Re: [csswg-drafts] [css-color-4] Security: handling of color-profiles (#5552)

Adding on to (or in one case contradicting) what Tab said:

> Are the .icc files listed in the color-profile meant to be retrieved and parsed in real time?
Yes

> If so there is a potential risk that these requests could be used to track a user or deliver a malicious payload.
Malicious payload is unlikely; the contents of an ICC profile are declarative and contain measured color information. There are no scripts in color profiles and no script execution mechanism.
They are defined by the International Color Consortium (ICC):
http://www.color.org/v4spec.xalter

> Are .icc files something that browsers already parse or is this a file-format that is new to them? 
Tab was incorrect here.
Browsers already parse them, embedded in images such as JPEG or (more rarely) PNG.
Having the ICC files standalone and linked to the content was first introduced by SVG in 1998 and was implemented by browser plugins such as Adobe and Corel.
It is new to CSS (it was previously in CSS Color 3 but was dropped because there was only one implementation, in IE for Mac).
But browsers have been handling ICC profiles in raster images for over a decade.

> Can these files contain any "scripts" or "code"?
No, see above.

> What are the ways an implementation can mitigate any risks associated with handling this new file type?
Security bugs get reported to the ICC, which discloses them after fixes have been tested and deployed. See
http://color.org/profilesecurity.xalter
W3C is an ICC Member; I'm the W3C representative to the ICC, so I do now hear about these.

> Can a script determine if the profile was used or if a fallback was used?
Possibly but unlikely. For example a profile could be used to swap the red and green channels, which would give a different visual result. However, browsers already have pretty good defenses to stop a script reading colors back off the screen.


-- 
GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-700667795 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 29 September 2020 12:26:08 UTC
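
Added example, not part of the original comment and not any browser's code: a profile is a fixed 128-byte header followed by a table of (signature, offset, size) records pointing at data, so a consumer of a linked `.icc` file can reject structurally inconsistent input before interpreting any tag. The layout follows the ICC specification; `MAX_TAGS`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

HEADER_LEN = 128     # fixed-size ICC header
TAG_ENTRY_LEN = 12   # signature, offset, size: 4 bytes each, big-endian
MAX_TAGS = 256       # assumed sanity limit, not a value from the ICC spec


class ProfileError(ValueError):
    pass


def list_tags(data):
    """Return [(signature, offset, size)] or raise ProfileError on bad structure."""
    if len(data) < HEADER_LEN + 4:
        raise ProfileError("too short for header and tag count")
    (declared_size,) = struct.unpack_from(">I", data, 0)
    if declared_size != len(data):
        raise ProfileError("declared size does not match byte length")
    if data[36:40] != b"acsp":
        raise ProfileError("missing 'acsp' file signature")
    (count,) = struct.unpack_from(">I", data, HEADER_LEN)
    table_end = HEADER_LEN + 4 + count * TAG_ENTRY_LEN
    if count > MAX_TAGS or table_end > len(data):
        raise ProfileError("tag table does not fit in the profile")
    tags = []
    for i in range(count):
        entry_at = HEADER_LEN + 4 + i * TAG_ENTRY_LEN
        sig, offset, size = struct.unpack_from(">4sII", data, entry_at)
        # Tag data must lie after the tag table and inside the file.
        if offset < table_end or offset + size > len(data):
            raise ProfileError(f"tag {sig!r} points outside the profile")
        tags.append((sig.decode("ascii", "replace"), offset, size))
    return tags


def build_sample(tag_offset=None):
    """Constructed profile-shaped blob with one 'desc' tag (not a real profile)."""
    body = b"desc" + b"\x00" * 12
    table_end = HEADER_LEN + 4 + TAG_ENTRY_LEN
    offset = table_end if tag_offset is None else tag_offset
    header = bytearray(HEADER_LEN)
    struct.pack_into(">I", header, 0, table_end + len(body))
    header[36:40] = b"acsp"
    table = struct.pack(">I", 1) + struct.pack(">4sII", b"desc", offset, len(body))
    return bytes(header) + table + body
```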