
Re: [css-shapes] Comments on CSS Shapes ED

From: Håkon Wium Lie <howcome@opera.com>
Date: Mon, 16 Sep 2013 01:01:22 +0200
Message-ID: <21046.15426.204277.727163@gargle.gargle.HOWL>
To: Alan Stearns <stearns@adobe.com>
Cc: "www-style@w3.org" <www-style@w3.org>

Alan Stearns wrote:

 > >Also, I don't understand the security implications for alpha data. PNG
 > >images routinely have alpha channels in them and I don't see why this
 > >is dangerous.
 > I did not understand the implications either, at first. We discussed the
 > issue in Tokyo. While you can fairly promiscuously display an image with
 > its alpha data on a web page, what you don't get is scripted access to the
 > data. For the same reason that cross-origin images can taint a Canvas such
 > that you cannot retrieve the pixel information, you should not be able to
 > use shape-outside on untrusted pages to use cross-origin images. You can
 > wrap arbitrarily-small text lines around the shape, allowing scripted
 > access to the alpha data contours. Combined with filters that map
 > arbitrary image data to the alpha channel, you'd get scripted access to
 > all of the pixel data. It's that scripted access that we need to avoid
 > exposing.

The minutes from the discussion are here:


It seems no clear consensus was reached. 

XSS is outside of my domain, but it seems we could stop leaks by
distinguishing between original alpha data and synthesized alpha data
-- and only allow wrapping around original alpha data, no?

              Håkon Wium Lie                          CTO °þe®ª
howcome@opera.com                  http://people.opera.com/howcome
Received on Sunday, 15 September 2013 23:01:55 UTC
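
The gate Alan Stearns describes in the quoted reply, as an added JavaScript example that is not part of the original message: a simplified model of the check a browser applies before an image's pixel or alpha data may influence anything script can observe (canvas readback, or text wrapped by shape-outside). The function name, the shape of the `img` record and the `.test` hosts are assumptions made for illustration.

```javascript
// Added illustration, not browser source code. All names are hypothetical.
// Models the "origin-clean" decision: may pixel/alpha data of `img` be exposed
// to script running in the document at `docUrl`?
function mayExposePixels(docUrl, img) {
  const docOrigin = new URL(docUrl).origin;
  const imgUrl = new URL(img.url, docUrl);   // resolves relative URLs

  // data: URLs carry their bytes inline, so the page already holds the data.
  if (imgUrl.protocol === 'data:') return true;
  // Same-origin images are readable by the page.
  if (imgUrl.origin === docOrigin) return true;

  // Cross-origin without a crossorigin attribute: fetched in no-cors mode.
  // The image can be painted, but it is opaque to script whatever the
  // server's headers say.
  if (img.crossorigin == null) return false;

  const h = img.responseHeaders || {};
  const acao = h['access-control-allow-origin'];
  if (img.crossorigin === 'use-credentials') {
    // Credentialed CORS: the wildcard is not accepted, and the server must
    // also send Access-Control-Allow-Credentials: true.
    return acao === docOrigin && h['access-control-allow-credentials'] === 'true';
  }
  // Any other attribute value is treated as anonymous CORS.
  return acao === '*' || acao === docOrigin;
}

// Constructed sample cases: [label, image record].
const DOC = 'https://app.test/page.html';
const SAMPLES = [
  ['same-origin', { url: '/img/logo.png', crossorigin: null }],
  ['cross-origin, no attribute', { url: 'https://cdn.test/a.png', crossorigin: null,
    responseHeaders: { 'access-control-allow-origin': '*' } }],
  ['cross-origin, anonymous CORS', { url: 'https://cdn.test/a.png', crossorigin: 'anonymous',
    responseHeaders: { 'access-control-allow-origin': '*' } }],
  ['cross-origin, credentials + wildcard', { url: 'https://cdn.test/a.png',
    crossorigin: 'use-credentials',
    responseHeaders: { 'access-control-allow-origin': '*' } }],
];

// Returns one "label: decision" line per sample.
function report() {
  return SAMPLES.map(([label, img]) =>
    `${label}: ${mayExposePixels(DOC, img) ? 'alpha usable' : 'treat as opaque'}`);
}
console.log(report().join('\n'));
```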
