While this is a neat technical trick, it does appear to require that an attacker also be able to inject a script tag with a specific source of the attacker's choice. Which feels like cheating, kind of; for a web application that's pretty much the equivalent of "well, assume you already have root on the victim's machine, once you have that you can do THIS".
Serious question: do any "real" web applications which allow you to upload images not re-encode the image before saving it to disk? I thought this was industry standard.

There's a whole host of issues associated with not doing this, including potentially unwanted EXIF data, and e.g. just cat'ing a JPEG with a RAR file and using the image host as an arbitrary file host, etc.
Funny enough, this is fixed in Firefox 51 already (shipping in January).
https://bugzilla.mozilla.org/show_bug.cgi?id=1288361
Huh. Why do JPEG files support comments?

(I mean, that's what this comes down to, right? Both formats support comments, and starting a comment in one is a valid start for the other, so you can interleave them and do whatever you like.)
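As an added example, not code from any commenter and unrelated to the Firefox fix linked above: a stdlib-only Python walker over JPEG marker segments that does what the re-encoding question and the "comments" remark point at on the server side, namely find COM (0xFFFE) segments and rebuild the file without COM and APP1..APP15 metadata while leaving the frame and scan data untouched. The sample bytes are constructed for the demonstration and are not a decodable picture.

```python
import struct

# JPEG marker codes that matter for this check
SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0
APPN = range(0xE1, 0xF0)                  # APP1..APP15: EXIF, XMP, ICC, vendor blobs
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM, RST0..RST7 carry no length field

def iter_segments(data):
    """Yield (marker, payload, raw_bytes) per segment; SOS through EOI is one blob."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:                 # entropy-coded data follows, no more metadata
            yield marker, data[pos + 2:], data[pos:]
            return
        if marker == EOI or marker in STANDALONE:
            yield marker, b"", data[pos:pos + 2]
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length            # the length field counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end
    raise ValueError("truncated: no SOS/EOI")

def find_comments(data):
    """Payload of every COM segment: the free-form text a polyglot can hide in."""
    return [payload for m, payload, _ in iter_segments(data) if m == COM]

def strip_metadata(data):
    """Rebuild without COM/APP1..APP15; APP0 (JFIF), tables, frame and scan stay as-is."""
    out = bytearray(b"\xff\xd8")
    for marker, _, raw in iter_segments(data):
        if marker == COM or marker in APPN:
            continue
        out += raw
    return bytes(out)

def build_sample():
    """Constructed stream: COM opening a JS block comment, JFIF APP0, Exif APP1, SOS, EOI."""
    def seg(marker, body):
        return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
    return (b"\xff\xd8" + seg(COM, b"/*constructed*/")
            + seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00")
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x00" + b"\xff\xd9")
```

A real upload pipeline would re-encode through an image library instead, but this walker is enough to reject or log files whose COM segments carry anything but plain text.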