Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165) from Chris Harrelson via GitHub on 2020-07-01 (public-css-archive@w3.org from July 2020)

From: Chris Harrelson via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Jul 2020 16:59:42 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-652537061-1593622781-sysbot+gh@w3.org>

I didn't see it stated very clearly clearly in this issue, so let me first state what I think the information leak is:

Developers can detect whether there is EXIF rotation information in an image by rendering it twice - once with `image-orientation: from-image` and one with `image-orientation: none`, and observing if there is a difference in the layout size of the result.

Therefore, for a cross-domain image, the developer can obtain one bit of information about these images.

However, don't sites already know multiple "bits of information" about cross-origin images, such as their width and height?

-- 
GitHub Notification of comment by chrishtr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-652537061 using your GitHub account

Received on Wednesday, 1 July 2020 16:59:43 UTC