Jon Sneyers
> I think we have two options:
>
> 1. Safelist the MIME type.
> 2. Require folks use CORS (and also enforce the MIME type).
>
> I somewhat...
> It would mean that `image/jxl` would not work cross-origin by default. This would be similar to module scripts. So if you have an img tag with a cross-origin uri,...
> That's a good point, that would have to not work. Yes but it would be nice if a browser would be able to know before it makes a request...
It would be 'protected' in the sense that it wouldn't work, which is one way to be more secure but not my favorite way to do it. The leaked data...
Maybe I am missing something, but why can't `image/*` just be whitelisted instead of whitelisting `image/svg+xml` plus the specific image codecs mentioned in https://mimesniff.spec.whatwg.org/#image-type-pattern-matching-algorithm ? Note that JPEG 2000...
~~As far as I understand, credentialed GETs are not typical for cross-origin img requests.~~ Edit: my understanding is improving and the previous sentence is probably wrong :) I agree that...
Perhaps it could be useful to try to collect data on uses of cross-origin img loads that rely on cookies. Maybe a way forward could be to make crossorigin=anonymous the...
The standard is finalized already - the codestream in January 2021, the file format in April 2021.
> In my opinion you should just wait until Google natively adds the codec to Android. I disagree with that strategy. Image codecs are evolving faster than the long tail...
> Looks like encoder/decoder performance are the main issues of flif. As it was inspired by ffv1, is it common enough with ffv1 to be implemented using libavcodec to get...