On 6/10/15 5:32 AM, Anne van Kesteren wrote:
On Wed, Jun 10, 2015 at 11:22 AM, Hallvord Reiar Michaelsen Steen
Developing web browsers and their specs means paranoia should be part of
your job description.
It is a concern and I'm not sure how to solve it.
Well we should be able to allow some things here. Either we verify
that it is an image or we only allow images that are exported from
<canvas> or some such... But yeah, passing arbitrary bytes seems bad,
there needs to be some amount of validation.
Are you suggesting/proposing new normative requirement(s) in the "spec
proper" and/or new text in the security/privacy considerations?