[css-images] image-orientation:none violates same-origin policy
Categories
(Core :: Layout: Images, Video, and HTML Frames, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox107 | --- | fixed |
People
(Reporter: mozilla-apprentice, Assigned: dlrobertson)
References
Details
Attachments
(2 files)
A resolution was made for csswg-drafts/#5165.
[css-images] image-orientation:none violates same-origin policy
- RESOLVED: Do not expose orientation data for cross-origin images
Comment 1•4 years ago
|
||
Hey Cameron, it seems from the discussion there that Safari already changed. https://bugs.chromium.org/p/chromium/issues/detail?id=1110330 is underway. Shall we also close this security hole?
Comment 3•3 years ago
|
||
Per recent comments in that bug that was only for a couple releases. It's now in stable as far as I can tell. Daniel, can you take a look?
Updated•3 years ago
|
Comment 4•3 years ago
|
||
Yeah, we should take action on this.
Here's a testcase (using a random JPG that I found in stackoverflow that has a rotation encoded via its metadata, such that image-orientation:none
does something interesting):
data:text/html,<img src="https://d38daqc8ucuvuv.cloudfront.net/avatars/216/2014-02-19 17.13.48.jpg" style="image-orientation:none">
In Firefox, this image looks upside-down (i.e. we're honoring the none
value). In current Chrome and Safari, it's right-side-up (i.e. it looks the way it does if I hadn't specified image-orientation:none
), unless I set things up (e.g. using a local http server) to make the image same-origin, in which case they match Firefox.
So indeed, Blink and WebKit changed to match the resolution (ignoring none
[treating it like the default value], for cross-origin images).
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Comment 5•3 years ago
•
|
||
Looks like 3 WPT tests exist for this:
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin.html
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin-svg.html
https://wpt.fyi/results/css/css-images/image-orientation/image-orientation-none-cross-origin-canvas.html
For the first one, here's the testcase/reference:
https://wpt.live/css/css-images/image-orientation/image-orientation-none-cross-origin.html
https://wpt.live/css/css-images/image-orientation/reference/image-orientation-none-cross-origin-ref.html
wpt.fyi thinks these tests "fail" in other browsers too, but I think that's just because the tests have a hardcoded fuzzy expectation (probably necessary when it was added):
<meta name=fuzzy content="10;100">
Chrome renders the testcase and reference case identically, with zero fuzzy pixels, so they "fail" for not matching the expected 100-pixels-differing like so:
0:10.65 INFO Found 0 pixels different, maximum difference per channel 0 on page 1
0:10.65 INFO Allowed 100-100 pixels different, maximum difference per channel 10-10
When we fix this, we can presumably just use those WPT tests, but we'll want to be sure to update the tests' baked-in metadata so that the fuzzy allowances aren't so strictly requiring an exact number of mismatching pixels.
Assignee | ||
Comment 6•2 years ago
|
||
A cross origin image request should not respect the given style image
orientation, but should use any image orientation provided by the image.
Updated•2 years ago
|
Assignee | ||
Comment 7•2 years ago
|
||
The implementation of GetURI always returns NS_OK, and therefore the URI can
be marked as infallible.
Pushed by drobertson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/052c6f05c623 The imgIRequest uri attribute should be infallible. r=emilio https://hg.mozilla.org/integration/autoland/rev/9eb3b3e7295b Cross origin image request should not respect image orientation. r=emilio
Comment 9•2 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/052c6f05c623
https://hg.mozilla.org/mozilla-central/rev/9eb3b3e7295b
Comment 10•2 years ago
|
||
Backout by abutkovits@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/170f356185eb Backed out 2 changesets for causing Bug 1792435. a=backout
Updated•2 years ago
|
Comment 11•2 years ago
|
||
Pushed by drobertson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9fc8edef93c3 The imgIRequest uri attribute should be infallible. r=emilio https://hg.mozilla.org/integration/autoland/rev/aa5e6cdcbdc7 Cross origin image request should not respect image orientation. r=emilio
Comment 12•2 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/9fc8edef93c3
https://hg.mozilla.org/mozilla-central/rev/aa5e6cdcbdc7
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36183 for changes under testing/web-platform/tests
Upstream PR merged by moz-wptsync-bot
Description
•