We do strip EXIF data and apply the orientation tag before serving. We have done this for months.
There was temporarily a bug where on rare occasions images would get served with EXIF tags intact, but this was resolved a couple weeks ago. We hadn't publicly announced the bug because we were still working through notifying users who may have been affected.
We also ask that you not use the community forums to report potential security issues. Please report them to us directly via support@cohost.org.
Could the file name be stripped too? I uploaded some pictures and only then I realized my personal file names are included. It feels revealing and makes it so I need to think of my naming as public, or need to go out of my way to rename before posting
A friend of mine has done a bit of investigating and it looks like standard exif-strip practices are followed when images are cached through CloudFlare's CDN but not when they're uncached, so it'd likely be better to just do the stripping on Cohost's side so it's consistent
(also important to not strip is rotation metadata)
if this is implemented, one thing i’d really like to ask not to be stripped is the icc color profile (which may not even be part of exif data, but ‘exif-stripping’ tools like to remove it anyway). it typically does not contain any identifying data except maybe the display model a screenshot was taken on, and it’s important for maintaining accurate colors.
LemmaEOF
26 people like this idea