On Tue, Apr 25, 2017 at 5:26 PM, Salvador de la Puente < sdelapue...@mozilla.com> wrote:
> So the risk is not that high since if the image is not protected I can get > it and do evil things without requiring the Light Sensor API. Isn't it? > Generally, we take cross-origin information theft pretty seriously. -Ekr > On Wed, Apr 26, 2017 at 1:30 AM, Eric Rescorla <e...@rtfm.com> wrote: > >> >> >> On Tue, Apr 25, 2017 at 3:40 PM, Salvador de la Puente < >> sdelapue...@mozilla.com> wrote: >> >>> The article says: >>> >>> Embed an image from the attacked domain; generally this will be a >>> resource >>> > which varies for different authenticated users such as the logged-in >>> user’s >>> > avatar or a security code. >>> > >>> >>> And then refers all the steps to this image (binarizing, expand and >>> measure >>> per pixel) but, If I can embed that image, it is because I know the URL >>> for >>> it and the proper auth tokens if it is protected. In that case, why to >>> not >>> simply steal the image? >>> >> >> The simple version of this is that the image is cookie protected. >> >> -Ekr >> >> >>> On Wed, Apr 26, 2017 at 12:23 AM, Jonathan Kingston <j...@mozilla.com> >>> wrote: >>> >>> > Auth related images are the attack vector, that and history attacks on >>> > same domain. >>> > >>> > On Tue, Apr 25, 2017 at 11:17 PM, Salvador de la Puente < >>> > sdelapue...@mozilla.com> wrote: >>> > >>> >> Sorry for my ignorance but, in the case of Stealing cross-origin >>> >> resources, >>> >> I don't get the point of the attack. If have the ability to embed the >>> >> image >>> >> in step 1, why to not simply send this to evil.com for further >>> >> processing? >>> >> How it is possible for evil.com to get access to protected resources? >>> >> >>> >> On Tue, Apr 25, 2017 at 8:04 PM, Ehsan Akhgari < >>> ehsan.akhg...@gmail.com> >>> >> wrote: >>> >> >>> >> > On 04/25/2017 10:25 AM, Andrew Overholt wrote: >>> >> > >>> >> >> On Tue, Apr 25, 2017 at 9:35 AM, Eric Rescorla <e...@rtfm.com> >>> wrote: >>> >> >> >>> >> >> Going back to Jonathan's (I think) question. Does anyone use this >>> at >>> >> all >>> >> >>> in >>> >> >>> the field? >>> >> >>> >>> >> >>> Chrome's usage metrics say <= 0.0001% of page loads: >>> >> >> https://www.chromestatus.com/metrics/feature/popularity#Ambi >>> >> >> entLightSensorConstructor. >>> >> >> >>> >> > >>> >> > This is the new version of the spec which we don't ship. >>> >> > >>> >> > >>> >> > We are going to collect telemetry in >>> >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1359124. >>> >> >> _______________________________________________ >>> >> >> dev-platform mailing list >>> >> >> dev-platform@lists.mozilla.org >>> >> >> https://lists.mozilla.org/listinfo/dev-platform >>> >> >> >>> >> > >>> >> > _______________________________________________ >>> >> > dev-platform mailing list >>> >> > dev-platform@lists.mozilla.org >>> >> > https://lists.mozilla.org/listinfo/dev-platform >>> >> > >>> >> >>> >> >>> >> >>> >> -- >>> >> <salva /> >>> >> _______________________________________________ >>> >> dev-platform mailing list >>> >> dev-platform@lists.mozilla.org >>> >> https://lists.mozilla.org/listinfo/dev-platform >>> >> >>> > >>> > >>> >>> >>> -- >>> <salva /> >>> _______________________________________________ >>> dev-platform mailing list >>> dev-platform@lists.mozilla.org >>> https://lists.mozilla.org/listinfo/dev-platform >>> >> >> > > > -- > <salva /> > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
