
Re: [css-shapes] Comments on CSS Shapes ED

From: Alan Stearns <stearns@adobe.com>
Date: Sun, 15 Sep 2013 21:11:49 -0700
To: Håkon Wium Lie <howcome@opera.com>
CC: "www-style@w3.org" <www-style@w3.org>
Message-ID: <CE5C4F0F.3E8A3%stearns@adobe.com>
On 9/16/13 1:01 AM, "Håkon Wium Lie" <howcome@opera.com> wrote:

>Alan Stearns wrote:
> > >Also, I don't understand the security implications for alpha data. PNG
> > >images routinely have alpha channels in them and I don't see why this
> > >is dangerous.
> > 
> > I did not understand the implications either, at first. We discussed
> > the issue in Tokyo. While you can fairly promiscuously display an image
> > and its alpha data on a web page, what you don't get is scripted access to
> > data. For the same reason that cross-origin images can taint a Canvas
> > so that you cannot retrieve the pixel information, you should not be able
> > to use shape-outside on untrusted pages to use cross-origin images. You
> > wrap arbitrarily-small text lines around the shape, allowing scripted
> > access to the alpha data contours. Combined with filters that map
> > arbitrary image data to the alpha channel, you'd get scripted access to
> > all of the pixel data. It's that scripted access that we need to avoid
> > exposing.
>The minutes from the discussion are here:
>  http://lists.w3.org/Archives/Public/www-style/2013Jun/0680.html
>It seems no clear consensus was reached.

That was a related discussion with the FXTF. The minutes you want to read
through are here:


The minutes are much shorter than the actual discussion as I remember it.

stearns: Issue on spec on shapes from images
   stearns: Security concern of being able to determine contours of alpha
            channel of image
   TabAtkins: Could extract cross-domain info
   TabAtkins: Reasonably efficient attack, too
   plinss: Imagine image you're putting in page is bar graph of your
           balances of your bank
   Same-origin or CORS
   TabAtkins: Work with Anne, he'll tell you what to do correctly.
   <dbaron> annevk is working on http://fetch.spec.whatwg.org/ which makes
            these things easier to define


>XSS is outside of my domain, but it seems we could stop leaks by
>distinguishing between original alpha data and synthesized alpha data
>-- and only allow wrapping around original alpha data, no?

No, as I understand it, making the original alpha data available is in
itself a security leak. Images (like the account balance example mentioned
above) can encode risky information in their original alpha contours.


Received on Monday, 16 September 2013 04:12:27 UTC
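
Added example (not part of the original message or of any spec text): a sketch of the "Same-origin or CORS" gate from the minutes, deciding whether a page may let layout depend on an image's alpha contour. The function names, the `fetchMode`/`credentialsMode` parameters and the sample URLs are assumptions made for illustration; the header logic is a simplified form of the Fetch standard's CORS check.

```javascript
// Added example: the "Same-origin or CORS" gate for shape images.
// Function names are hypothetical; sample URLs are constructed.

// An origin is the (scheme, host, port) tuple; URL.origin serializes it.
// Opaque origins (data:, file:) serialize to "null" and never count as same-origin.
function sameOrigin(a, b) {
  const oa = new URL(a).origin, ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// Simplified form of the Fetch standard's CORS check on response headers.
function corsCheck(docOrigin, headers, credentialsMode) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false; // server did not opt in
  if (credentialsMode !== "include") return allow === "*" || allow === docOrigin;
  // Credentialed requests: the wildcard is not accepted, and the server
  // must also send Access-Control-Allow-Credentials: true.
  return allow === docOrigin && h["access-control-allow-credentials"] === "true";
}

// May layout (and so script that measures line boxes) depend on this
// image's alpha contour? fetchMode is "no-cors" or "cors".
function mayUseImageAsShape(documentUrl, imageUrl, fetchMode,
                            headers = {}, credentialsMode = "same-origin") {
  if (sameOrigin(documentUrl, imageUrl)) return true;
  if (fetchMode !== "cors") return false; // opaque response: pixels stay hidden
  return corsCheck(new URL(documentUrl).origin, headers, credentialsMode);
}

const page = "https://app.example/dashboard"; // constructed sample input
const cases = [
  ["https://app.example:443/logo.png", "no-cors", {}],
  ["https://bank.example/balance.png", "no-cors", {}],
  ["https://cdn.example/shape.png", "cors", { "Access-Control-Allow-Origin": "*" }],
  ["https://bank.example/balance.png", "cors", {}],
];
for (const [url, mode, headers] of cases) {
  const ok = mayUseImageAsShape(page, url, mode, headers);
  console.log(url, mode, "->", ok ? "usable as shape" : "blocked");
}
```

The same decision is what keeps a Canvas untainted: a cross-origin image is only readable when the server has opted in through CORS.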
