W3C home > Mailing lists > Public > public-css-archive@w3.org > September 2020

Re: [csswg-drafts] [css-color-4] Security: handling of color-profiles (#5552)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Mon, 28 Sep 2020 18:47:05 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-700214982-1601318824-sysbot+gh@w3.org>
> Are the .icc files listed in the color-profile meant to be retrieved and parsed in real time?

Yes. The "track a user" concern is identical to any resource specified in CSS, tho - in particular, images like `background-image`.  

The "malicious payload" concern is relative to whatever parsers browsers use for their ICC parsing - a broken parser is def an issue, but it's also a clear bug. I'm not sure - how severe is this kind of thing? It's part of any new file format being introduced, right?

> Are .icc files something that browsers already parse or is this a file-format that is new to them? Can these files contain any "scripts" or "code"?

New file format.

Dunno about their contents - @svgeesus?

> Can a script determine if the profile was used or if a fallback was used?

Yes. Can you elaborate on how it enables fingerprinting? The only profiles available are those predefined by the spec, and those explicitly loaded by the page. The latter aren't a fingerprinting vector - they're the same for everyone visiting the page - and the former is the generic "new features aren't supported by old browsers, and thus allow UA detection" leak intrinsic to the entire web platform.

> How would color-profiles interact with content security policy?

The interaction between CSS's resource loading and CSP is ill-defined in general right now, but I *suspect* this interacts identically to CSS image loading.

GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-700214982 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 28 September 2020 18:47:07 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:17 UTC