- From: Stephan Sokolow via GitHub <sysbot+gh@w3.org>
- Date: Sat, 07 Oct 2017 17:48:40 +0000
- To: public-css-archive@w3.org
> The only reason to add a CSS property is if we think that page authors need this control, and such control is common enough that things like <gif-player> aren't sufficient. Correct me if I'm wrong, but doesn't the same-origin poiicy render `<gif-player>` inapplicable for disabling animation on externally-hosted images from domains that don't set an appropriate CORS policy? Also, the argument for using components like `<gif-player>` gives me serious concerns for user uploads, since it would basically require replacing every `<img>` tag with custom in-JavaScript infrastructure to retrieve the image, identify whether it's in a format the browser's native support might animate, and then feed it to a JavaScript-based AniGIF/APNG/etc. renderer if necessary. Not only does that seem far too convoluted for something which is effectively a "troll security" measure to protect against users trying to disrupt other users' browsing experience (much like how one should use CSS to prevent user-submitted long strings of characters from causing changes to the layout beyond the scope of their post), it also seems like a potential performance issue and a decision which would disincentivize doing the right thing. (And it would also be a solution ill-suited to "simple, static, meant-for-reading" pages (forums, wikis, etc.) where every other bit of mitigation for user-submitted content shenanigans can be implemented readily without resorting to client-side JavaScript.) In that latter case, it encourages people like me to take the risk of feeding all user-provided image content through server-side reprocessing to strip extra frames. (At the risk of exposing a vulnerability in the underlying image library which might be leveraged into an exploit across all browsers which visit the site.) -- GitHub Notification of comment by ssokolow Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1615#issuecomment-334953725 using your GitHub account
Received on Saturday, 7 October 2017 17:48:31 UTC