Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is HTMLImgElement.decode() a cross-origin info channel? #8709

Open
noamr opened this issue Jan 11, 2023 · 3 comments
Open

Is HTMLImgElement.decode() a cross-origin info channel? #8709

noamr opened this issue Jan 11, 2023 · 3 comments
Labels
security/privacy There are security or privacy implications topic: img

Comments

@noamr
Copy link
Collaborator

noamr commented Jan 11, 2023

See w3c/largest-contentful-paint#111 (comment)

IMG decode() returns a promise that resolves when an image is fully decoded. Doesn't that leak information about cross-origin no-cors images? e.g. an SVG for a logged-in vs. anonymous user have the same dimensions but the logged-in one is a lot more complex so takes a long time to decode.
@noamr noamr changed the title Is HTMLImgElement.decode() a cross-origin info channel Is HTMLImgElement.decode() a cross-origin info channel? Jan 11, 2023
@noamr noamr mentioned this issue Jan 11, 2023
Open
@Kaiido
Copy link
Member

Kaiido commented Jan 11, 2023
edited
Loading

Specs currently seem to assume vector images don't need to be decoded, not sure how correct that is:

If decoding does not need to be performed for this image (for example because it is a vector graphic), resolve promise with undefined.

Also I believe the rendering time is already observable by drawing the image on a canvas (not entirely sure for SVG, but for bitmaps it will block on the rendering, see https://stackoverflow.com/questions/39543290/#39543762).

Ps: Running a quick test with this relatively heavy-on-filters image on Firefox, it seems that they do indeed ignore the decoding step in .decode() with SVG (Chrome apparently decodes before firing onload), and drawImage() does block on SVG too).

@noamr
Copy link
Collaborator Author

noamr commented Jan 11, 2023

Specs currently seem to assume vector images don't need to be decoded, not sure how correct that is:

If decoding does not need to be performed for this image (for example because it is a vector graphic), resolve promise with undefined.

Oh interesting, I was not aware of this.

Also I believe the rendering time is already observable by drawing the image on a canvas (not entirely sure for SVG, but for bitmaps it will block on the rendering, see https://stackoverflow.com/questions/39543290/#39543762).

I'm pretty sure that today drawing an image on a canvas is asynchronous in some browsers in some cases. At the very least it's not defined as synchronous, as long as you don't try to get the pixels straight after (which would be tainted in this case).

@Kaiido
Copy link
Member

Kaiido commented Jan 11, 2023

I'm pretty sure that today drawing an image on a canvas is asynchronous in some browsers in some cases. At the very least it's not defined as synchronous, as long as you don't try to get the pixels straight after (which would be tainted in this case).

Right, Chrome seems to delay the actual painting on canvas, but drawing that canvas over itself afterwards seems to trigger the synchronous painting of the image, even with cross-origin images. Note that createImageBitmap() also works on cross-origin images and also seems to expose the decoding time.

@annevk annevk added security/privacy There are security or privacy implications topic: img labels Feb 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security/privacy There are security or privacy implications topic: img
Milestone
No milestone
Development

No branches or pull requests
3 participants
@noamr @annevk @Kaiido