Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

From: Noam Rosenthal via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Aug 2020 12:27:11 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-679993654-1598358430-sysbot+gh@w3.org>

I tend to see the point that orientation/resolution are difficult to obfuscate from the embedder, as they are essentially "embedding instructions".

Perhaps the general discussion about "metadata" is wrong. A resource exposes several types of data:
- Instructions to the embedder, like preferred-size/orientation
- Its own content, including pixel data and things like GPS data, camera information and XMP tags
- Information about how the content is served (like timing)

Seems to me that when we try to mix the first type with the second type, we get to requirements that are difficult/impossible to implement: The embedder still needs to know the size/orientation because correctly displaying other content depends on it, but we try to hide that information to avoid cross-origin information leakage.

We can go for interesting but complex solutions like making `image-orientation` inert in some cases, but as commented, it creates a web compatibility headache.

From what I hear, as long as image orientation is respected, and `image-orientation` CSS is used for backwards compatibility, IMO there is no solution but to close this issue and let that leakage be. (Intrinsic image resolution is a different story, as it doesn't have significant backwards compatibility implications.)

GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-679993654 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 25 August 2020 12:27:13 UTC
