Re: [css-shapes] Comments on CSS Shapes ED

Alan Stearns wrote:

 > >Also, I don't understand the security implications for alpha data. PNG
 > >images routinely have alpha channels in them and I don't see why this
 > >is dangerous.
 > I did not understand the implications either, at first. We discussed the
 > issue in Tokyo. While you can fairly promiscuously display an image with
 > its alpha data on a web page, what you don't get is scripted access to the
 > data. For the same reason that cross-origin images can taint a Canvas such
 > that you cannot retrieve the pixel information, you should not be able to
 > use shape-outside on untrusted pages to use cross-origin images. You can
 > wrap arbitrarily-small text lines around the shape, allowing scripted
 > access to the alpha data contours. Combined with filters that map
 > arbitrary image data to the alpha channel, you'd get scripted access to
 > all of the pixel data. It's that scripted access that we need to avoid
 > exposing.

The minutes from the discussion are here:

It seems no clear consensus was reached. 

XSS is outside of my domain, but it seems we could stop leaks by
distinguishing between original alpha data and synthesized alpha data
-- and only allow wrapping around original alpha data, no?

Received on Sunday, 15 September 2013 23:01:55 UTC
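The canvas-taint analogy from the quoted message, worked through as an added example (not code from the thread or from any browser): a policy check that only lets layout wrap text around a cross-origin image's alpha contour when the image was fetched with CORS and the response opted in, exactly as a canvas would refuse getImageData otherwise. The `crossorigin`/`headers` record shape and the function names are assumptions made for the example.

```javascript
// Added example: a taint-style gate for shape-outside images, modelled on the
// canvas rule. Same-origin images are fine (script can already read their
// pixels); cross-origin images need a CORS-enabled fetch whose response opts in.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// fetch: { url, crossorigin: null | "anonymous" | "use-credentials",
//          headers: lower-cased response headers }   (assumed record shape)
function corsPasses(documentOrigin, fetch) {
  const acao = fetch.headers["access-control-allow-origin"];
  const withCreds = fetch.crossorigin === "use-credentials";
  if (acao === undefined) return false;        // server did not opt in at all
  if (acao === "*") return !withCreds;         // wildcard is not valid with credentials
  if (acao !== documentOrigin) return false;   // opted in, but for a different origin
  if (withCreds) {
    return fetch.headers["access-control-allow-credentials"] === "true";
  }
  return true;
}

// Decide whether layout may expose the image's alpha channel to text wrapping.
function shapeOutsideDecision(documentOrigin, fetch) {
  if (originOf(fetch.url) === documentOrigin) {
    return { allowed: true, reason: "same-origin: pixels already readable by script" };
  }
  if (fetch.crossorigin === null) {
    return { allowed: false, reason: "cross-origin without CORS: would taint a canvas" };
  }
  if (corsPasses(documentOrigin, fetch)) {
    return { allowed: true, reason: "cross-origin, but the CORS response opted in" };
  }
  return { allowed: false, reason: "cross-origin CORS fetch rejected by the server" };
}

// Constructed sample: a page on example.test using a CDN image without CORS.
const sample = shapeOutsideDecision("https://example.test", {
  url: "https://cdn.test/mask.png",
  crossorigin: null,
  headers: {},
});
console.log(sample); // { allowed: false, reason: "cross-origin without CORS: would taint a canvas" }
```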