Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

> > OTOH CSS-loaded images don't leak any of the metadata information as the image's size is not readable and doesn't affect layout.
> 
> They do, fwiw - `::before { content: url(...); }` creates an anonymous replaced box containing the specified image, which will affect layout (or makes the pseudo-element itself into a replaced element containing the image, to the same effect).
Good point, thanks.

> 
> > In either case, a cross-origin image might appear different depending on which origin is embedding it. In (1), it will appear different by default. In (2), it will appear different only in certain cases. e.g. when CSS image-rotation, image-resolution or srcset is being used, or in future scenarios that we are not yet aware of.
> 
> Just because it'll still allow images to look correct by default, I lean strongly toward (2). Each potentially-exposed bit of metadata just needs to define a "default" value that it'll masquerade as for the purpose of in-page manipulations. This is trivial for orientation, but I guess resolution will have to pretend to be 1x? That'll break srcset (it'll density-correct images _twice_), but that might be unavoidable here.

Resolution would have to pretend that the image has the density requested by the srcset, or `1dppx` if it's not in srcset.

I think this is totally doable, given a mechanism allowing servers to allow it as opt-in (be it a new header or CORP).

-- 
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-660527137 using your GitHub account

Received on Saturday, 18 July 2020 19:05:49 UTC