[css-images] image-orientation:none violates same-origin policy

[annevk]

As I realized in https://github.com/whatwg/html/pull/5603, this leaks an additional bit of information for opaque responses.

cc @heycam

[philcunliffe]

While I'm glad a decision was made so the uncertainty is gone, I really disagree with the direction.

I agree that from a security standpoint it's unfortunate that cross-origin images are allowed at all but given that they are it's important that they can be used properly. This middle ground approach where some metadata (width and height) is available and others like orientation are not only serves to subtlety break people in difficult to understand ways because the rules are not consistent. Holding the line on orientation alone doesn't isn't win for either paradigm, all it does is make cross-origin images more difficult to use.

[annevk]

They already are more difficult to use, if you don't use CORS to fetch them you cannot paint them on canvas and then read from that canvas, for instance. If you want to make full use of a cross-origin image, use CORS.

[noamr]

This middle ground approach where some metadata (width and height) is available and others like orientation are not...

It's not a middle ground. It's as strict as we can make it, considering the unfortunate situation where exposing width/height for cross-origin images is something that is probably too late to backtrack.

[annevk]

https://bugzilla.mozilla.org/show_bug.cgi?id=1655598 tracks this for Firefox.

[JiaboHu]

I guess what we could do is that we take the orientation into account for decoding purposes, but don't store it as a field on the resulting image if it was generated from an opaque response. So it appears rotated, but if you query its metadata it'll return the default orientation values.

Such a big change deserves a big announcement, at least an online conference on youtube to give developers enough time to understand and update their apps.

[mzur]

I am the maintainer of an image annotation web application and in a similar position than @philcunliffe (only that I wasn't aware of this before it was implemented). Now I'm caught cold with the implementation in Chromium which totally breaks our application without any way to implement backwards compatibility. We already went to great lengths to ensure backwards compatibility with the previous breaking change of always respecting the EXIF orientation (I also commented on that here but nobody seems to be interested there anymore).

I realize that it's probably too late and the discussion is already over but I wanted to leave a note that the previous decision to apply EXIF rotation by default and now this decision are huge breaking changes for some of us. Sorry for the rant, I'm just a little frustrated.

[dlrobertson]

Just a note: When fixing this in Gecko with bug 1655598, it was not clear to me that this should use cors-same-origin. This was later found and fixed in bug 1822116, but it might be nice if it was explicitly stated that cors-same-origin should be used.

[annevk]

@dlrobertson FWIW, the discussion above talks about "opaque responses". You don't get an opaque response when using CORS. You either get a non-opaque response or a network error.

[dlrobertson]

@annevk makes sense. Thanks for the clarification!

[DavidJCobb]

In the context of image dimensions already leaking across origins, making image-orientation require CORS comes across as security theater, not as an actual mitigation of a real threat. Is there any informational aspect to orientation, any meaning that it could possibly ever have, besides the presence or absence of a swap operation on two pieces of information (width and height) that everyone is already allowed to read?

They already are more difficult to use, if you don't use CORS to fetch them you cannot paint them on canvas and then read from that canvas, for instance. If you want to make full use of a cross-origin image, use CORS.

In what world is this use case even remotely comparable to simply placing an image in a document with the expectation that you can ensure it displays properly for your use case? How are intermediate-to-advanced HTML5 canvas shenanigans and scripted interactivity regarded as being on the same level as a bog-standard <img> tag?

[eeeps]

@DavidJCobb

How are intermediate-to-advanced HTML5 canvas shenanigans and scripted interactivity regarded as being on the same level as a bog-standard <img> tag?

Because exploits will take advantage of anything that's possible, and we should have ~zero-tolerance for creating new avenues for user harm. I sketched out an example to answer this question for myself, here:

Let’s say there’s an image URL – https://coolbank.com/hero.jpg, that happens to return a different resource depending on whether or not a user is currently logged in at coolbank.com.

— https://css-tricks.com/i-learned-to-love-the-same-origin-policy/

[philcunliffe]

I've had a couple years to debrief on this now and while I still could argue that "embedding instructions" don't belong in the same bucket as other much more sensitive EXIF data I think the solution is mostly fine.

As someone who was hit hard by this change my one wish would be that the W3C and big browsers treat breaking changes with more respect. The decisions of this group directly affect the largest application platform in the world.

The fact that many developers were caught completely off guard by a breaking change (with no option for backwards compatibility) to the worlds largest application platform seems like a process failure somewhere. In the image annotation industry alone this decision cost a lot of real peoples jobs and changed the flow of tens of millions of dollars at a minimum.

I'm guessing people in this body will say that this is entirely the browsers responsibility during implementation but there's an inescapable human element to these decisions now given the scale. Maybe the W3C should give guidelines for a time delay and warning mechanisms when a breaking decision is made? Even a simple console message when the image-orientation rule was present for 6 months before the change was actually made would have made a big difference.

