W3C home > Mailing lists > Public > public-css-archive@w3.org > June 2020

Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165)

From: Anne van Kesteren via GitHub <sysbot+gh@w3.org>
Date: Fri, 05 Jun 2020 09:59:56 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-639381068-1591351195-sysbot+gh@w3.org>
@noamr again, it's not just overriding, it's also reading as linked above. There's various different ways this will end up being exposed.

@heycam how do we model it in such a way that we don't need security checks all over?

I guess what we could do is that we take the orientation into account for decoding purposes, but don't store it as a field on the resulting image if it was generated from an opaque response. So it appears rotated, but if you query its metadata it'll return the default orientation values.

The tricky aspect is when metadata can be overridden, as it can be here. If the internal representation still has non-default metadata you would need to take that into account somehow. I.e., if an image was rotated 90 degrees and an API asked for it not to be rotated, it would have to remain rotated at 90 degrees. Model-wise that follows from the preceding paragraph, but in implementations that might be a bit trickier.

-- 
GitHub Notification of comment by annevk
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-639381068 using your GitHub account
Received on Friday, 5 June 2020 09:59:58 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 19 October 2021 01:31:27 UTC