Re: [csswg-drafts] [css-images] image-orientation:none violates same-origin policy (#5165) from Noam Rosenthal via GitHub on 2024-02-15 (public-css-archive@w3.org from February 2024)

From: Noam Rosenthal via GitHub <sysbot+gh@w3.org>
Date: Thu, 15 Feb 2024 15:23:48 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-1946316289-1708010625-sysbot+gh@w3.org>

Coming back from this after a few yeats - one same-origin policy violation (image dimensions) cannot justify another (orientation).

Because the former has been around for decades, authors had years to protect against this and be aware that image dimensions are something that's exposed to browsers and that's life. We have to be rigorous about not allowing new leaks because there is lots of content out there that is not protected against them.

Really the focus should go towards reducing the usage of no-cors in the web and moving towards CORS, even in CSS.
I've recently updated the CSS spec (https://drafts.csswg.org/css-values-5/#request-url-modifiers) to allow CORS images, however that's not implemented in browsers. I think implementing that would be a step forwards to actually resolving this in a holistic manner.


-- 
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5165#issuecomment-1946316289 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 15 February 2024 15:23:50 UTC