[slver]

Imagine I use a timing attack to visually encode some information about you in an image and trick you into sending a screenshot somewhere.

Very quick take, but systems are very interconnected these days, so sandboxes tend to leak in very unintentional ways.

[KMag]

How do you read a timer from within the JPEG XL bitstream? I believe the decoding process is deterministic.

[slver]

It's a challenge, but I'd probably look into any decoders that parallelize the decoding and see if I can abuse this.

[wizzwizz4]

You'd need to exploit an implementation bug, or have the user be streaming or something (so some squares appear before others as the output of your timing attack).

[tsegratis]

Just wait, its only a short while til JPEG contains the pdf spec and a javascript interpreter

[jonsneyers]

Yes, that is true, but it isn't particularly related to JPEG XL specifically.