Closed Bug 1655598 Opened 3 years ago Closed 4 months ago

[css-images] image-orientation:none violates same-origin policy

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

defect

Tracking

()

RESOLVED FIXED
107 Branch
Tracking Status
firefox107 --- fixed

People

(Reporter: mozilla-apprentice, Assigned: dlrobertson)

References

Details

Attachments

(2 files)

A resolution was made for csswg-drafts/#5165.

[css-images] image-orientation:none violates same-origin policy

  • RESOLVED: Do not expose orientation data for cross-origin images

Discussion.

Hey Cameron, it seems from the discussion there that Safari already changed. https://bugs.chromium.org/p/chromium/issues/detail?id=1110330 is underway. Shall we also close this security hole?

Flags: needinfo?(cam)

Looks like the Chromium bug was backed out.

Flags: needinfo?(cam)

Per recent comments in that bug that was only for a couple releases. It's now in stable as far as I can tell. Daniel, can you take a look?

Flags: needinfo?(dholbert)
Component: Layout → Layout: Images, Video, and HTML Frames

Yeah, we should take action on this.

Here's a testcase (using a random JPG that I found in stackoverflow that has a rotation encoded via its metadata, such that image-orientation:none does something interesting):

data:text/html,<img src="https://d38daqc8ucuvuv.cloudfront.net/avatars/216/2014-02-19 17.13.48.jpg" style="image-orientation:none">

In Firefox, this image looks upside-down (i.e. we're honoring the none value). In current Chrome and Safari, it's right-side-up (i.e. it looks the way it does if I hadn't specified image-orientation:none), unless I set things up (e.g. using a local http server) to make the image same-origin, in which case they match Firefox.

So indeed, Blink and WebKit changed to match the resolution (ignoring none [treating it like the default value], for cross-origin images).

Flags: needinfo?(dholbert)
Severity: S3 → S2

Looks like 3 WPT tests exist for this:
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin.html
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin-svg.html
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin-canvas.html

For the first one, here's the testcase/reference:
https://wpt.live/css/css-images/image-orientation/image-orientation-none-cross-origin.html
https://wpt.live/css/css-images/image-orientation/reference/image-orientation-none-cross-origin-ref.html

wpt.fyi thinks these tests "fail" in other browsers too, but I think that's just because the tests have a hardcoded fuzzy expectation (probably necessary when it was added):

<meta name=fuzzy content="10;100">

Chrome renders the testcase and reference case identically, with zero fuzzy pixels, so they "fail" for not matching the expected 100-pixels-differing like so:

 0:10.65 INFO Found 0 pixels different, maximum difference per channel 0 on page 1
 0:10.65 INFO Allowed 100-100 pixels different, maximum difference per channel 10-10

When we fix this, we can presumably just use those WPT tests, but we'll want to be sure to update the tests' baked-in metadata so that the fuzzy allowances aren't so strictly requiring an exact number of mismatching pixels.

A cross origin image request should not respect the given style image
orientation, but should use any image orientation provided by the image.

Assignee: nobody → drobertson
Status: NEW → ASSIGNED

The implementation of GetURI always returns NS_OK, and therefore the URI can
be marked as infallible.

Pushed by drobertson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/052c6f05c623
The imgIRequest uri attribute should be infallible. r=emilio
https://hg.mozilla.org/integration/autoland/rev/9eb3b3e7295b
Cross origin image request should not respect image orientation. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Regressions: 1792435
Backout by abutkovits@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/170f356185eb
Backed out 2 changesets for causing Bug 1792435. a=backout
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 107 Branch → ---
Pushed by drobertson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9fc8edef93c3
The imgIRequest uri attribute should be infallible. r=emilio
https://hg.mozilla.org/integration/autoland/rev/aa5e6cdcbdc7
Cross origin image request should not respect image orientation. r=emilio
Status: REOPENED → RESOLVED
Closed: 5 months ago4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36183 for changes under testing/web-platform/tests
Upstream PR merged by moz-wptsync-bot
Regressions: 1804583
You need to log in before you can comment on or make changes to this bug.