@adobe.com>
- Cc: "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 5, 2013 at 8:19 PM, Dirk Schulze <dschulze@adobe.com> wrote:
> Ok, that would be all references (by url() function) to something else than a CSS Image for CSS Masking and Filter Effects. That can be detected at parse time.

Why? Scripts change that, no? What about the URLs in the SVG resources these url()s can fetch?

> Reading the http://fetch.spec.whatwg.org spec, it seems that is what it tries to do. Is there something needed for CSS Masking and Filter Effects? When do you think http://fetch.spec.whatwg.org can be referenced normatively? What should these specs do in the meantime?

First of all, you need to make sure that from whatever point you fetch a resource (and that cannot be a blanket statement encompassing url() in general, as it's also used for identifiers by mistake) you invoke the fetch algorithm. For now I suppose you could try to prepare all CSS specifications for that eventuality so they all at least refer to a common algorithm for "obtaining a resource".

Then, from what I understood of the problems with filters and masks, you need to keep track of all those resource fetches and if one turns out to be tainted, the whole thing is. That seems like something you can define. And given that CSS is not using CORS yet (see below) I think that means that anything cross-origin is tainted (now you probably should make an exception for data and blob URLs unless they are the result of a redirect; also see the Fetch draft).

Then you need to decide what fetching policy you want for resources. E.g. background-image:url() uses the "tainted cross-origin" (see Fetch) as does <img> etc. To use CORS <img> requires an opt-in, <img crossorigin>. Similarly you might want something like that in CSS. E.g. background-image:fetch(url(), policy) where policy is some set of keywords TBD (I'm happy to help out).
Now on my end I'm working on a number of things, but one of my goals for this quarter is to get Fetch 80% done, which basically means that known outstanding issues are resolved.

>> (I explained this before in an SVG WG meeting at Adobe in Seattle.)
>
> According to the logs, you just attended one day [1][2][3]. I couldn't find a discussion about references and resource handling but maybe the minutes are incomplete. I was not in this meeting myself.

Seems that might have been outside of the minutes then :-(

Hopefully the above helps.

--
http://annevankesteren.nl/
Received on Saturday, 6 April 2013 07:59:29 UTC
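The message above describes two things a CSS Masking / Filter Effects spec would have to define: tracking every sub-resource fetch an effect triggers and tainting the whole effect if any one of them is tainted, and choosing a fetch policy per reference (the opaque "tainted cross-origin" behaviour of background-image: url() and <img>, versus a CORS opt-in like <img crossorigin>), with the caveat that data: and blob: URLs are exempt unless reached via a redirect. The following is an added example written for this page, not code from the Fetch draft, the CSS specs, or any browser: it models those rules over a constructed in-memory "network". The URLs, the response table, the policy keywords "no-cors" and "cors", and the decision to treat a redirect into data: as tainted are all assumptions of the demo.

```javascript
// Added example (not from the Fetch spec, the CSS specs, or any browser):
// a model of tracking "tainted cross-origin" fetches for a CSS mask/filter
// that pulls in several resources. Every URL, response and policy keyword
// below is a constructed assumption for the demo.

const DOCUMENT_ORIGIN = "https://example.com";

// Constructed network: URL -> response. `refs` are further URLs an SVG
// resource references; `acao` models an Access-Control-Allow-Origin header;
// `redirect` models a 3xx Location.
const NETWORK = {
  "https://example.com/local.svg":       { refs: ["https://example.com/local.png"] },
  "https://example.com/local.png":       {},
  "https://example.com/mask.svg":        { refs: ["https://cdn.example.net/pattern.png"] },
  "https://cdn.example.net/pattern.png": {},
  "https://cdn.example.net/cors.png":    { acao: "https://example.com" },
  "https://example.com/redirect":        { redirect: "https://cdn.example.net/pattern.png" },
  "https://example.com/to-data":         { redirect: "data:image/png;base64,AAAA" },
};

function isCrossOrigin(url) {
  return new URL(url).origin !== DOCUMENT_ORIGIN;
}

// Fetch one resource under a policy keyword (assumed names, after the
// "fetch(url(), policy)" sketch in the message):
//   "no-cors": cross-origin responses are opaque and therefore tainted,
//              the way background-image: url() and <img> behave;
//   "cors":    cross-origin responses are usable only when the ACAO header
//              grants our origin; otherwise the fetch fails outright.
// Returns { ok: true, tainted, url, refs } or { ok: false, error }.
function fetchResource(url, policy, depth = 0) {
  if (depth > 20) return { ok: false, error: "too many redirects" };
  const scheme = url.slice(0, url.indexOf(":"));

  if (scheme === "data" || scheme === "blob") {
    // data:/blob: are untainted when referenced directly. Reached through a
    // redirect they are treated as tainted here (an assumption; current Fetch
    // turns an HTTP redirect to a non-HTTP(S) scheme into a network error).
    return { ok: true, tainted: depth > 0, url, refs: [] };
  }

  const resp = NETWORK[url];
  if (!resp) return { ok: false, error: "network error: " + url };

  if (resp.redirect) {
    const next = fetchResource(resp.redirect, policy, depth + 1);
    // Under no-cors, a cross-origin hop anywhere in the chain taints the result.
    if (next.ok && policy === "no-cors" && isCrossOrigin(url)) next.tainted = true;
    return next;
  }

  const refs = resp.refs || [];
  if (!isCrossOrigin(url)) return { ok: true, tainted: false, url, refs };
  if (policy === "cors") {
    if (resp.acao === "*" || resp.acao === DOCUMENT_ORIGIN) {
      return { ok: true, tainted: false, url, refs };
    }
    return { ok: false, error: "CORS denied: " + url };
  }
  return { ok: true, tainted: true, url, refs }; // opaque response
}

// Resolve a mask/filter: fetch the root resource and, transitively, everything
// it references. One tainted fetch taints the whole effect; one failed fetch
// fails the whole effect.
function resolveEffect(rootUrl, policy = "no-cors") {
  const seen = new Set();
  const queue = [rootUrl];
  const fetched = [];
  let tainted = false;
  while (queue.length) {
    const url = queue.shift();
    if (seen.has(url)) continue;
    seen.add(url);
    const r = fetchResource(url, policy);
    if (!r.ok) return { ok: false, tainted: false, fetched, error: r.error };
    fetched.push(r.url);
    tainted = tainted || r.tainted;
    queue.push(...r.refs);
  }
  return { ok: true, tainted, fetched };
}

// Usage: the same-origin mask is clean, the mask that pulls a CDN image is
// tainted under no-cors and fails under cors without an ACAO grant.
console.log(resolveEffect("https://example.com/local.svg"));
console.log(resolveEffect("https://example.com/mask.svg"));
console.log(resolveEffect("https://example.com/mask.svg", "cors"));
```

The point the model makes concrete is that tainting is a property of the whole effect, not of the url() that started it: mask.svg is same-origin, but because it references a cross-origin PNG the mask is tainted under the default policy, and under the CORS policy the same reference is a hard failure rather than an opaque success.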