[css-images] image-orientation:none violates same-origin policy
Categories
(Core :: Layout: Images, Video, and HTML Frames, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox107 | --- | fixed |
People
(Reporter: mozilla-apprentice, Assigned: dlrobertson)
References
Details
Attachments
(2 files)
A resolution was made for csswg-drafts/#5165.
[css-images] image-orientation:none violates same-origin policy
- RESOLVED: Do not expose orientation data for cross-origin images
|
||
Comment 1•5 years ago
|
||
Hey Cameron, it seems from the discussion there that Safari already changed. https://bugs.chromium.org/p/chromium/issues/detail?id=1110330 is underway. Shall we also close this security hole?
|
|
||
Comment 3•4 years ago
|
||
Per recent comments in that bug that was only for a couple releases. It's now in stable as far as I can tell. Daniel, can you take a look?
|
||
Updated•4 years ago
|
|
|
||
Comment 4•4 years ago
|
||
Yeah, we should take action on this.
Here's a testcase (using a random JPG that I found in stackoverflow that has a rotation encoded via its metadata, such that image-orientation:none does something interesting):
data:text/html,<img src="https://d38daqc8ucuvuv.cloudfront.net/avatars/216/2014-02-19 17.13.48.jpg" style="image-orientation:none">
In Firefox, this image looks upside-down (i.e. we're honoring the none value). In current Chrome and Safari, it's right-side-up (i.e. it looks the way it does if I hadn't specified image-orientation:none), unless I set things up (e.g. using a local http server) to make the image same-origin, in which case they match Firefox.
So indeed, Blink and WebKit changed to match the resolution (ignoring none [treating it like the default value], for cross-origin images).
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Comment 5•4 years ago
•
|
||
Looks like 3 WPT tests exist for this:
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin.html
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin-svg.html
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin-canvas.html
For the first one, here's the testcase/reference:
https://wpt.live/css/css-images/image-orientation/image-orientation-none-cross-origin.html
https://wpt.live/css/css-images/image-orientation/reference/image-orientation-none-cross-origin-ref.html
wpt.fyi thinks these tests "fail" in other browsers too, but I think that's just because the tests have a hardcoded fuzzy expectation (probably necessary when it was added):
<meta name=fuzzy content="10;100">
Chrome renders the testcase and reference case identically, with zero fuzzy pixels, so they "fail" for not matching the expected 100-pixels-differing like so:
0:10.65 INFO Found 0 pixels different, maximum difference per channel 0 on page 1
0:10.65 INFO Allowed 100-100 pixels different, maximum difference per channel 10-10
When we fix this, we can presumably just use those WPT tests, but we'll want to be sure to update the tests' baked-in metadata so that the fuzzy allowances aren't so strictly requiring an exact number of mismatching pixels.
|
Assignee | |
Comment 6•3 years ago
|
||
A cross origin image request should not respect the given style image
orientation, but should use any image orientation provided by the image.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 7•3 years ago
|
||
The implementation of GetURI always returns NS_OK, and therefore the URI can
be marked as infallible.
|
||
Comment 9•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/052c6f05c623
https://hg.mozilla.org/mozilla-central/rev/9eb3b3e7295b
|
||
Comment 10•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
||
Comment 11•3 years ago
|
||
|
|
||
Comment 12•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9fc8edef93c3
https://hg.mozilla.org/mozilla-central/rev/aa5e6cdcbdc7
Description
•