Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

I didn't see it stated very clearly clearly in this issue, so let me first state what I think the information leak is:

Developers can detect whether there is EXIF rotation information in an image by rendering it twice - once with `image-orientation: from-image` and one with `image-orientation: none`, and observing if there is a difference in the layout size of the result.

Therefore, for a cross-domain image, the developer can obtain one bit of information about these images.

However, don't sites already know multiple "bits of information" about cross-origin images, such as their width and height?

GitHub Notification of comment by chrishtr
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 1 July 2020 16:59:43 UTC