
[Bug 16717] New: Security issue with image exclusions

From: <bugzilla@jessica.w3.org>
Date: Thu, 12 Apr 2012 21:58:01 +0000
To: public-css-bugzilla@w3.org
Message-ID: <bug-16717-5148@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=16717

           Summary: Security issue with image exclusions
           Product: CSS
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Exclusions
        AssignedTo: vhardy@adobe.com
        ReportedBy: vhardy@adobe.com
         QAContact: public-css-bugzilla@w3.org
                CC: eoconnor@apple.com, ratan@microsoft.com


The use of images as exclusion areas, especially when combined with the
shape-image-threshold property, is a security concern because, through script,
malicious code could analyze the content of a cross-domain image.

For example, if the attacker uses 1px x 1px inline elements around and inside
an image exclusion and uses script to find the position of the element,
information about the image will be leaked and will allow reconstruction of a
grayscale version of the image.

Received on Thursday, 12 April 2012 21:58:04 GMT
