
Re: on getting meta-data from images etc.

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 29 Aug 2008 00:21:05 +0200
To: "Dave Singer" <singer@apple.com>, public-html@w3.org
Message-ID: <op.ugma1fc564w2qv@annevk-t60.oslo.opera.com>

On Fri, 29 Aug 2008 00:09:00 +0200, Dave Singer <singer@apple.com> wrote:
> I believe (and someone can correct me if I am wrong) that DOM access to  
> image/video meta-data is problematic because of cross-site scripting:
> e.g. you design a page which you persuade me to load, that manages to  
> load an apple-internal image (which you can't see but I can) which is  
> titled "iPhone 5G desktop model", and your scripts extract that info.  
> from the image and send it back to you....

Yeah, you would only do that for same origin resources or non same origin  
resources that have opted in using the Access Control for Cross-Site  
Requests specification. (See eg how <canvas>.drawImage() and  
<canvas>.toDataURL() interact with respect to that, although they don't  
use the Access Control for Cross-Site Requests specification (yet).)

Anne van Kesteren
Received on Thursday, 28 August 2008 22:21:33 UTC
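
The rule described in the reply above, as an added example that is not part of the original message or of any specification text: a simplified JavaScript model of the read check and of the canvas origin-clean flag. The function names, the `credentialed` field, the lowercase header key and the sample URLs are assumptions made for illustration, and the model applies the cross-site opt-in to the canvas as well, which the message notes was not yet the case.

```javascript
// Simplified model; all names and sample data below are constructed.
const ATTACKER_PAGE = 'https://attacker.example/page.html';
const INTERNAL_IMAGE = {            // reachable by the victim only, no opt-in
  url: 'https://intranet.example/roadmap.png', headers: {},
  credentialed: true, metadata: { title: 'constructed internal title' } };
const OPTED_IN_IMAGE = {            // public resource that opts in for everyone
  url: 'https://cdn.example/logo.png',
  headers: { 'access-control-allow-origin': '*' },
  credentialed: false, metadata: { title: 'public logo' } };

// Two URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// May a script on pageUrl read data derived from this resource?
function mayRead(pageUrl, resource) {
  if (sameOrigin(pageUrl, resource.url)) return true;
  const allow = resource.headers['access-control-allow-origin'];
  if (allow === undefined) return false;             // server did not opt in
  if (allow === '*') return !resource.credentialed;  // wildcard excludes credentialed fetches
  return allow === new URL(pageUrl).origin;
}

// Toy canvas: drawing always works, reading back needs a clean flag.
class ModelCanvas {
  constructor(pageUrl) { this.pageUrl = pageUrl; this.originClean = true; }
  drawImage(resource) {
    if (!mayRead(this.pageUrl, resource)) this.originClean = false;
  }
  toDataURL() {
    if (!this.originClean) throw new Error('SecurityError: canvas is tainted');
    return 'data:image/png;base64,';   // pixel data omitted in this model
  }
}

// Metadata access gated by the same check as pixel read-back.
function readMetadata(pageUrl, resource) {
  if (!mayRead(pageUrl, resource)) {
    throw new Error('SecurityError: cross-origin metadata');
  }
  return resource.metadata;
}
```

The internal image can still be displayed by the attacker's page; what the check blocks is the script reading the title or the pixels back.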
