Bug 16112 - Address security concern with automatic shape extractions for images
Alias: None
Product: CSS
Classification: Unclassified
Component: Shapes
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Alan Stearns
QA Contact: public-css-bugzilla
Duplicates: 16717
Reported: 2012-02-24 18:34 UTC by Vincent Hardy
Modified: 2013-07-19 21:39 UTC
Description Vincent Hardy 2012-02-24 18:34:37 UTC
From Alex Chiculita:

CSS exclusions shapes extracted from images have security issues that we need to address in the spec. The leak is pretty easy to demonstrate: you just need to reference an image from a remote domain as the exclusion shape and set the line-height of the content to 1px. If enough text content is provided, the bounding rectangles of the lines of text can be used to reconstruct the original image. The image created using this technique has just 2 colors (black & white), but the threshold can be used to obtain multiple snapshots, so grayscale representations can be extrapolated. I think CORS can save us with this one, too.
Comment 1 Alan Stearns 2012-04-25 22:21:53 UTC
*** Bug 16717 has been marked as a duplicate of this bug. ***
Comment 2 Alan Stearns 2012-04-25 22:22:46 UTC
Comment from Vincent from 16717:

The use of images as exclusion areas, especially when combined with the
shape-image-threshold property, is a security concern because through script,
malicious code could analyze the content of a cross-domain image.

For example, if the attacker uses 1px x 1px inline elements around and inside
an image exclusion and uses script to find the position of the element,
information about the image will be leaked and will allow reconstruction of a
grayscale version of the image.
Comment 3 Alan Stearns 2013-06-20 21:34:51 UTC
Locked down shapes-from-images to CORS-same-origin for now. Still need to add in a way to loosen this.
Comment 4 Alan Stearns 2013-07-19 21:39:11 UTC
Added a requirement to use (potentially) CORS-enabled fetch for all URLs in a shape-outside value.
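
The CORS gate described in comments 3 and 4, as an added example that is not part of the original bug thread or of any browser's code: a simplified model of how a user agent decides whether a fetched `shape-outside` image is CORS-same-origin and may feed shape extraction. The function names, the "anonymous" default mode and the `.example` hosts are assumptions made for illustration.

```javascript
// Simplified model of the CORS gate for shape-outside images (added example).
// Function names are hypothetical; this is not browser or spec code.

// Origin = scheme + host + port, as serialized by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Case-insensitive lookup in a plain headers object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Returns "cors-same-origin" when the image may be used for shape extraction,
// or "network-error" when the user agent must refuse to use it.
// mode is "anonymous" (no credentials sent) or "use-credentials".
function classifyShapeImage(documentUrl, imageUrl, responseHeaders, mode = "anonymous") {
  const docOrigin = originOf(documentUrl);
  if (originOf(imageUrl) === docOrigin) return "cors-same-origin";

  const allowOrigin = header(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return "network-error"; // server did not opt in

  if (mode === "use-credentials") {
    // A wildcard never authorises a credentialed cross-origin read.
    const allowCreds = header(responseHeaders, "Access-Control-Allow-Credentials");
    return allowOrigin === docOrigin && allowCreds === "true"
      ? "cors-same-origin" : "network-error";
  }
  return allowOrigin === "*" || allowOrigin === docOrigin
    ? "cors-same-origin" : "network-error";
}

// Constructed sample responses (not captured traffic).
const page = "https://site.example/article.html";
const samples = [
  ["https://site.example/float.png", {}],
  ["https://cdn.example/float.png", {}],
  ["https://cdn.example/float.png", { "Access-Control-Allow-Origin": "*" }],
];
for (const [url, headers] of samples) {
  console.log(url, JSON.stringify(headers), "->", classifyShapeImage(page, url, headers));
}
```

An image that fails this check produces no shape at all, so line boxes around the float carry no information about its pixels.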