w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

External color profiles and CSP #516

Open annevk opened 3 years ago

annevk commented 3 years ago

In https://github.com/whatwg/fetch/issues/1324 @noamr reminded me that external color profiles are (about to be?) a thing. I'm not sure what this means for CSP.

Fonts were apparently big enough to get their own font-src, but is that also true for color profiles?

Should we have a new x-src that covers non-script/non-style things?

Or have we completely stopped caring about this and will just let default-src handle it?

annevk commented 3 years ago

cc @tabatkins

noamr commented 3 years ago

See https://drafts.csswg.org/css-color-4/#at-profile CC @svgeesus

mikewest commented 3 years ago

While I think we probably need to start over with regard to exfiltration mitigation to have anything like a justifiable system, it seems reasonable that CSP would need to deal with these resources in some way. default-src should certainly cover them, and I could imagine wrapping them up in style-src (given my very uninformed understanding of the way they interact with pages, it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?). I don't think that creating something like a colorprofile-src declaration would be useful.

noamr commented 3 years ago

> While I think we probably need to start over with regard to exfiltration mitigation to have anything like a justifiable system, it seems reasonable that CSP would need to deal with these resources in some way. default-src should certainly cover them, and I could imagine wrapping them up in style-src (given my very uninformed understanding of the way they interact with pages, it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?). I don't think that creating something like a colorprofile-src declaration would be useful.

I think it makes sense that color profiles would be equivalent to styles in terms of CSP, as color profiles are in a way "extensions" to style, kind of like a style import.

svgeesus commented 3 years ago

> it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?)

Yes, color profiles fetched as an external resource only affect colors in the stylesheets that linked to and use them. They are separate from, and don't interact with, profiles embedded in raster images, for example.

ICC profiles do not contain executable code (in V2 and v4) and contain a very limited type of code in v5 (the calculator element, which executes a stack-based computation that lacks looping)

For more details, see: [css-color-4] Security: handling of color-profiles

noamr commented 3 years ago

> > it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?)
>
> Yes, color profiles fetched as an external resource only affect colors in the stylesheets that linked to and use them. They are separate from, and don't interact with, profiles embedded in raster images, for example.
>
> ICC profiles do not contain executable code (in V2 and v4) and contain a very limited type of code in v5 (the calculator element, which executes a stack-based computation that lacks looping)
>
> For more details, see: [css-color-4] Security: handling of color-profiles

I read this and I'm missing a data point: can internal values from the color profile be detected (using a script, getComputedStyle or so) by the caller? If so, its CORS should be "anonymous" (same as fonts/shapes, as they affect layout which is JS-detectable), and if not, it should be "opaque" (same as background images).

annevk commented 3 years ago

We agreed a while ago to not fetch new resource types without CORS.

mikewest commented 3 years ago

Ok, from the above, I think the CSP story is pretty clear for v2 and v4 profiles: they can be controlled by style-src by adding the colorprofile destination to the list of destinations controlled by that directive. I'd be happy to review a PR to that effect (along with tests :) ).

That said, I'm a little scared about the risk of code execution in v5. That possibility feels different in kind, but I'm a bit confused about the capability: https://github.com/w3c/csswg-drafts/issues/5552#issuecomment-713860492 closed out that review issue, noting that "Okay so for the security & privacy appendix I added a note that ICC profiles are downloaded on demand and do not contain executable code." Is that no longer the case? /cc @svgeesus
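As an added illustration (not code from the CSP spec, this repository, or any commenter), here is a simplified model of how a policy would govern a color-profile fetch under the proposal above: the `colorprofile` destination is mapped to style-src, with default-src as the fallback. The source-expression matching is reduced to 'none', 'self', scheme and exact-host forms as a simplifying assumption; the spec's matching algorithm is broader.

```javascript
// Added illustration: simplified CSP "effective directive" lookup, extended
// with the proposal that the `colorprofile` destination be governed by
// style-src. Not the spec algorithm; source matching is deliberately reduced.

// Destination -> directive. The colorprofile entry is the proposal from this
// thread (an assumption), not something the current spec defines.
const DESTINATION_DIRECTIVE = {
  script: "script-src",
  style: "style-src",
  colorprofile: "style-src",
  font: "font-src",
  image: "img-src",
};

// Parse "default-src 'self'; style-src profiles.example" into
// Map(directive name -> array of source expressions).
function parsePolicy(serialized) {
  const policy = new Map();
  for (const token of serialized.split(";")) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Directive governing a destination, falling back to default-src (simplified).
function effectiveDirective(policy, destination) {
  const specific = DESTINATION_DIRECTIVE[destination];
  if (specific && policy.has(specific)) return specific;
  return policy.has("default-src") ? "default-src" : null;
}

// Does the source list allow fetching `url` from a document at `origin`?
// An empty list or a lone 'none' allows nothing; 'none' beside other
// expressions is ignored, as in the spec.
function sourceListAllows(sources, url, origin) {
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === origin;
    if (src.endsWith(":")) return target.protocol === src; // scheme-source
    const host = src.includes("://") ? new URL(src).host : src;
    return target.host === host; // exact host only; no wildcard support
  });
}

// Verdict plus the governing directive, so a caller can report the violation.
function checkFetch(serializedPolicy, destination, url, origin) {
  const policy = parsePolicy(serializedPolicy);
  const directive = effectiveDirective(policy, destination);
  if (!directive) return { allowed: true, directive: null };
  return { allowed: sourceListAllows(policy.get(directive), url, origin), directive };
}
```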