Identity/Security/RP logo

From MozillaWiki

Displaying logos from Relying Parties in the dialog

Relying parties can specify an image to be shown in the dialog through the siteLogo option.

See this related discussion: https://groups.google.com/d/topic/mozilla.dev.identity/OumzKDFTroE/discussion

Risks

  • the browser executing scripts contained inside the image file (for example, script embedded in an SVG)
  • a large image taking over the visible portion of the dialog and changing its layout in a confusing or malicious way

Mitigations

  • siteLogo must be specified as an absolute path on the RP site (for example /img/logo.png), not a full URL; the dialog resolves it against the RP's origin, so the image always has the RP as its origin
  • the image must be served over HTTPS to avoid mixed-content issues inside the dialog
  • since the dialog itself creates the img element, the RP controls only the image bytes and not the surrounding markup, so we can be sure the layout is not made confusing to the end user, and CSS rules on the outer elements can enforce a maximum size
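The following is an added example, not the Persona dialog's own code, showing how a dialog could check an RP-supplied siteLogo value against the first two mitigations above (absolute path on the RP site, HTTPS). The names rpOrigin, siteLogo, resolveSiteLogo and isAcceptableSiteLogo are illustrative; the code relies only on the standard WHATWG URL class.

```javascript
// Added example (not Persona code): validate an RP-supplied siteLogo.
// `rpOrigin`, `siteLogo`, `resolveSiteLogo` and `isAcceptableSiteLogo` are
// illustrative names. Uses the WHATWG URL class (global in Node.js and browsers).

// Returns the absolute https:// URL the dialog may load for the logo, or throws.
// rpOrigin is the RP's origin as the dialog knows it, e.g. "https://example.org".
function resolveSiteLogo(rpOrigin, siteLogo) {
  if (typeof siteLogo !== "string" || siteLogo === "") {
    throw new Error("siteLogo must be a non-empty string");
  }
  // Must be an absolute path: this rejects full URLs ("https://other/..."),
  // protocol-relative URLs ("//other/...") and relative paths ("img/logo.png").
  if (!siteLogo.startsWith("/") || siteLogo.startsWith("//")) {
    throw new Error("siteLogo must be an absolute path on the RP site");
  }
  // Whitespace and control characters are stripped or rewritten by URL parsers;
  // refuse them rather than guess how the browser will interpret the path.
  if (/[\u0000-\u0020\u007f]/.test(siteLogo)) {
    throw new Error("siteLogo contains whitespace or control characters");
  }
  const origin = new URL(rpOrigin);
  // The dialog is served over HTTPS, so an http:// logo would be mixed content.
  if (origin.protocol !== "https:") {
    throw new Error("the RP origin must be https:// for its logo to be shown");
  }
  const resolved = new URL(siteLogo, origin.href);
  // Defence in depth: the WHATWG parser treats a backslash like a slash for
  // https, so "/\\other.example/x" resolves to "https://other.example/x".
  // The prefix check alone is therefore not enough; the resolved origin must
  // still be the RP's own origin.
  if (resolved.origin !== origin.origin) {
    throw new Error("siteLogo resolved outside the RP origin");
  }
  return resolved.href;
}

// Boolean form for callers that only need to decide whether to render a logo.
function isAcceptableSiteLogo(rpOrigin, siteLogo) {
  try {
    resolveSiteLogo(rpOrigin, siteLogo);
    return true;
  } catch (e) {
    return false;
  }
}
```

Only the URL the function returns should be placed in the src attribute of an img element that the dialog itself creates, with max-width and max-height set on the containing element; that covers the third mitigation. Loading the file through an img element also means the browser will not execute script it contains, SVG included.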

Background