[DavidJCobb]

I sketched out an example to answer this question for myself, here [...]

If exposing the intrinsic size of an image is enough to compromise an app, then that app is already insecure. Your example has us suppose the existence of a website that discloses image dimensions in a context where doing so is insecure, yet only discloses them in the specific ways that this change to the spec would block, and not in the very closely related, far more common, far more likely, and far more obvious ways that are currently treated (and will for the foreseeable future always be treated) as exceptions to same-origin restrictions.

You can contrive exceptions and edge-cases like, "Oh, but it only exposes the size of an image under this incredibly specific scenario that I hand-crafted explicitly to justify this one niche change to the spec that damages backward-compatibility," but that's equivalent to saying, "The problem isn't web developers shooting themselves in the leg. It's that they can aim at their leg, miss, and have the bullet ricochet off the floor and directly into their leg. The problem is that spot on the floor, and we should urgently get rid of it by annihilating the floor tiles there with a sledgehammer."

Cross-origin restrictions are a valuable principle by default, but it's not an absolute principle that's always intrinsically correct for the web, and it can't be cited as if it is one: the web is already filled with functionality that demands exceptions to it -- like being able to embed images across origins without setting up CORS -- and EXIF orientation belongs with that existing functionality. Like, what I'm seeing here is that focusing purely on what's practical, it's very easy to offer a straightforward disagreement with this change ("EXIF orientation is the same kind of data as intrinsic sizing information, which is already exposed") and it's very hard to offer a straightforward agreement with this change ("What if a web developer makes a site that's insecure but only in the exact ways that this otherwise nonsensical and inconsistent-with-everything-around-it change would band-aid for them, and also, what if we pretended that plain image tags are the same kind of content as scripted and interactive HTML5 canvases?").

This is security theater.

[eeeps]

I suppose I am more absolute, because it makes the security model of the web 1) stronger 2) easier to reason about. Web developers and users don't have to worry about this entire class of security problems if the platform can take care of it for them. My take is more like "unauthorized cross-origin reads of any kind should have never been allowed, and we certainly shouldn't open up new ones." Intrinsic sizing being exposed was, in hindsight, a mistake, and there are active efforts to fix it (although this is a very hard thing to do in a web compatible manner). In your foot-gunning metaphor, I wouldn't say I'm for "annihilating the floor", but I am for comprehensive gun control, and wish we'd had it thirty years ago.

[noamr]

Coming back from this after a few yeats - one same-origin policy violation (image dimensions) cannot justify another (orientation).

Because the former has been around for decades, authors had years to protect against this and be aware that image dimensions are something that's exposed to browsers and that's life. We have to be rigorous about not allowing new leaks because there is lots of content out there that is not protected against them.

Really the focus should go towards reducing the usage of no-cors in the web and moving towards CORS, even in CSS. I've recently updated the CSS spec (https://drafts.csswg.org/css-values-5/#request-url-modifiers) to allow CORS images, however that's not implemented in browsers. I think implementing that would be a step forwards to actually resolving this in a holistic manner.

[yoavweiss]

I'd even vote for a Document Policy that forces all subresources to be loaded with e.g. implicit crossorigin attributes. That would enable developers to always load their images CORS enabled and not worry about any of this.

[noamr]

I'd even vote for a Document Policy that forces all subresources to be loaded with e.g. implicit crossorigin attributes. That would enable developers to always load their images CORS enabled and not worry about any of this.

Yea I think we would need both, because some pages reference existing images that might not be CORS-enabled.

[philcunliffe]

@yoavweiss @noamr

Where would be the right spot to open an issue about breaking change guidelines? I believe it fits under the mission statement for W3C to develop a standard operating procedure.

[noamr]

@yoavweiss @noamr

Where would be the right spot to open an issue about breaking change guidelines? I believe it fits under the mission statement for W3C to develop a standard operating procedure.

Perhaps @jyasskin can advise here.

[jyasskin]

I don't have a good answer for you. Back in the day, there were documents like https://www.w3.org/TR/qaframe-spec/ that specified how to write specifications, but I don't think we have that sort of meta-WG right now in any of the standards bodies I follow. Instead, we have statements like https://whatwg.org/working-mode#removals that defer to implementer opinions, and https://www.chromium.org/blink/launching-features/#feature-deprecations that governs how Chrome in particular makes this sort of decision. The AB might be an appropriate body to think about this at the W3C-wide level, since they have an Incubation activity considering the other end of the pipeline. You can suggest they look at breaking changes by filing an issue in https://github.com/w3c/AB-public/issues. The CSSWG could also create an opinion for itself, but that wouldn't advise any other WGs.