
Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

From: Noam Rosenthal via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Jul 2020 17:09:18 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-652541940-1593623357-sysbot+gh@w3.org>

> I didn't see it stated very clearly in this issue, so let me first state what I think the information leak is:
> Developers can detect whether there is EXIF rotation information in an image by rendering it twice - once with `image-orientation: from-image` and one with `image-orientation: none`, and observing if there is a difference in the layout size of the result.
> Therefore, for a cross-domain image, the developer can obtain one bit of information about these images.

Yes, and same for a potential implementation of image-resolution, and for querying image orientation from JavaScript (https://github.com/whatwg/html/issues/5602).

> However, don't sites already know multiple "bits of information" about cross-origin images, such as their width and height?

I think the only bits of information they know right now are an image's width and height. Is exposing related information such as orientation/density a problem? It's hard for me to fathom how that info can be used, but it's difficult to be certain.

GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-652541940 using your GitHub account
Received on Wednesday, 1 July 2020 17:09:21 UTC
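
A model of the comparison discussed in this message, as an added example that is not part of the original post or of any browser's code: it computes layout size under both `image-orientation` values and shows that size alone distinguishes only a non-square image carrying an axis-swapping EXIF orientation (values 5 to 8). The function names and sample dimensions are assumptions made for illustration.

```javascript
// Added illustration: models layout size only; no network or DOM access.
// EXIF Orientation (tag 0x0112) takes values 1-8; values 5-8 include a
// 90-degree turn or transpose, so they swap rendered width and height.
const SWAPS_AXES = new Set([5, 6, 7, 8]);

// Layout size of an image whose stored pixels are width x height.
// `mode` is the image-orientation value: "from-image" or "none".
function layoutSize(stored, exifOrientation, mode) {
  if (mode !== "from-image" && mode !== "none") {
    throw new RangeError(`unsupported image-orientation: ${mode}`);
  }
  // Assumption of this model: a missing or out-of-range tag behaves
  // like orientation 1 (no transform).
  const o = Number.isInteger(exifOrientation) && exifOrientation >= 1 &&
            exifOrientation <= 8 ? exifOrientation : 1;
  const swap = mode === "from-image" && SWAPS_AXES.has(o);
  return swap ? { width: stored.height, height: stored.width }
              : { width: stored.width, height: stored.height };
}

// The single bit a page learns by comparing the two renderings.
function observableBit(stored, exifOrientation) {
  const a = layoutSize(stored, exifOrientation, "from-image");
  const b = layoutSize(stored, exifOrientation, "none");
  return a.width !== b.width || a.height !== b.height;
}

// Constructed samples: a 4000x3000 photo and a 1000x1000 square.
function leakTable() {
  const photo = { width: 4000, height: 3000 };
  const square = { width: 1000, height: 1000 };
  const rows = [];
  for (const o of [undefined, 1, 2, 3, 4, 5, 6, 7, 8]) {
    rows.push({ orientation: o ?? "absent",
                photo: observableBit(photo, o),
                square: observableBit(square, o) });
  }
  return rows;
}

console.table(leakTable());
```

In this model, flips and 180-degree rotations (values 2 to 4) leave the layout box unchanged, so the size comparison cannot tell them apart from an image with no orientation tag.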
