W3C home > Mailing lists > Public > public-css-archive@w3.org > July 2020

Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

From: Yoav Weiss via GitHub <sysbot+gh@w3.org>
Date: Mon, 06 Jul 2020 08:01:08 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-654080602-1594022466-sysbot+gh@w3.org>
One concrete scenario that can be problematic:
PhotoSharing.example allows non-CORS cross-origin fetching of credentialed images, but only for logged-in users or users that belong to a certain group (which the image was shared with).
PhotoSharing.example already knows about the `width` and `height` leak, as well as timing attacks that may result from it not serving the image in the disallowed cases. As a result, it creates an empty image with the same dimensions and makes sure that the response timing looks similar to the real deal (without setting Timing-Allow-Origin on neither image).

But, if the original image contains orientation or resolution information, adding those capabilities would surprise PhotoSharing folks and cause them to potentially expose log-in state or group affiliation across origins.

It seems like this is a problem that will go away when browsers limit cross-origin credentials, but we're not there yet.
 
Would it make sense to only respect orientation/resolution for CORP enabled images? CORP seems like a clear signal saying the image can be embedded. I wonder what would be the impact of that on deployability.

/cc @eeeps @mikewest @arturjanc

-- 
GitHub Notification of comment by yoavweiss
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-654080602 using your GitHub account
Received on Monday, 6 July 2020 08:01:13 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:11 UTC