
[css-color-5] Question regarding on-demand download of ICC file

Open deimidis opened this issue 2 years ago • 3 comments

Hi, I'm adding this question as a PING review.

After reading the current draft, there's the question of when the "on demand" ICC file download should happen, and if that on demand depends on hardware/software from the visitor of a website or user of an app.

In Section 4.2 and Section 9 it is mentioned that adding custom color spaces makes the browser download an ICC file, with some information regarding how to use/show colors. If that on-demand download depends on hardware or software information from the user's devices, can that lead to some information from the device being reported to the website (possibly a fingerprinting opportunity)?

Thanks!

deimidis avatar Aug 11 '22 20:08 deimidis

> If that on-demand download depends on hardware or software information from the user devices

It does not. In particular, there is explicitly and deliberately not an option for "download this unless you already have a profile with the same name installed". The profile is always downloaded.

Rather like downloadable web fonts, implementations may choose to download a resource as soon as they have parsed that part of the style sheet, or they might choose to prioritize other resources (perhaps that color space is not actually used, same as a font linked but not actually used).

But to display a color defined with an ICC profile, the profile must always be downloaded before display.

svgeesus avatar Aug 12 '22 13:08 svgeesus

Custom color spaces used to be in CSS Color 4 and were then moved to CSS Color 5. During wide review of CSS Color 4 there was a security question about ICC profiles, which might be of interest in the context of this issue:

  • https://github.com/w3c/csswg-drafts/issues/5552

svgeesus avatar Aug 12 '22 13:08 svgeesus

@deimidis does this answer your question?

svgeesus avatar Aug 23 '22 11:08 svgeesus

@svgeesus sorry for the big delay in my answer. I read the issue you linked and I think it is much clearer now (about browsers parsing these profiles already). My only question would be about the on-demand part: whether that could be used to know if a browser downloaded an ICC file because a current device is connected to the computer. I think you answered that on the other issue, that these ICC files are standards, so it is tricky to track a specific printer from that download. Is that right?

deimidis avatar Aug 30 '22 18:08 deimidis

Ah I see, you are worried about "what printer do I have connected" as a fingerprinting vector.

No, that doesn't happen. Here is why. In an ICC workflow you have two ICC profiles. One (the one being downloaded because the CSS links to it) tells you what the input colors mean (the colors used on the web page). It says how to convert those colors to the profile connection space (CIE XYZ or Lab). The other (which may come with the screen/printer, or be measured by the user to create their own) tells you what the output colors are; how to convert from the profile connection space to whatever the screen or printer uses.

This CSS feature is about input profiles, only. It does not, and cannot (the CSS would have a list of every screen and printer in the world?) affect the output profile. The color management system uses the two profiles together to convert input colors to output colors.

svgeesus avatar Aug 31 '22 14:08 svgeesus
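
Added illustration (not part of the thread, the specification, or any browser's code): a simplified JavaScript model of the two-profile workflow described in the comment above, showing that the only network-visible step comes from the input profile named by the page, while the output profile only changes the locally computed device values. The profile URL, object names and `display` function are constructed for this example; profiles are reduced to matrices on linear-light values with one shared white point.

```javascript
// Simplified model of an ICC workflow: matrix-only profiles, linear-light
// values, one shared white point. Real profiles also carry tone curves and
// use a D50 profile connection space (PCS).
const mul = (m, v) => m.map(row => row.reduce((s, c, i) => s + c * v[i], 0));

// Input profile: named by the stylesheet, so it is the only one with a URL.
// The URL is a constructed placeholder.
const inputProfile = {
  url: "https://example.com/profiles/page-colors.icc",
  toPCS: [ // linear sRGB -> CIE XYZ
    [0.4124564, 0.3575761, 0.1804375],
    [0.2126729, 0.7151522, 0.0721750],
    [0.0193339, 0.1191920, 0.9503041],
  ],
};

// Output profiles: local to the device, never referenced by the page.
const outputProfiles = {
  srgbScreen: { fromPCS: [ // CIE XYZ -> linear sRGB
    [ 3.2404542, -1.5371385, -0.4985314],
    [-0.9692660,  1.8760108,  0.0415560],
    [ 0.0556434, -0.2040259,  1.0572252],
  ] },
  p3Screen: { fromPCS: [ // CIE XYZ -> linear Display P3
    [ 2.4934969, -0.9313836, -0.4027108],
    [-0.8294890,  1.7626641,  0.0236247],
    [ 0.0358458, -0.0761724,  0.9568845],
  ] },
};

// What a color management system does for one color: fetch the input
// profile, convert to the PCS, then apply whichever output profile is local.
function display(color, input, output) {
  const networkRequests = [input.url];      // depends on the page only
  const pcs = mul(input.toPCS, color);      // input colors -> PCS
  const device = mul(output.fromPCS, pcs);  // PCS -> local device values
  return { networkRequests, pcs, device };
}

const red = [1, 0, 0];
const onSrgb = display(red, inputProfile, outputProfiles.srgbScreen);
const onP3 = display(red, inputProfile, outputProfiles.p3Screen);
console.log(onSrgb.networkRequests, onP3.networkRequests); // same request list
console.log(onSrgb.device, onP3.device); // different device values
```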

Great, thank you very much, and again, sorry for my delay in answering.

deimidis avatar Aug 31 '22 19:08 deimidis

@npdoty can we remove the privacy-needs-resolution?

svgeesus avatar Sep 01 '22 13:09 svgeesus