Re: css-shapes] Comments on CSS Shapes ED from Alan Stearns on 2013-09-16 (www-style@w3.org from September 2013)

From: Alan Stearns <stearns@adobe.com>
Date: Sun, 15 Sep 2013 21:11:49 -0700
To: Håkon Wium Lie <howcome@opera.com>
CC: "www-style@w3.org" <www-style@w3.org>
Message-ID: <CE5C4F0F.3E8A3%stearns@adobe.com>

On 9/16/13 1:01 AM, "Håkon Wium Lie" <howcome@opera.com> wrote:

>Alan Stearns wrote:
>
> > >Also, I don't understand the security implications for alpha data. PNG
> > >images routinly has alpha channels in them and I don't see whey this
> > >is dangerous.
> > 
> > I did not understand the implications either, at first. We discussed
>the
> > issue in Tokyo. While you can fairly promiscuously display an image
>with
> > its alpha data on a web page, what you don't get is scripted access to
>the
> > data. For the same reason that cross-origin images can taint a Canvas
>such
> > that you cannot retrieve the pixel information, you should not be able
>to
> > use shape-outside on untrusted pages to use cross-origin images. You
>can
> > wrap arbitrarily-small text lines around the shape, allowing scripted
> > access to the alpha data contours. Combined with filters that map
> > arbitrary image data to the alpha channel, you'd get scripted access to
> > all of the pixel data. It's that scripted access that we need to avoid
> > exposing.
>
>The minutes from the discussion is here:
>
>  http://lists.w3.org/Archives/Public/www-style/2013Jun/0680.html
>
>It seems no clear consensus was reached.

That was a related discussion with the FXTF. The minutes you want to read
through are here:

http://lists.w3.org/Archives/Public/www-style/2013Jul/0066.html

The minutes are much shorter than the actual discussion as I remember it.

---
stearns: Issue on spec on shapes from images
   stearns: Security concern of being able to determine contours of alpha
            channel of image
   TabAtkins: Could extract cross-domain info
   TabAtkins: Reasonably efficient attack, too
   plinss: Imagine image you're putting in page is bar graph of your
account
           balances of your bank
   Same-origin or CORS
   TabAtkins: Work with Anne, he'll tell you what to do correctly.
   <dbaron> annevk is working on http://fetch.spec.whatwg.org/ which makes
            these things easier to define

---

> 
>
>XSS is outside of my domain, but it seems we could stop leaks by
>distinguishing between original alpha data and synthesized alpha data
>-- and only allow wraping around original alpha data, no?

No, as I understand it, making the original alpha data available is in
itself a security leak. Images (like the account balance example mentioned
above) can encode risky information in their original alpha contours.

Thanks,

Alan

Received on Monday, 16 September 2013 04:12:27 UTC