- From: DavidJCobb via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 Feb 2024 06:04:11 +0000
- To: public-css-archive@w3.org
> I sketched out an example to answer this question for myself, here [...]

If exposing the intrinsic size of an image is enough to compromise an app, then that app is _already insecure_. You can contrive exceptions and edge-cases like, "Oh, but it only exposes the size of an image under this incredibly specific scenario that I hand-crafted explicitly to justify this one niche change to the spec that damages backward-compatibility," but that's equivalent to saying, "The problem isn't web developers shooting themselves in the crotch. It's that they can _aim_ at their crotch, _miss,_ and have the bullet ricochet off the floor and directly into their groin. The problem is that spot on the floor, and we should urgently get rid of it by annihilating the floor tiles there with a sledgehammer."

Your example has us suppose the existence of a website that discloses image dimensions in a context where doing so is insecure, yet only discloses them in the specific ways that _this change to the spec_ would block, and not in the far more common, far more likely, and far more obvious ways that are currently treated (and will for the foreseeable future _always_ be treated) as exceptions to same-origin restrictions. Cross-origin restrictions are a valuable principle _by default_, but it's not an _absolute_ principle that's always intrinsically correct for the web, and it can't be cited as if it is one: the web is already filled with functionality that demands exceptions to it -- many of which have already been made -- and EXIF orientation belongs with that existing functionality.

Like, what I'm seeing here is that focusing purely on what's _practical_, it's _very easy_ to offer a straightforward disagreement with this change ("EXIF orientation is the same kind of data as intrinsic sizing information, which is already exposed") and it's _very hard_ to offer a straightforward agreement with this change ("What if a web developer makes a site that's insecure but only in the _exact_ ways that this otherwise nonsensical change would band-aid for them, and also what if we pretended that plain image tags are the same kind of content as scripted and interactive HTML5 canvases?").

-- 
GitHub Notification of comment by DavidJCobb
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-1945424924 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
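The comment's claim that EXIF orientation is "the same kind of data as intrinsic sizing information" can be made concrete by parsing the two headers that carry that data. The following is an added example, not code from the thread or from any browser: it builds a constructed, non-decodable JPEG header (SOI + APP1/Exif with one IFD0 entry + SOF0), reads the Orientation tag (0x0112) and the stored frame size, and derives the intrinsic size a browser reports under the default `image-orientation: from-image`, where orientations 5 to 8 swap width and height.

```python
import struct

def build_sample(orientation: int, width: int, height: int) -> bytes:
    """Constructed minimal JPEG header; only the marker segments matter here."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)            # big-endian TIFF header, IFD0 at offset 8
    ifd = struct.pack(">H", 1)                             # one IFD entry follows
    ifd += struct.pack(">HHI", 0x0112, 3, 1)               # tag=Orientation, type=SHORT, count=1
    ifd += struct.pack(">H", orientation) + b"\x00\x00"    # value padded to 4 bytes
    ifd += struct.pack(">I", 0)                            # no next IFD
    app1_payload = b"Exif\x00\x00" + tiff + ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    sof0_payload = b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00"
    sof0 = b"\xff\xc0" + struct.pack(">H", len(sof0_payload) + 2) + sof0_payload
    return b"\xff\xd8" + app1 + sof0

def parse_headers(data: bytes) -> dict:
    """Walk JPEG marker segments; take Orientation from APP1/Exif and size from SOF0."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, out = 2, {"orientation": 1, "width": None, "height": None}  # Exif default is 1
    while pos + 4 <= len(data):
        marker, seglen = struct.unpack(">HH", data[pos:pos + 4])
        seg = data[pos + 4:pos + 2 + seglen]               # seglen counts its own 2 bytes
        if marker == 0xFFE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            endian = ">" if tiff[:2] == b"MM" else "<"     # "MM" big-endian, "II" little-endian
            (ifd_off,) = struct.unpack(endian + "I", tiff[4:8])
            (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
            for i in range(count):
                e = tiff[ifd_off + 2 + 12 * i:ifd_off + 14 + 12 * i]
                tag, typ, n = struct.unpack(endian + "HHI", e[:8])
                if tag == 0x0112 and typ == 3 and n == 1:
                    out["orientation"] = struct.unpack(endian + "H", e[8:10])[0]
        elif marker == 0xFFC0:                             # SOF0: precision, height, width
            out["height"], out["width"] = struct.unpack(">HH", seg[1:5])
        pos += 2 + seglen
    return out

def rendered_size(data: bytes) -> tuple:
    """Intrinsic (width, height) once EXIF orientation is applied: 5-8 are 90-degree rotations."""
    h = parse_headers(data)
    if h["orientation"] in (5, 6, 7, 8):
        return h["height"], h["width"]
    return h["width"], h["height"]
```

A page that can already read an image's reported intrinsic size therefore also learns whether the stored frame was rotated by its orientation tag, which is the equivalence the comment is pointing at.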
Received on Thursday, 15 February 2024 06:04:13 UTC