This year, I collaborated with Noam Rosenthal on standardizing a new web platform feature: dynamically adjusting image size and resolution. Success! However, the journey was a steep learning curve.
While I anticipated challenges like browser feedback and unforeseen technical hurdles, I underestimated the impact on web security and privacy principles. My prior understanding of these principles was insufficient.
Our goal was to modify the default display size of images. An 800x600 image, by default, renders at 800x600 CSS pixels. This is its intrinsic size (or natural size), with a default density of 1x.
The challenge arose when serving high-, low-, or variable-density images without CSS or HTML. This is a common need for image hosts like my employer, Cloudinary.
Our solution involved:
- Browsers reading and applying metadata within image resources to declare intended display size and resolution.
- Default browser respect for this metadata, overridable via CSS (image-resolution) or markup (srcset x descriptors).
This seemed sound – flexible and building on existing patterns. However, HTML spec editor Anne van Kesteren rejected it, citing a violation of the Same-Origin Policy (SOP). The same concern applied to image orientation, which also needed re-evaluation: the ability to toggle EXIF metadata effects via CSS/HTML violated SOP.
My initial understanding of SOP was limited to CORS errors. Now, it was hindering a major project. I had to learn!
My key takeaways:
- SOP is not a single rule, nor is it solely about CORS errors.
- It's an evolving philosophy, inconsistently implemented.
- The core principle is that web security and privacy boundaries are defined by origins. Shared origin implies unrestricted interaction; otherwise, restrictions apply.
- Many cross-origin interactions are allowed. Websites can generally write across origins (POST requests) and embed cross-origin resources (iframes, images). However, reading cross-origin resources in JavaScript requires explicit permission (CORS).
- Crucially, preventing cross-origin reads protects user privacy. Each user sees a personalized web, influenced by cookies and local context. Allowing websites to read data from other sites through a user's browser would be a major security flaw.
SOP primarily concerns preventing cross-origin reads. Other cross-origin actions are often permitted by default.
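To make the read/write/embed distinction concrete, here is a small added model (not code from the original article or from any browser) of the origin comparison SOP rests on and of the CORS rule that decides whether a page may read a cross-origin response. The origins and header values are constructed for the demonstration; `canRead` and `sopVerdict` are illustrative names, not browser APIs.

```javascript
// Added example (not from the original article): a model of the origin
// comparison behind the Same-Origin Policy and of the CORS read rule.

// An origin is the (scheme, host, port) triple of a URL. Two URLs share an
// origin only when all three match; path, query and fragment do not matter.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Whether script on `pageUrl` may read the body of the response from
// `resourceUrl`. `acao` is the response's Access-Control-Allow-Origin value
// (null when the header is absent); `credentials` says whether cookies were
// sent. Same origin is always readable; cross-origin needs explicit CORS
// permission, and the "*" wildcard is not accepted for credentialed requests.
function canRead(pageUrl, resourceUrl, acao, credentials = false) {
  if (isSameOrigin(pageUrl, resourceUrl)) return true;
  if (acao === null) return false;
  if (acao === "*") return !credentials;
  return acao === originOf(pageUrl);
}

// Default SOP verdicts for the three interaction kinds the article separates:
// cross-origin writes (form POST) and embeds (<img>, <iframe>) are allowed by
// default, reads are not unless CORS grants them.
function sopVerdict(pageUrl, resourceUrl, acao = null, credentials = false) {
  return {
    write: true,
    embed: true,
    read: canRead(pageUrl, resourceUrl, acao, credentials),
  };
}
```

Note that the model treats a differing scheme, a differing port, or a subdomain as a different origin, which is exactly why `http://` and `https://` versions of the same host cannot read each other's responses.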
The image size/resolution issue:
Imagine https://coolbank.com/hero.jpg returning different content based on the user's login status. The logged-in version might include EXIF resolution information, while the logged-out version doesn't. A malicious actor could embed this image, check its intrinsic size with and without EXIF applied, infer the login status from the difference, and use that knowledge for targeted phishing.
While not accessing pixel data (due to CORS), the actor gains information across origins – a violation.
Our solution: In cross-origin contexts, EXIF modifications are always applied, making the information unreadable. An image with EXIF-specified size will always render according to that size, regardless of CSS overrides.
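The following added model (not code from the original article, the spec, or any browser) shows why forcing EXIF to apply cross-origin closes the channel described above. `intrinsicSize` stands in for the browser's natural-size computation; the two image variants, their dimensions and the `honorOverride` flag are constructed for the demonstration, with `honorOverride = true` standing for the rejected design (author override honored everywhere) and `false` for the adopted rule.

```javascript
// Added example (not from the original article): a model of how always
// applying EXIF in cross-origin contexts makes the presence of EXIF
// resolution metadata unobservable to an embedding page.

// A decoded image: pixel dimensions plus optional EXIF resolution metadata,
// expressed as a density factor (2 means "display at half the pixel size").
function makeImage(pixelWidth, pixelHeight, exifDensity = null) {
  return { pixelWidth, pixelHeight, exifDensity };
}

// Intrinsic (natural) size the embedding page observes.
// `applyExif` is the author-controlled override (CSS image-resolution or
// srcset x descriptors). When `honorOverride` is false, as the adopted rule
// requires for cross-origin images, the override is ignored and EXIF is
// always applied: the page sees a size, never whether EXIF produced it.
function intrinsicSize(image, { honorOverride, applyExif }) {
  const useExif = honorOverride ? applyExif : true;
  const density = useExif && image.exifDensity ? image.exifDensity : 1;
  return {
    width: image.pixelWidth / density,
    height: image.pixelHeight / density,
  };
}

// Hypothetical scenario from the article: one URL, different bytes by login
// state. Logged-in: 800x600 pixels tagged 2x. Logged-out: plain 400x300.
const LOGGED_IN = makeImage(800, 600, 2);
const LOGGED_OUT = makeImage(400, 300);

// Can an embedder tell the two variants apart by toggling the override and
// comparing the observed sizes? Returns true when some override setting
// yields different sizes for the two variants.
function distinguishable(honorOverride) {
  const observe = (img) =>
    [true, false]
      .map((applyExif) => JSON.stringify(intrinsicSize(img, { honorOverride, applyExif })))
      .join("|");
  return observe(LOGGED_IN) !== observe(LOGGED_OUT);
}
```

With the override honored, disabling EXIF exposes 800x600 for the logged-in variant against 400x300 for the logged-out one, and login state leaks; with EXIF forced on, both variants report 400x300 for every override setting and the embedder learns nothing a plain 400x300 image would not have told it.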
Understanding SOP clarified other web security concepts:
- Cross-site request forgery (CSRF) exploits the default allowance of cross-origin writes.
- Content Security Policy (CSP) controls allowed embeds, addressing cross-site scripting (XSS) vulnerabilities.
- COOP, COEP, CORP, and CORB aim to eliminate cross-origin interactions, addressing inconsistencies in SOP implementation and mitigating vulnerabilities like Spectre.
In short:
- Web security and privacy are robust, based on origin-based interaction restrictions.
- Cross-origin reads are forbidden by default to protect user privacy.
- Any SOP loophole, however small, is a security risk.
My 2020 experience highlighted the critical importance of SOP and the need for stringent web security practices. A safer and more secure future requires unwavering defense of these principles.
The above is the detailed content of I learned to love the Same-Origin Policy. For more information, please follow other related articles on the PHP Chinese website!