w3c / webappsec-permissions-policy

A mechanism to selectively enable and disable browser features and APIs
https://w3c.github.io/webappsec-permissions-policy/

Visibility/Testability of policy interventions #279

Open triblondon opened 5 years ago

triblondon commented 5 years ago

Multiple (all image-related) policies appear to suffer from an inability to detect, in JavaScript, that the policy has taken effect (the existence of the reporting API for FP is acknowledged but not relevant here).

Affected policies, and demos which I can't write tests for, are:

I tried diffing every property of the HTMLImageElement, all the way up the chain, and there is no difference when the image is within policy vs when it is not. I also found that the load event is fired regardless of any policy violation.

Finally, I tried using the image as an input to a canvas and then sampling the canvas. This produces the original image, regardless of whether the image tag version has been suppressed due to the policy violation. This is actually quite worrying as it gives developers a (really awful) way to route around the policy.

clelland commented 5 years ago

the existence of the reporting API for FP is acknowledged but not relevant here

Are you able to intercept reports in JavaScript for individual images? I think that Chrome is sending such reports to any registered reporting observers (@loonybear would know for sure)

Finally, I tried using the image as an input to a canvas and then sampling the canvas. This produces the original image, regardless of whether the image tag version has been suppressed due to the policy violation. This is actually quite worrying as it gives developers a (really awful) way to route around the policy.

That sounds like an implementation bug -- can you file one at https://crbug.com? The image data shouldn't be available; we aren't even guaranteeing that the entire image was downloaded at that point.
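
The ReportingObserver route suggested above, as an added example that is not code from the issue or from the spec repository. It assumes (not stated on this page) that Chrome delivers image-policy violations as reports of type `feature-policy-violation` (later renamed `permissions-policy-violation`) whose `body` carries a `featureId`, and the feature name `oversized-images` in the constructed sample data is likewise an assumption used only as illustrative input. The observer factory is injectable so the classification logic can run outside a browser; in a page you would pass `browserObserverFactory`.

```javascript
// Added example: detect an image-policy violation from script via
// ReportingObserver rather than by inspecting the HTMLImageElement.
// Assumptions (not from the page): report.type is 'feature-policy-violation'
// or 'permissions-policy-violation', and report.body.featureId names the
// violated feature. Field names may differ between browser versions.

const POLICY_REPORT_TYPES = ['feature-policy-violation', 'permissions-policy-violation'];

// Return the violated feature id if `report` is a policy-violation report for
// one of `featureIds` (a Set of strings), otherwise null.
function violatedImageFeature(report, featureIds) {
  if (!report || !report.body) return null;
  if (!POLICY_REPORT_TYPES.includes(report.type)) return null;
  const id = report.body.featureId;
  return featureIds.has(id) ? id : null;
}

// Synchronous scan of a batch of reports; returns the first matching report or null.
function firstImagePolicyViolation(reports, featureIds) {
  for (const r of reports) {
    if (violatedImageFeature(r, featureIds) !== null) return r;
  }
  return null;
}

// Resolve with the first matching report, or reject after `timeoutMs` so a test
// fails deterministically. Note that <img> 'load' fires even when the policy
// suppressed the image, so waiting on 'load' alone cannot detect the violation.
function waitForImagePolicyViolation(featureIds, timeoutMs, observerFactory) {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => {
      observer.disconnect();
      reject(new Error('no image-policy violation observed within ' + timeoutMs + ' ms'));
    }, timeoutMs);
    const observer = observerFactory((reports) => {
      const hit = firstImagePolicyViolation(reports, featureIds);
      if (hit !== null) {
        clearTimeout(timer);
        observer.disconnect();
        resolve(hit);
      }
    });
    observer.observe();
  });
}

// Browser wiring. `buffered: true` asks for reports generated before the
// observer was created, which matters when the <img> is already in the markup.
function browserObserverFactory(callback) {
  return new ReportingObserver(callback, { types: POLICY_REPORT_TYPES, buffered: true });
}

// Offline stand-in for ReportingObserver that delivers `reports` on observe().
function fakeObserverFactory(reports) {
  return (callback) => ({
    observe() { setTimeout(() => callback(reports), 0); },
    disconnect() {},
  });
}

// Constructed sample reports (not captured from a browser).
const SAMPLE_REPORTS = [
  { type: 'deprecation', url: 'https://example.test/', body: { id: 'SomeDeprecatedApi' } },
  {
    type: 'feature-policy-violation',
    url: 'https://example.test/page.html',
    body: {
      featureId: 'oversized-images', // assumed feature name, sample data only
      disposition: 'enforce',
      sourceFile: 'https://example.test/page.html',
      lineNumber: 12,
      columnNumber: 3,
      message: 'Feature policy violation: oversized-images is not allowed in this document.',
    },
  },
];

const WATCHED = new Set(['oversized-images']);

// Stand-alone run using the fake observer; in a page use browserObserverFactory.
waitForImagePolicyViolation(WATCHED, 1000, fakeObserverFactory(SAMPLE_REPORTS))
  .then((r) => console.log('violation observed for', r.body.featureId, 'at', r.body.sourceFile + ':' + r.body.lineNumber))
  .catch((e) => console.error(e.message));
```

This tells you that a violation occurred, not which element triggered it; tying a report back to a particular `<img>` has to go through `sourceFile`/`lineNumber` (an assumption about the report body), so a test that loads one image per document is the simplest way to keep that correlation unambiguous.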

triblondon commented 5 years ago

Ah, I hadn't considered using a ReportingObserver to see the violation in JS. Will do and report back.

Re the canvas, I wasn't sure what the intended behaviour was here, to be honest, but I can put my test case back together and submit a bug.

loonybear commented 5 years ago

Which chrome version are you testing this on? You should also be observing console errors when image policy is violated. There are web-platform-tests for reporting which you can use as a template for your own tests.

Re "I tried diffing every property of the HTMLImageElement, all the way up the chain, and there is no difference when the image is within policy vs when it is not." This seems weird to me, images should be rendered as placeholder. I would like to verify that you have the flag Experimental Web Platform features enabled?

triblondon commented 5 years ago

Which chrome version are you testing this on?

74

There are web-platform-tests for reporting which you can use as a template for your own tests.

Ooooh, these are new! Thanks.

Re "I tried diffing every property of the HTMLImageElement, all the way up the chain, and there is no difference when the image is within policy vs when it is not." This seems weird to me, images should be rendered as placeholder. I would like to verify that you have the flag Experimental Web Platform features enabled?

I do, and the image does indeed render as a placeholder. I just can't detect that from script.