From Alex Chiculita:
CSS exclusions shapes extracted from images have security issues that we need to address in the spec. The leak is pretty easy to demonstrate, you just need to reference an image from a remote domain as the exclusion shape and set the line-height of the content to 1px. If enough text content is provided, the bounding rectangles of the lines of text can be used to reconstruct the original image. The image created using this technique has just 2 colors (black & white), but the threshold can be used to obtain multiple snapshots, so grayscale representations can be extrapolated. I think CORS can save us with this one, too.
*** Bug 16717 has been marked as a duplicate of this bug. ***
Comment from Vincent from 16717:
The use of images as exclusion areas, especially when combined with the
shape-image-threshold property are a security concerns because through script,
malicious code could analyze the content of a cross domain image.
For example, if the attacker uses 1px x 1px inline elements around and inside
an image exclusion and uses script to find the position of the element,
information about the image will be leaked and will allow reconstruction of a
grayscale version of the image.
Locked down shapes-from-images to CORS-same-origin for now. Still need to add in a way to loosen this.
Added a requirement to use (potentially) CORS-enabled fetch for all URLs in a shape-outside value.