Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

> I found a scenario in the related issue [whatwg/html#5574](https://github.com/whatwg/html/pull/5574) where some indirect means can be used to figure out the image's resolution. See [this comment](https://github.com/whatwg/html/pull/5574#issuecomment-654100058). I am convinced that this needs to be addressed.
> 
> Recapping the two current proposals (following IRC discussion with @annevk):
> 
> 1. Ignore metadata for opaque-response images
> 2. Bake the metadata in for opaque-response images (e.g. rotate and scale the image but ignore that notion when applying CSS rotation/srcset scaling).
> 
> In either case, a cross-origin image might appear different depending on which origin is embedding it. In (1), it will appear different by default. In (2), it will appear different only in certain cases. e.g. when CSS `image-rotation`, `image-resolution` or `srcset` is being used, or in future scenarios that we are not yet aware of.
> 
> Also both (1) and (2) would require changes in current implementations, as `image-orientation: none` is already shipped.
> 
> I believe that (1) is easier to implement and grasp; however, it would have a higher chance of breaking some current sites using EXIF-rotated images (if the images are cross-origin and don't have the CORS headers).

Blocking metadata with CORS completely could cause an issue I hadn't thought of earlier - it means that CSS-loaded images can't use orientation/resolution, as those don't expose a `crossorigin` attribute (which is currently only meaningful for canvas drawing). OTOH, CSS-loaded images don't leak any of the metadata information, as the image's size is not readable and doesn't affect layout.

In addition, it would require regular images to start including `crossorigin` when using a CDN, just to have their image displayed correctly. That doesn't seem reasonable.

As today so many images are CDN-delivered and don't bother with a `crossorigin` attribute (or can't because the image is CSS-loaded), I think it's a blocker for using (1) - it would make image orientation and resolution less than usable.

`CORP` seems less suitable as it's meant to block embedding at all, not just reading of metadata.

I believe that this should be blocked with an additional HTTP header (yikes), similar to `Timing-Allow-Origin`, or not at all - servers who want to offer this kind of protection to their images can bake the metadata into that image and not expose it.

-- 
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-658667180 using your GitHub account

Received on Wednesday, 15 July 2020 09:46:33 UTC
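Both proposals in the thread hinge on the EXIF Orientation tag (0x0112) and on whether a server "bakes" it into the pixels before serving cross-origin. The following is an added example, not code from the thread or the CSSWG: a small parser that walks JPEG segments to find the APP1/Exif Orientation value, plus the width/height swap that baking it in implies. The `_sample_jpeg` builder constructs a minimal JPEG carrying only that tag so the code runs offline; real files carry many more segments and tags.

```python
import struct

EXIF_ORIENTATION_TAG = 0x0112  # TIFF tag carrying the EXIF Orientation value (1..8)

def exif_orientation(jpeg: bytes):
    """Return the EXIF Orientation (1..8) from a JPEG, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("segment marker expected")
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if marker == 0xDA:  # start of scan: metadata segments precede it
            return None
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _orientation_from_tiff(seg[6:])
        pos += 2 + seglen
    return None

def _orientation_from_tiff(tiff: bytes):
    """Scan IFD0 of the embedded TIFF structure for the Orientation entry."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return None
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return None
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        if off + 12 > len(tiff):
            return None
        tag, typ, n = struct.unpack(endian + "HHI", tiff[off:off + 8])
        if tag == EXIF_ORIENTATION_TAG and typ == 3 and n == 1:  # type 3 = SHORT
            value = struct.unpack(endian + "H", tiff[off + 8:off + 10])[0]
            return value if 1 <= value <= 8 else None
    return None

def baked_dimensions(width, height, orientation):
    """Displayed size once orientation is baked in: values 5..8 are 90-degree cases."""
    return (height, width) if orientation in (5, 6, 7, 8) else (width, height)

def _sample_jpeg(orientation, endian="<"):
    """Constructed sample: SOI, one APP1/Exif segment with only Orientation in IFD0, EOI."""
    tiff = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8)
    tiff += struct.pack(endian + "H", 1) + struct.pack(endian + "HHI", EXIF_ORIENTATION_TAG, 3, 1)
    tiff += struct.pack(endian + "H", orientation) + b"\x00\x00" + struct.pack(endian + "I", 0)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

SAMPLE_JPEG = _sample_jpeg(6)  # camera held rotated 90 degrees clockwise
```

A server that wants to keep this tag private can run such a check at upload time, apply the rotation to the pixels, and serve the image without the APP1 segment, which is the "bake it in" option the comment describes.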