
[Bug 16112] Address security concern with automatic shape extractions for images

From: <bugzilla@jessica.w3.org>
Date: Wed, 25 Apr 2012 22:22:46 +0000
To: public-css-bugzilla@w3.org
Message-Id: <E1SNAbm-0000YG-Nj@jessica.w3.org>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=16112

Alan Stearns <stearns@adobe.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stearns@adobe.com

--- Comment #2 from Alan Stearns <stearns@adobe.com> 2012-04-25 22:22:46 UTC ---
Comment from Vincent from 16717:

The use of images as exclusion areas, especially when combined with the
shape-image-threshold property, is a security concern because through script,
malicious code could analyze the content of a cross-domain image.

For example, if the attacker uses 1px x 1px inline elements around and inside
an image exclusion and uses script to find the position of the element,
information about the image will be leaked and will allow reconstruction of a
grayscale version of the image.

Received on Wednesday, 25 April 2012 22:22:49 GMT
