
[Bug 16112] New: Address security concern with automatic shape extractions for images

From: <bugzilla@jessica.w3.org>
Date: Fri, 24 Feb 2012 18:34:38 +0000
To: public-css-bugzilla@w3.org
Message-ID: <bug-16112-5148@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=16112

           Summary: Address security concern with automatic shape
                    extractions for images
           Product: CSS
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Exclusions
        AssignedTo: vhardy@adobe.com
        ReportedBy: vhardy@adobe.com
         QAContact: public-css-bugzilla@w3.org
                CC: eoconnor@apple.com, ratan@microsoft.com


From Alex Chiculita:

CSS exclusions shapes extracted from images have security issues that we need
to address in the spec. The leak is pretty easy to demonstrate: you just need
to reference an image from a remote domain as the exclusion shape and set the
line-height of the content to 1px. If enough text content is provided, the
bounding rectangles of the lines of text can be used to reconstruct the
original image. The image created using this technique has just 2 colors (black
& white), but the threshold can be used to obtain multiple snapshots, so
grayscale representations can be extrapolated. I think CORS can save us with
this one, too.

Received on Friday, 24 February 2012 18:34:44 GMT
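
The CORS mitigation suggested in the report, sketched as an added example (not part of the original message or of any spec text): a user agent derives a shape from an image only when the image is same-origin with the document or the response passes the CORS check. The function names, URLs and header sets below are hypothetical and constructed for illustration.

```javascript
// Added example: models the gate a user agent could apply before deriving
// an exclusion shape from an image. All names here are hypothetical.

// Case-insensitive lookup of a response header in a plain object.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns true when the image's geometry may influence layout, i.e. when
// exposing its pixels to the page would not cross an origin boundary.
function mayExtractShape(documentUrl, imageUrl, responseHeaders, withCredentials = false) {
  const docOrigin = new URL(documentUrl).origin;
  const imgOrigin = new URL(imageUrl, documentUrl).origin;

  // Same-origin pixels are already readable by the page; opaque origins
  // (serialized as "null") never count as same-origin.
  if (docOrigin !== "null" && docOrigin === imgOrigin) return true;

  const allowOrigin = headerValue(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false; // server did not opt in: no shape

  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === docOrigin;
  }
  // Credentialed requests: the wildcard is not accepted, and the server
  // must also send Access-Control-Allow-Credentials: true.
  const allowCreds = headerValue(responseHeaders, "Access-Control-Allow-Credentials");
  return allowOrigin === docOrigin && allowCreds === "true";
}

// Constructed sample cases: [image URL, response headers, credentials flag].
const PAGE = "https://app.example/article.html";
const SAMPLES = [
  ["/img/logo.png", {}, false],
  ["https://cdn.example/public.png", { "Access-Control-Allow-Origin": "*" }, false],
  ["https://intranet.example/badge.png", {}, false],
];

function evaluateSamples() {
  return SAMPLES.map(([url, headers, creds]) => mayExtractShape(PAGE, url, headers, creds));
}
```

When the check fails, the safe fallback is to lay out the content as if no image shape had been given, so line boxes carry no information about the remote pixels.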
