- From: Håkon Wium Lie <howcome@opera.com>
- Date: Mon, 16 Sep 2013 01:01:22 +0200
- To: Alan Stearns <stearns@adobe.com>
- Cc: "www-style@w3.org" <www-style@w3.org>

Alan Stearns wrote:

> >Also, I don't understand the security implications for alpha data. PNG
> >images routinely have alpha channels in them and I don't see why this
> >is dangerous.
>
> I did not understand the implications either, at first. We discussed the
> issue in Tokyo. While you can fairly promiscuously display an image with
> its alpha data on a web page, what you don't get is scripted access to the
> data. For the same reason that cross-origin images can taint a Canvas such
> that you cannot retrieve the pixel information, you should not be able to
> use shape-outside on untrusted pages to use cross-origin images. You can
> wrap arbitrarily-small text lines around the shape, allowing scripted
> access to the alpha data contours. Combined with filters that map
> arbitrary image data to the alpha channel, you'd get scripted access to
> all of the pixel data. It's that scripted access that we need to avoid
> exposing.

The minutes from the discussion are here:

http://lists.w3.org/Archives/Public/www-style/2013Jun/0680.html

It seems no clear consensus was reached. XSS is outside of my domain,
but it seems we could stop leaks by distinguishing between original
alpha data and synthesized alpha data -- and only allow wrapping around
original alpha data, no?

-h&kon

Håkon Wium Lie CTO °þe®ª

howcome@opera.com http://people.opera.com/howcome

Received on Sunday, 15 September 2013 23:01:55 UTC