[css-color-4] Security: handling of color-profiles #5552
Comments
svgeesus
added
css-color-4
Yes. The "track a user" concern is identical to any resource specified in CSS, tho - in particular, images like The "malicious payload" concern is relative to whatever parsers browsers use for their ICC parsing - a broken parser is def an issue, but it's also a clear bug. I'm not sure - how severe is this kind of thing? It's part of any new file format being introduced, right?
New file format. Dunno about their contents - @svgeesus?
Yes. Can you elaborate on how it enables fingerprinting? The only profiles available are those predefined by the spec, and those explicitly loaded by the page. The latter aren't a fingerprinting vector - they're the same for everyone visiting the page - and the former is the generic "new features aren't supported by old browsers, and thus allow UA detection" leak intrinsic to the entire web platform.
The interaction between CSS's resource loading and CSP is ill-defined in general right now, but I suspect this interacts identically to CSS image loading. |
|
Color profiles are in practice mostly used to give the (large) amount of measured color information needed to accurately convert colors on a Web page into CMYK for printing on a specific printer/ink/paper combination. The specification recommends some widely used profiles (FOGRA, SWOP) for particular characterised printers, which being standard are less of a tracking risk and will enable accurate printing at a commercial print shop. But if someone needs to print on an unusual printer they can do that too. Such workflows are in practice more likely to be intranet than internet, for example a publishing house generating a printed book from HTML/CSS sources. Color profiles can be used for RGB colorspaces as well, but the CSS Color 4 specification already predefines the most commonly used ones, so that color profiles do not need to be downloaded. |
|
Adding on to (or in one case contradicting) what Tab said:
Yes
Malicious payload is unlikely, the contents of an ICC profile are declarative and contain measured color information. There are no scripts in color profiles and no script execution mechanism.
Tab was incorrect here.
No, see above.
Security bugs get reported to the ICC, which discloses them after fixes have been tested and deployed. See
Possibly but unlikely. For example a profile could be used to swap the red and green channels, which would give a different visual result. However, browsers already have pretty good defenses to stop a script reading colors back off the screen. |
|
Hi there! The only way I can see color profiles being different than the background-image problem in this case would be a gamut-mapping-detection possibility. To avoid duplicating detail, I just mentioned it in: #5553 (comment) |
|
Thanks, I was actually just reading that comment :) |
|
OS-level color management systems are certainly a possible attack surface, but this has already been probed and cleaned up over the last decade or so from fuzzing image decoders. The ICC profiles used in CSS Color 4 as the same as those embedded in raster images or PDFs. See for example https://www.real-sec.com/2020/09/fuzzing-image-parsing-in-windows-part-one-color-profiles/ |
|
As a further indication that ICC is not a new format on the Web, the Internet Media Type |
Currently, CSS accesses external resources such as fonts, images, color profiles via the
So I guess the answer to your question is "we are working on that, and the solution will not be specific to color profiles" |
It's "a new format on the web" because browsers do not currently parse ICC files; this is a new parser being exposed to the web. The presence of it in standards doesn't matter here, it's the exposure of potential new parsing vulnerabilities due to new parsers being exercised by potentially malicious actors. |
|
Adding this to the list of resources to address for CORS and CSP sound like a good idea. Much better to handle this generically. There will be some added attack surface exposed by the processing of the color profiles, however the file format does not have potentially dangerous functionality such as scripting. It would be a good to review and fuzz implementations that handle this format, but I'm not sure that is something that goes in this spec. |
|
Okay so for the security & privacy appendix I added a note that ICC profiles are downloaded on demand and do not contain executable code. Beyond that, I am not hearing any requests for changes to the specification, is that correct? |
|
Correct. I don't think there is anything actionable for this specification. |
svgeesus
added
Commenter Satisfied
svgeesus
added
privacy-tracker
w3cbot
added
the
privacy-needs-resolution
w3cbot
added
security-needs-resolution
samuelweiler
removed
privacy-needs-resolution
How different is an ICC file from the ICC chunk in images? I haven't checked other browsers, but Firefox parses ICC in JPEG, PNG, BMP, WebP, AVIF so I imagine most browsers do. That parser is effectively exposed to the web already. |
That was my point in comment - identical, just transferred as a separate resource rather than included inside a raster image. For example definition of the iCCP Embedded ICC profile chunk in PNG:
Correct. |
I've been assigned to security review this document. I have some concerns with the handling of color profiles and how they might introduce security and privacy risks. My understanding of them is incomplete.
If so there is a potential risk that these requests could be used to track a user or deliver a malicious payload.
What are the ways an implementation can mitigate any risks associated with handling this new file type?
If so it seems this could be used in fingerprinting
Do you envision any special treatment of these requests by content security policy?
The text was updated successfully, but these errors were encountered: