The article says:

> Embed an image from the attacked domain; generally this will be a resource which varies for different authenticated users such as the logged-in user's avatar or a security code.

And then it refers all the steps to this image (binarizing, expanding and measuring per pixel). But if I can embed that image, it is because I know the URL for it and the proper auth tokens if it is protected. In that case, why not simply steal the image?

On Wed, Apr 26, 2017 at 12:23 AM, Jonathan Kingston <[email protected]> wrote:

> Auth related images are the attack vector, that and history attacks on same domain.
>
> On Tue, Apr 25, 2017 at 11:17 PM, Salvador de la Puente <[email protected]> wrote:
>
>> Sorry for my ignorance but, in the case of Stealing cross-origin resources, I don't get the point of the attack. If I have the ability to embed the image in step 1, why not simply send this to evil.com for further processing? How is it possible for evil.com to get access to protected resources?
>>
>> On Tue, Apr 25, 2017 at 8:04 PM, Ehsan Akhgari <[email protected]> wrote:
>>
>>> On 04/25/2017 10:25 AM, Andrew Overholt wrote:
>>>
>>>> On Tue, Apr 25, 2017 at 9:35 AM, Eric Rescorla <[email protected]> wrote:
>>>>
>>>>> Going back to Jonathan's (I think) question. Does anyone use this at all in the field?
>>>>
>>>> Chrome's usage metrics say <= 0.0001% of page loads: https://www.chromestatus.com/metrics/feature/popularity#AmbientLightSensorConstructor.
>>>
>>> This is the new version of the spec which we don't ship.
>>>
>>> We are going to collect telemetry in https://bugzilla.mozilla.org/show_bug.cgi?id=1359124.
>>>> _______________________________________________
>>>> dev-platform mailing list
>>>> [email protected]
>>>> https://lists.mozilla.org/listinfo/dev-platform

--
<salva />

