
External color profiles and CSP #516

Open
annevk opened this issue Oct 7, 2021 · 8 comments

Comments

@annevk
Member

annevk commented Oct 7, 2021

In whatwg/fetch#1324 @noamr reminded me that external color profiles are (about to be?) a thing. I'm not sure what this means for CSP.

Fonts were apparently big enough to get their own font-src, but is that also true for color profiles?

Should we have a new x-src that covers non-script/non-style things?

Or have we completely stopped caring about this and will just let default-src handle it?

@annevk
Member Author

annevk commented Oct 7, 2021

cc @tabatkins

@noamr
Contributor

noamr commented Oct 7, 2021

@mikewest
Member

mikewest commented Oct 8, 2021

While I think we probably need to start over with regard to exfiltration mitigation to have anything like a justifiable system, it seems reasonable that CSP would need to deal with these resources in some way. default-src should certainly cover them, and I could imagine wrapping them up in style-src (given my very uninformed understanding of the way they interact with pages, it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?). I don't think that creating something like a colorprofile-src declaration would be useful.

@noamr
Contributor

noamr commented Oct 9, 2021

> While I think we probably need to start over with regard to exfiltration mitigation to have anything like a justifiable system, it seems reasonable that CSP would need to deal with these resources in some way. default-src should certainly cover them, and I could imagine wrapping them up in style-src (given my very uninformed understanding of the way they interact with pages, it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?). I don't think that creating something like a colorprofile-src declaration would be useful.

I think it makes sense that color profiles would be equivalent to styles in terms of CSP, as color profiles are in a way "extensions" to style, kind of like a style import.

@svgeesus

> it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?)

Yes, color profiles fetched as an external resource only affect colors in the stylesheets that linked to and use them. They are separate from, and don't interact with, profiles embedded in raster images, for example.

ICC profiles do not contain executable code (in v2 and v4) and contain a very limited type of code in v5 (the calculator element, which executes a stack-based computation that lacks looping).

For more details, see: [css-color-4] Security: handling of color-profiles

@noamr
Contributor

noamr commented Oct 12, 2021

I read

> it seems unlikely that they'll be used outside the context of a style declaration, and it doesn't seem likely they create a different kind of risk than stylesheets?)
>
> Yes, color profiles fetched as an external resource only affect colors in the stylesheets that linked to and use them. They are separate from, and don't interact with, profiles embedded in raster images, for example.
>
> ICC profiles do not contain executable code (in v2 and v4) and contain a very limited type of code in v5 (the calculator element, which executes a stack-based computation that lacks looping).
>
> For more details, see: [css-color-4] Security: handling of color-profiles

I read this and I'm missing a data point: can internal values from the color profile be detected (using a script, getComputedStyle or so) by the caller? If so, its CORS should be "anonymous" (same as fonts/shapes, as they affect layout which is JS-detectable), and if not, it should be "opaque" (same as background images).

@annevk
Member Author

annevk commented Oct 12, 2021

We agreed a while ago to not fetch new resource types without CORS.

@mikewest
Member

mikewest commented Oct 14, 2021

Ok, from the above, I think the CSP story is pretty clear for v2 and v4 profiles: they can be controlled by style-src by adding the colorprofile destination to the list of destinations controlled by that directive. I'd be happy to review a PR to that effect (along with tests :) ).

That said, I'm a little scared about the risk of code execution in v5. That possibility feels different in kind, but I'm a bit confused about the capability: w3c/csswg-drafts#5552 (comment) closed out that review issue, noting that "Okay so for the security & privacy appendix I added a note that ICC profiles are downloaded on demand and do not contain executable code." Is that no longer the case? /cc @svgeesus
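A toy CSP evaluator, added here as an illustration and not code from the CSP spec or from this thread, modelling the proposal above: a request with the colorprofile destination is governed by style-src, and default-src is the fallback when no more specific directive is present. The destination-to-directive table and the simplified source-expression matching are assumptions of the example.

```python
from urllib.parse import urlparse

# Fetch destination -> governing CSP directive. Grouping "colorprofile" under
# style-src is the proposal in this thread; the table itself is an assumption
# of this example, not a transcription of the spec.
DESTINATION_DIRECTIVE = {
    "style": "style-src",
    "colorprofile": "style-src",
    "font": "font-src",
}

def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source exprs]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _source_matches(expr, url, origin):
    """Simplified source-expression match: 'none', 'self', *, scheme://host, *.host."""
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    u = urlparse(url)
    if expr == "'self'":
        o = urlparse(origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    e = urlparse(expr if "://" in expr else "//" + expr)
    scheme_ok = not e.scheme or e.scheme == u.scheme
    if e.netloc.startswith("*."):
        return scheme_ok and (u.hostname or "").endswith(e.netloc[1:])
    return scheme_ok and u.hostname == e.netloc

def effective_directive(policy, destination):
    """Directive governing `destination`, falling back to default-src (None if neither)."""
    name = DESTINATION_DIRECTIVE.get(destination)
    if name in policy:
        return name
    return "default-src" if "default-src" in policy else None

def allowed(header, destination, url, origin):
    """True if fetching `url` as `destination` from page `origin` passes the policy."""
    policy = parse_csp(header)
    directive = effective_directive(policy, destination)
    if directive is None:
        return True  # no applicable directive: the policy does not restrict it
    return any(_source_matches(s, url, origin) for s in policy[directive])
```

With `default-src 'self'; style-src 'self' https://cdn.example`, a profile from cdn.example is allowed as a style-governed fetch, while a font from the same CDN falls through to default-src and is blocked.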
