
I learned to love the Same-Origin Policy

Apr 01, 2025 am 04:55 AM

This year, I collaborated with Noam Rosenthal on standardizing a new web platform feature: dynamically adjusting image size and resolution. Success! However, the journey was a steep learning curve.

While I anticipated challenges like browser feedback and unforeseen technical hurdles, I underestimated the impact on web security and privacy principles. My prior understanding of these principles was insufficient.

Our goal was to modify the default display size of images. An 800x600 image, by default, renders at 800x600 CSS pixels. This is its intrinsic size (or natural size), with a default density of 1x.

The challenge arose when serving high-, low-, or variable-density images without being able to attach CSS or HTML to each one. This is a common need for image hosts like my employer, Cloudinary.

Our solution involved:

  1. Browsers reading and applying metadata within image resources to declare intended display size and resolution.
  2. Browsers respecting this metadata by default, with authors able to override it via CSS (image-resolution) or markup (srcset's x descriptors).

This seemed sound – flexible and building on existing patterns. However, HTML spec editor Anne van Kesteren rejected it, citing a violation of the Same-Origin Policy (SOP). The same objection applied to image orientation, which also comes from EXIF metadata and needed re-evaluation: letting a page toggle the effect of EXIF metadata via CSS or HTML violated the SOP.

My initial understanding of SOP was limited to CORS errors. Now, it was hindering a major project. I had to learn!

My key takeaways:

  • SOP is not a single rule, nor is it solely about CORS errors.
  • It's an evolving philosophy, inconsistently implemented.
  • The core principle is that web security and privacy boundaries are defined by origins. Shared origin implies unrestricted interaction; otherwise, restrictions apply.
  • Many cross-origin interactions are allowed. Websites can generally write across origins (POST requests) and embed cross-origin resources (iframes, images). However, reading cross-origin resources in JavaScript requires explicit permission (CORS).
  • Crucially, preventing cross-origin reads protects user privacy. Each user sees a personalized web, influenced by cookies and local context. Allowing websites to read data from other sites through a user's browser would be a major security flaw.

SOP primarily concerns preventing cross-origin reads. Other cross-origin actions are often permitted by default.

The image size/resolution issue:

Imagine https://coolbank.com/hero.jpg, which returns different content depending on whether the user is logged in. The logged-in version might include EXIF resolution information, while the logged-out version doesn't. A malicious page could embed this image, check its intrinsic size with and without the EXIF metadata applied, infer the user's login status from the difference, and use that knowledge to launch targeted phishing attacks.

While the page never accesses pixel data (CORS prevents that), it still learns something about a cross-origin resource – exactly what the SOP forbids.

Our solution: In cross-origin contexts, EXIF-derived size and resolution are always applied and cannot be switched off, so there is nothing to compare against. An image with an EXIF-specified size will always render at that size, regardless of CSS overrides.

Understanding SOP clarified other web security concepts:

  • Cross-site request forgery (CSRF) exploits the default allowance of cross-origin writes.
  • Content Security Policy (CSP) controls allowed embeds, addressing cross-site scripting (XSS) vulnerabilities.
  • COOP, COEP, CORP, and CORB aim to lock down the cross-origin interactions that are still allowed by default, addressing inconsistencies in how the SOP is implemented and mitigating side-channel vulnerabilities like Spectre.

In short:

  • Web security and privacy are robust, based on origin-based interaction restrictions.
  • Cross-origin reads are forbidden by default to protect user privacy.
  • Any SOP loophole, however small, is a security risk.

My 2020 experience highlighted the critical importance of SOP and the need for stringent web security practices. A safer and more secure future requires unwavering defense of these principles.
