- From: Eric Portis via GitHub <sysbot+gh@w3.org>
- Date: Wed, 14 Feb 2024 20:54:19 +0000
- To: public-css-archive@w3.org
@DavidJCobb

> How are intermediate-to-advanced HTML5 canvas shenanigans and scripted interactivity regarded as being on the same level as a bog-standard <img> tag? Because exploits will take advantage of *anything that's possible*, and we should have ~zero-tolerance for creating new avenues for user harm.

I sketched out an example to answer this question for myself, here:

> Let’s say there’s an image URL – https://coolbank.com/hero.jpg, that happens to return a different resource depending on whether or not a user is currently logged in at coolbank.com.

— https://css-tricks.com/i-learned-to-love-the-same-origin-policy/

--
GitHub Notification of comment by eeeps
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-1944574393 using your GitHub account
Received on Wednesday, 14 February 2024 20:54:22 UTC