
Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

From: Chris Harrelson via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Jul 2020 16:59:42 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-652537061-1593622781-sysbot+gh@w3.org>

I didn't see it stated very clearly in this issue, so let me first state what I think the information leak is:

Developers can detect whether there is EXIF rotation information in an image by rendering it twice - once with `image-orientation: from-image` and one with `image-orientation: none`, and observing if there is a difference in the layout size of the result.

Therefore, for a cross-domain image, the developer can obtain one bit of information about these images.

However, don't sites already know multiple "bits of information" about cross-origin images, such as their width and height?

-- 
GitHub Notification of comment by chrishtr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-652537061 using your GitHub account
Received on Wednesday, 1 July 2020 16:59:43 UTC
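
Added example, not part of the message above or of the CSSWG's own material: a small model of the layout-size comparison the comment describes, showing which EXIF orientation values the comparison can actually distinguish. The object shape and the names `layoutSize`, `layoutDiffers` and `SAMPLES` are hypothetical, and treating an out-of-range tag as orientation 1 is an assumption of the model.

```javascript
// Model of layout sizing only (added illustration, not browser code).
// EXIF Orientation values 5-8 include a transpose or 90-degree rotation,
// so honouring them swaps the rendered width and height. Values 2-4 only
// mirror or rotate by 180 degrees and leave the box size unchanged.
const SWAPS_AXES = new Set([5, 6, 7, 8]);

// Layout size of an image for a given image-orientation value.
// `image` is a constructed object: stored pixel dimensions plus the EXIF
// orientation (undefined when the file carries no orientation tag).
function layoutSize(image, imageOrientation) {
  if (imageOrientation !== "from-image" && imageOrientation !== "none") {
    throw new Error("unsupported image-orientation: " + imageOrientation);
  }
  const { storedWidth: w, storedHeight: h, exifOrientation } = image;
  // Assumption: a missing or out-of-range tag behaves like orientation 1.
  const valid = Number.isInteger(exifOrientation) &&
    exifOrientation >= 1 && exifOrientation <= 8;
  const o = valid ? exifOrientation : 1;
  if (imageOrientation === "from-image" && SWAPS_AXES.has(o)) {
    return { width: h, height: w };
  }
  return { width: w, height: h };
}

// The comparison from the message: lay the image out twice, compare sizes.
function layoutDiffers(image) {
  const a = layoutSize(image, "from-image");
  const b = layoutSize(image, "none");
  return a.width !== b.width || a.height !== b.height;
}

// Constructed sample images (no real files involved).
const SAMPLES = [
  { label: "no tag, 4000x3000", image: { storedWidth: 4000, storedHeight: 3000 } },
  { label: "orientation 3 (180 deg), 4000x3000", image: { storedWidth: 4000, storedHeight: 3000, exifOrientation: 3 } },
  { label: "orientation 6 (90 deg), 4000x3000", image: { storedWidth: 4000, storedHeight: 3000, exifOrientation: 6 } },
  { label: "orientation 6 (90 deg), 2000x2000", image: { storedWidth: 2000, storedHeight: 2000, exifOrientation: 6 } },
];

// One row per sample: does the two-render comparison show a difference?
function report() {
  return SAMPLES.map(s => ({ label: s.label, differs: layoutDiffers(s.image) }));
}

console.log(report());
```

In this model the size comparison answers a narrower question than "is there EXIF rotation information": it differs only when the tag swaps axes and the stored image is not square, which is what a spec or implementation review of this issue would need to weigh against the width and height a page can already measure.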