So the risk is not that high, since if the image is not protected I can get it and do evil things without requiring the Light Sensor API. Isn't it?
On Wed, Apr 26, 2017 at 1:30 AM, Eric Rescorla <[email protected]> wrote:
>
> On Tue, Apr 25, 2017 at 3:40 PM, Salvador de la Puente <[email protected]> wrote:
>
>> The article says:
>>
>> > Embed an image from the attacked domain; generally this will be a resource
>> > which varies for different authenticated users such as the logged-in user’s
>> > avatar or a security code.
>>
>> And then it refers all the steps to this image (binarizing, expand and
>> measure per pixel) but, if I can embed that image, it is because I know the
>> URL for it and the proper auth tokens if it is protected. In that case, why
>> not simply steal the image?
>
> The simple version of this is that the image is cookie protected.
>
> -Ekr
>
>> On Wed, Apr 26, 2017 at 12:23 AM, Jonathan Kingston <[email protected]> wrote:
>>
>> > Auth-related images are the attack vector, that and history attacks on
>> > same domain.
>> >
>> > On Tue, Apr 25, 2017 at 11:17 PM, Salvador de la Puente <[email protected]> wrote:
>> >
>> >> Sorry for my ignorance but, in the case of Stealing cross-origin
>> >> resources, I don't get the point of the attack. If I have the ability to
>> >> embed the image in step 1, why not simply send this to evil.com for
>> >> further processing? How is it possible for evil.com to get access to
>> >> protected resources?
>> >>
>> >> On Tue, Apr 25, 2017 at 8:04 PM, Ehsan Akhgari <[email protected]> wrote:
>> >>
>> >> > On 04/25/2017 10:25 AM, Andrew Overholt wrote:
>> >> >
>> >> >> On Tue, Apr 25, 2017 at 9:35 AM, Eric Rescorla <[email protected]> wrote:
>> >> >>
>> >> >>> Going back to Jonathan's (I think) question. Does anyone use this at
>> >> >>> all in the field?
>> >> >>
>> >> >> Chrome's usage metrics say <= 0.0001% of page loads:
>> >> >> https://www.chromestatus.com/metrics/feature/popularity#AmbientLightSensorConstructor.
>> >> >
>> >> > This is the new version of the spec which we don't ship.
>> >> >
>> >> >> We are going to collect telemetry in
>> >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1359124.
>> >> >> _______________________________________________
>> >> >> dev-platform mailing list
>> >> >> [email protected]
>> >> >> https://lists.mozilla.org/listinfo/dev-platform

--
<salva />

