On 11/10/2018 6:03 PM, Tom Ritter wrote:
Are we bringing in a new third party library for this? (Seems like yes?) Who else uses it/audits it? Does anyone else fuzz it? Is it in OSS-fuzz? Are we fuzzing it? How does upstream behave? Do they cut releases or do they just have continual development and downstreams grab random versions of it? How do we plan to track security issues upstream? How do we plan to update it (mechanically and how often)? -tom
We have been discussing implementation details such that webp would be using the media decoder framework to demux and decode the images. As such, webp support would automatically gain sandbox control (going through the same out of process decoding codepath like we will do with AV1).
Doing it that way would also greatly help adding support for images like AVIF or even using videos (mp4, webm) inside an <image> object.
Though there seems to be an urgency in shipping it now, meaning that the implementation details I describe above won't likely be in the first release.
JY _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform