Re: [csswg-drafts] [css-color-4] Security: handling of color-profiles (#5552)

> Are the .icc files listed in the color-profile meant to be retrieved and parsed in real time?

Yes. The "track a user" concern is identical to any resource specified in CSS, tho - in particular, images like `background-image`.  

The "malicious payload" concern is relative to whatever parsers browsers use for their ICC parsing - a broken parser is def an issue, but it's also a clear bug. I'm not sure - how severe is this kind of thing? It's part of any new file format being introduced, right?

> Are .icc files something that browsers already parse or is this a file-format that is new to them? Can these files contain any "scripts" or "code"?

New file format.

Dunno about their contents - @svgeesus?

> Can a script determine if the profile was used or if a fallback was used?

Yes. Can you elaborate on how it enables fingerprinting? The only profiles available are those predefined by the spec, and those explicitly loaded by the page. The latter aren't a fingerprinting vector - they're the same for everyone visiting the page - and the former is the generic "new features aren't supported by old browsers, and thus allow UA detection" leak intrinsic to the entire web platform.

> How would color-profiles interact with content security policy?

The interaction between CSS's resource loading and CSP is ill-defined in general right now, but I *suspect* this interacts identically to CSS image loading.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-700214982 using your GitHub account



Received on Monday, 28 September 2020 18:47:07 UTC