- From: Alan Stearns <stearns@adobe.com>
- Date: Sun, 15 Sep 2013 21:11:49 -0700
- To: Håkon Wium Lie <howcome@opera.com>
- CC: "www-style@w3.org" <www-style@w3.org>
On 9/16/13 1:01 AM, "Håkon Wium Lie" <howcome@opera.com> wrote:

>Alan Stearns wrote:
>
> > >Also, I don't understand the security implications for alpha data. PNG
> > >images routinely have alpha channels in them and I don't see why this
> > >is dangerous.
> >
> > I did not understand the implications either, at first. We discussed the
> > issue in Tokyo. While you can fairly promiscuously display an image with
> > its alpha data on a web page, what you don't get is scripted access to the
> > data. For the same reason that cross-origin images can taint a Canvas such
> > that you cannot retrieve the pixel information, you should not be able to
> > use shape-outside on untrusted pages to use cross-origin images. You can
> > wrap arbitrarily-small text lines around the shape, allowing scripted
> > access to the alpha data contours. Combined with filters that map
> > arbitrary image data to the alpha channel, you'd get scripted access to
> > all of the pixel data. It's that scripted access that we need to avoid
> > exposing.
>
>The minutes from the discussion are here:
>
>  http://lists.w3.org/Archives/Public/www-style/2013Jun/0680.html
>
>It seems no clear consensus was reached.

That was a related discussion with the FXTF. The minutes you want to read through are here:

http://lists.w3.org/Archives/Public/www-style/2013Jul/0066.html

The minutes are much shorter than the actual discussion as I remember it.

---

stearns: Issue on spec on shapes from images

stearns: Security concern of being able to determine contours of alpha channel of image

TabAtkins: Could extract cross-domain info

TabAtkins: Reasonably efficient attack, too

plinss: Imagine image you're putting in page is bar graph of your account balances of your bank

Same-origin or CORS

TabAtkins: Work with Anne, he'll tell you what to do correctly.

<dbaron> annevk is working on http://fetch.spec.whatwg.org/ which makes these things easier to define

---

>XSS is outside of my domain, but it seems we could stop leaks by
>distinguishing between original alpha data and synthesized alpha data
>-- and only allow wrapping around original alpha data, no?

No, as I understand it, making the original alpha data available is in itself a security leak. Images (like the account balance example mentioned above) can encode risky information in their original alpha contours.

Thanks,

Alan
Received on Monday, 16 September 2013 04:12:27 UTC
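
The "Same-origin or CORS" rule recorded in the minutes above, modelled as an added example that is not part of the original message or of any specification text. The function name, the mode strings and the sample origins are assumptions constructed for illustration; the header comparison follows the CORS check browsers apply before letting script read cross-origin image data (the same gate that keeps a canvas untainted).

```javascript
'use strict';

// Hypothetical helper (not a browser API): decides whether an image's pixel
// and alpha data may be exposed to the page, e.g. as a shape-outside source
// or through an untainted canvas.
// corsMode is 'no-cors', 'anonymous' or 'use-credentials'.
function imageDataReadable(documentOrigin, imageUrl, corsMode, responseHeaders) {
  const docOrigin = new URL(documentOrigin).origin;
  const imgOrigin = new URL(imageUrl, documentOrigin).origin;

  // Same-origin images are always readable by the embedding page.
  if (imgOrigin === docOrigin) return true;

  // Cross-origin without a CORS request: displayable, but opaque to script.
  // Unknown modes fail closed.
  if (corsMode !== 'anonymous' && corsMode !== 'use-credentials') return false;

  // Header names are case-insensitive; values are compared exactly.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;

  if (corsMode === 'use-credentials') {
    // Credentialed requests need an exact origin match, never the wildcard.
    return allowOrigin === docOrigin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === docOrigin;
}

// Constructed sample cases: a page on app.example embedding a chart image
// served by bank.example (both names are placeholders).
const PAGE = 'https://app.example';
const CHART = 'https://bank.example/balance-chart.png';
const sampleResults = {
  sameOrigin: imageDataReadable(PAGE, '/img/logo.png', 'no-cors', {}),
  crossOriginNoCors: imageDataReadable(PAGE, CHART, 'no-cors',
    { 'Access-Control-Allow-Origin': '*' }),
  corsWildcard: imageDataReadable(PAGE, CHART, 'anonymous',
    { 'access-control-allow-origin': '*' }),
  credentialedWildcard: imageDataReadable(PAGE, CHART, 'use-credentials',
    { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' }),
};
```

For a server that holds sensitive images, the practical consequence is to send no `Access-Control-Allow-Origin` header on them, or to name only the origins that are meant to read the data.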