Re: Intent to implement and ship: WebP image support
On 11/10/2018 6:03 PM, Tom Ritter wrote: Are we bringing in a new third party library for this? (Seems like yes?) Who else uses it/audits it? Does anyone else fuzz it? Is it in OSS-fuzz? Are we fuzzing it? How does upstream behave? Do they cut releases or do they just have continual development and downstreams grab random versions of it? How do we plan to track security issues upstream? How do we plan to update it (mechanically and how often)? -tom We have been discussing implementation details such that webp would be using the media decoder framework to demux and decode the images. As such, webp support would automatically gain sandbox control (going through the same out of process decoding codepath like we will do with AV1). Doing it that way would also greatly help adding support for images like AVIF or even using videos (mp4, webm) inside an object. Though there seems to be an urgency in shipping it now, meaning that the implementation details I describe above won't likely be in the first release. JY ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement and ship: WebP image support
On Thu, Oct 11, 2018 at 5:43 PM Andrew Osmond wrote: > Is this feature restricted to secure contexts?: No, it isn't. This is not a > new API, instead it is just accepting more types of content via existing > channels. This isn't the rationale you're looking for. New formats would generally be expected to be restricted. New formats already shipped by other browsers and likely in use on insecure contexts however probably deserve an exception. ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement and ship: WebP image support
Yes, that's part of it. Further, now that Edge has shipped it we can cause there to be a majority of vendors supporting it. Having WebP supported by all of the browsers changes the weight we put on the different advantages and disadvantages. For example, Firefox supporting WebP will allow now allow web authors to have lossy compressed images with transparency (by using WebP with Chrome, Edge, Firefox and JPEG2000 with Safari) -Jeff On Thu, Oct 11, 2018 at 11:48 AM, Boris Zbarsky wrote: > On 10/11/18 11:43 AM, Andrew Osmond wrote: >> >> We are facing a growing number of webcompat reports against our >> Gecko-derived >> Android offerings, where web developers assume Android and/or mobile >> implies support for WebP. > > > In the past, I believe we objected to adding WebP for various reasons. Do we > feel that those reasons are now outweighed by the compat problems? > > -Boris > > ___ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement and ship: WebP image support
>Are we bringing in a new third party library for this? (Seems like yes?) libwebp (see https://bugzilla.mozilla.org/show_bug.cgi?id=1294490) >Who else uses it/audits it? Does anyone else fuzz it? Is it in OSS-fuzz? >Are we fuzzing it? http://developers.google.com/speed/webp - Chrome uses it. They fuzz it (including with private fuzzing). It's in OSS-fuzz: see https://groups.google.com/a/webmproject.org/forum/#!topic/webp-discuss/aqHRxQqJpH0 I don't believe we're fuzzing the patches yet, but I imagine we will. >How does upstream behave? Do they cut releases or do they just have >continual development and downstreams grab random versions of it? How do we >plan to track security issues upstream? How do we plan to update it >(mechanically and how often)? You can see how they handle releases above. Version 1.0.0 was cut in April (though there were a number before then). See https://chromium.googlesource.com/webm/libwebp I don't know how they track sec issues; probably similar to other google/chrome/chromium projects. See https://bugs.chromium.org/p/webp/issues/list You can report issues as "Security" issues. > bz wrote: >> In the past, I believe we objected to adding WebP for various reasons. >> Do we feel that those reasons are now outweighed by the compat problems? (Personal opinion) Yes, unfortunately. And AV1F image format both isn't ready and isn't universally supported; it will take a while. -- Randell Jesup, Mozilla Corp remove "news" for personal email ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement and ship: WebP image support
Are we bringing in a new third party library for this? (Seems like yes?) Who else uses it/audits it? Does anyone else fuzz it? Is it in OSS-fuzz? Are we fuzzing it? How does upstream behave? Do they cut releases or do they just have continual development and downstreams grab random versions of it? How do we plan to track security issues upstream? How do we plan to update it (mechanically and how often)? -tom On Thu, Oct 11, 2018 at 3:50 PM Boris Zbarsky wrote: > On 10/11/18 11:43 AM, Andrew Osmond wrote: > > We are facing a growing number of webcompat reports against our > Gecko-derived > > Android offerings, where web developers assume Android and/or mobile > > implies support for WebP. > > In the past, I believe we objected to adding WebP for various reasons. > Do we feel that those reasons are now outweighed by the compat problems? > > -Boris > ___ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement and ship: WebP image support
On 10/11/18 11:43 AM, Andrew Osmond wrote: We are facing a growing number of webcompat reports against our Gecko-derived Android offerings, where web developers assume Android and/or mobile implies support for WebP. In the past, I believe we objected to adding WebP for various reasons. Do we feel that those reasons are now outweighed by the compat problems? -Boris ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
