Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

I found a scenario in the related issue https://github.com/whatwg/html/pull/5574 where some indirect means can be used to figure out the image's resolution. See [this comment](https://github.com/whatwg/html/pull/5574#issuecomment-654100058). I am convinced that this needs to be addressed.

Recapping the two current proposals (following IRC discussion with @annevk):
1. Ignore metadata for opaque-response images
2. Bake the metadata in for opaque-response images (e.g. rotate and scale the image but ignore that notion when applying CSS rotation/srcset scaling).

In either case, a cross-origin image might appear different depending on which origin is embedding it. In (1), it will appear different by default. In (2), it will appear different only in certain cases, e.g. when CSS `image-rotation`, `image-resolution` or `srcset` is being used, or in future scenarios that we are not yet aware of.

Also both (1) and (2) would require changes in current implementations, as `image-orientation: none` is already shipped.

I believe that (1) is easier to implement and grasp; however, it would have a higher chance of breaking some current sites using EXIF-rotated images (if the images are cross-origin and don't have the CORS headers).

-- 
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-654127723 using your GitHub account

Received on Monday, 6 July 2020 09:38:28 UTC
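An added example, not code from the thread or from any browser: a minimal reader for the EXIF Orientation tag in a JPEG APP1 segment, plus a function giving the layout box an embedding page would observe under each of the two proposals above (the constructed sample bytes carry Orientation=6, a 90° rotation, so the box either swaps its axes or not depending on policy). `readExifOrientation`, `layoutSize` and the policy flags are hypothetical names chosen for this illustration.

```javascript
// Minimal EXIF Orientation reader. Assumes a JPEG whose Exif APP1 segment
// precedes the scan data and that the tag, if present, sits in IFD0.
function readExifOrientation(bytes) {
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (dv.getUint16(0) !== 0xffd8) throw new Error("not a JPEG (missing SOI)");
  let pos = 2;
  while (pos + 4 <= bytes.length) {
    const marker = dv.getUint16(pos);
    const len = dv.getUint16(pos + 2);              // segment length, includes these 2 bytes
    if (marker === 0xffe1 && bytes.length >= pos + 10 &&
        String.fromCharCode(...bytes.subarray(pos + 4, pos + 8)) === "Exif") {
      const tiff = pos + 10;                        // TIFF header follows "Exif\0\0"
      const little = dv.getUint16(tiff) === 0x4949; // "II" little-endian, "MM" big-endian
      const ifd0 = tiff + dv.getUint32(tiff + 4, little);
      const count = dv.getUint16(ifd0, little);
      for (let i = 0; i < count; i++) {
        const entry = ifd0 + 2 + i * 12;
        if (dv.getUint16(entry, little) === 0x0112) { // Orientation tag
          return dv.getUint16(entry + 8, little);     // SHORT value is stored inline
        }
      }
      return 1;                                     // Exif present, no Orientation tag
    }
    if (marker === 0xffda) break;                   // start of scan: no more headers
    pos += 2 + len;
  }
  return 1;                                         // no EXIF: default orientation
}

// Constructed sample: SOI, one APP1/Exif segment (big-endian, IFD0 with a single
// Orientation=6 entry), EOI. No image data, enough for the header parser.
const SAMPLE_JPEG = Uint8Array.from([
  0xff, 0xd8, 0xff, 0xe1, 0x00, 0x22,               // SOI, APP1, length 34
  0x45, 0x78, 0x69, 0x66, 0x00, 0x00,               // "Exif\0\0"
  0x4d, 0x4d, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x08,   // "MM", 42, IFD0 at offset 8
  0x00, 0x01,                                       // one IFD entry
  0x01, 0x12, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x06, 0x00, 0x00, // Orientation=6
  0x00, 0x00, 0x00, 0x00, 0xff, 0xd9,               // no next IFD, EOI
]);

// Orientations 5..8 include a 90° rotation, so the rendered box swaps its axes.
const SWAPS_AXES = new Set([5, 6, 7, 8]);

// Layout box of the image. opaque: cross-origin response without CORS.
// proposal 1 ignores EXIF for opaque responses; proposal 2 bakes it in, so
// image-orientation: none cannot undo it. For non-opaque images CSS decides.
function layoutSize(width, height, orientation, { opaque, proposal, imageOrientationNone }) {
  const apply = opaque ? proposal === 2 : !imageOrientationNone;
  return apply && SWAPS_AXES.has(orientation) ? { width: height, height: width } : { width, height };
}
```

Comparing the boxes for the same bytes with `opaque` true and false shows the origin-dependent rendering the comment describes: under (1) the opaque image is never swapped, under (2) it is swapped even with `image-orientation: none`, while a same-origin image follows the CSS property.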