mediacapture-image
Make mandatory link between image metadata and page permissions
(this issue is from the review I did as part of PING's HR review)
Currently, the spec mentions, non-normatively, that implementors might consider preventing unexpected information loss through image headers. The risks for privacy loss here are significant, and could even weaken privacy protections enforced elsewhere in the platform (as an example, geolocation information might be leaked to the page through an EXIF header in an image, despite the page not having the geolocation permission).
The spec should, normatively, ensure that the new functionality in the spec doesn't cause such privacy harm.
Two possible suggestions for how the spec could do this:
- Simplest idea: specify that there MUST NOT be any metadata attached to the returned image
- More difficult idea: specify what kinds of data MAY be attached to the image, and consider that a closed set
The above are just offered as suggestions, but the core of the issue here is that the spec should deal with this introduced privacy risk through normative / required protections.
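To make the leak concrete, the following is an added example that is not part of the issue, the spec, or any user agent's code: given the bytes of a JPEG `Blob` such as one returned by `ImageCapture.takePhoto()`, it walks the marker segments, reports whether the Exif APP1 segment's IFD0 carries a `GPSInfoIFDPointer` entry (tag 0x8825, the entry that leads to latitude/longitude), and strips the metadata-bearing APP1 (Exif/XMP) and APP13 (IPTC) segments while keeping the JFIF APP0 and the image data. The sample JPEG is constructed inline (a valid header with a GPS IFD pointer but no real scan data) so the check runs offline; the function names and the choice of which segments to drop are this example's own.

```javascript
// Added example: detect and strip EXIF/IPTC metadata in a JPEG before page logic sees it.
// Not the spec's text or a browser implementation; names and segment policy are assumptions.
const SOI = 0xd8, EOI = 0xd9, SOS = 0xda, APP0 = 0xe0, APP1 = 0xe1, APP13 = 0xed;
const EXIF_HEADER = [0x45, 0x78, 0x69, 0x66, 0x00, 0x00]; // "Exif\0\0"
const TAG_GPS_IFD = 0x8825; // GPSInfoIFDPointer in IFD0 (TIFF/Exif tag numbering)

// Walk the marker segments between SOI and SOS. Returns the segments and the
// offset where entropy-coded data (SOS) begins; everything after that is copied as-is.
function jpegSegments(bytes) {
  if (bytes.length < 2 || bytes[0] !== 0xff || bytes[1] !== SOI) throw new Error("not a JPEG");
  const segs = [];
  let pos = 2;
  while (pos + 4 <= bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error("marker expected at offset " + pos);
    const marker = bytes[pos + 1];
    if (marker === 0xff) { pos++; continue; }        // fill byte before a marker
    if (marker === SOS || marker === EOI) break;
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3]; // length field counts itself
    if (len < 2 || pos + 2 + len > bytes.length) throw new Error("bad segment length");
    segs.push({ marker, start: pos, end: pos + 2 + len });
    pos += 2 + len;
  }
  return { segs, headerEnd: pos };
}

function isExifSegment(bytes, seg) {
  if (seg.marker !== APP1) return false;
  return EXIF_HEADER.every((b, i) => bytes[seg.start + 4 + i] === b);
}

// Parse the TIFF structure inside an Exif APP1 and report whether IFD0 points at a GPS IFD.
function exifHasGpsIfd(bytes, seg) {
  const tiff = seg.start + 4 + EXIF_HEADER.length;
  const view = new DataView(bytes.buffer, bytes.byteOffset + tiff, seg.end - tiff);
  const le = view.getUint16(0) === 0x4949;          // "II" little-endian, "MM" big-endian
  if (view.getUint16(2, le) !== 42) return false;   // TIFF magic
  const ifd0 = view.getUint32(4, le);
  if (ifd0 + 2 > view.byteLength) return false;
  const count = view.getUint16(ifd0, le);
  for (let i = 0; i < count; i++) {
    const entry = ifd0 + 2 + i * 12;                // 12-byte IFD entries: tag, type, count, value
    if (entry + 12 > view.byteLength) break;
    if (view.getUint16(entry, le) === TAG_GPS_IFD) return true;
  }
  return false;
}

function hasGpsMetadata(bytes) {
  const { segs } = jpegSegments(bytes);
  return segs.some((s) => isExifSegment(bytes, s) && exifHasGpsIfd(bytes, s));
}

// Drop APP1 (Exif/XMP) and APP13 (Photoshop/IPTC); keep APP0 (JFIF), quantization and
// Huffman tables, frame headers and the scan data, so the image still decodes.
function stripMetadata(bytes) {
  const { segs, headerEnd } = jpegSegments(bytes);
  const keep = [bytes.subarray(0, 2)];
  for (const s of segs) {
    if (s.marker === APP1 || s.marker === APP13) continue;
    keep.push(bytes.subarray(s.start, s.end));
  }
  keep.push(bytes.subarray(headerEnd));
  const out = new Uint8Array(keep.reduce((n, k) => n + k.length, 0));
  let off = 0;
  for (const k of keep) { out.set(k, off); off += k.length; }
  return out;
}

// Constructed sample (not a real capture): SOI, a JFIF APP0, an Exif APP1 whose IFD0 holds a
// single GPSInfoIFDPointer entry pointing at an empty GPS IFD, then SOS and EOI with no scan data.
function buildSampleJpeg() {
  const app0 = [0xff, APP0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01, 0x01, 0x00,
                0x00, 0x01, 0x00, 0x01, 0x00, 0x00];
  const app1 = [0xff, APP1, 0x00, 0x28, ...EXIF_HEADER,
                0x4d, 0x4d, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x08,       // "MM", 42, IFD0 at 8
                0x00, 0x01,                                           // one IFD0 entry
                0x88, 0x25, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1a,
                0x00, 0x00, 0x00, 0x00,                               // no next IFD
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00];                  // empty GPS IFD at 0x1a
  const tail = [0xff, SOS, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00, 0x12, 0x34, 0xff, EOI];
  return new Uint8Array([0xff, SOI, ...app0, ...app1, ...tail]);
}
```

In a page this would be applied as `new Uint8Array(await blob.arrayBuffer())` on the result of `takePhoto()`; note that it only covers `image/jpeg` output, while PNG (`eXIf` chunk) and WebP (`EXIF` chunk) carry the same information in container-specific places, which is one reason a normative "no metadata" requirement on the user agent is simpler than page-side scrubbing.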
@pes10k any update on the issue? From the fingerprinting issues raised in the media capture stream, I believe stripping excessive metadata is a good privacy approach. We can also review the various data to trim the excessive data to be used in fingerprinting if need be.
@EricMwobobia I have not heard anything back from the WG in response to PING's review
@riju Can you have a look?