On Mon, Aug 21, 2023 at 9:41 AM Dale Curtis <dalecur...@chromium.org> wrote:
> On Sun, Aug 20, 2023 at 7:36 PM Yoav Weiss <yoavwe...@chromium.org> wrote: > >> Thanks for working on this!! Eliminating resources which can't be loaded >> as CORS enabled resources is super useful! >> >> On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalecur...@chromium.org> >> wrote: >> >>> Contact emailsdalecur...@chromium.org >>> >>> ExplainerNone >>> >>> Specificationhttps://www.w3.org/TR/SVG >>> >>> Summary >>> >>> Implements the crossOrigin attribute for SVG images: The crossOrigin >>> attribute, valid on the <image> and <feImage> elements, provides support >>> for configuration of the Cross-Origin Resource Sharing (CORS) requests for >>> the element's fetched data. The supported values are the same as elsewhere: >>> "anonymous", "use-credentials", and "" (which means anonymous). >>> https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin >>> https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute >>> >>> >>> Blink componentBlink>SVG >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESVG> >>> >>> Search tagssvg <https://chromestatus.com/features#tags:svg>, crossorigin >>> <https://chromestatus.com/features#tags:crossorigin>, image >>> <https://chromestatus.com/features#tags:image> >>> >>> TAG reviewNone >>> >>> TAG review statusNot applicable >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> None >>> >> >> I believe content that already has a crossorigin attribute, but where the >> servers didn't send ACAO would now be blocked. >> Can we add a usecounter for that case, and monitor it as part of the >> rollout? >> > >> >>> >>> *Gecko*: Shipped/Shipping ( >>> https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility >>> ) >>> >> >> According to MDN, that's a fairly recent change. Do you know if it ran >> into any compat issues? >> > > I don't. Nothing is called out on the implementation issue: > https://bugzilla.mozilla.org/show_bug.cgi?id=1240357 > > +longs...@gmail.com who authored the Firefox change in case they want to > weigh in. > Robert indicated privately that Firefox hasn't seen any issues with roll out thus far. > > >> >> >>> >>> *WebKit*: No signal ( >>> https://github.com/WebKit/standards-positions/issues/241) >>> >> WebKit indicates they're likely to mark this as supported shortly: https://github.com/WebKit/standards-positions/issues/241#issuecomment-1693613454 > >>> *Web developers*: Positive >>> >>> *Other signals*: >>> >>> Security >>> >>> The default value of the crossOrigin attribute is "anonymous", both >>> Safari and Chrome currently treat the missing attribute as "no cors". Due >>> to the default value change, content that was previously inaccessible >>> and/or tainted will become accessible without site/developer involvement if >>> the server was already supplying the correct Access-Control-Allow-Origin >>> header. >>> >> > fs pointed out that this is confusingly worded. I've rephrased it as: > "Content that was previously inaccessible and/or tainted will become > accessible without site/developer involvement if the client side element > has a crossOrigin attribute and the server was already supplying the > correct Access-Control-Allow-Origin header." > > >> >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> None >>> >>> >>> Debuggability >>> >>> None >>> >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, Chrome OS, Android, and Android WebView)?Yes >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ?Yes >>> >> >> Link to wpt.fyi that shows Firefox passing the tests currently? >> > > Hmm, I linked to them on the chromestatus entry, I guess it doesn't > include them here: > > https://wpt.fyi/results/svg/embedded/image-crossorigin.sub.html?label=master&label=experimental&aligned > https://wpt.fyi/results/webcodecs/videoFrame-construction.crossOriginSource.sub.html?label=master&label=experimental&aligned > > >> >> >>> >>> >>> Flag name on chrome://flagsNone >>> >>> Finch feature nameSvgCrossOriginAttribute >>> >>> Non-finch justification >>> >>> Minor attribute addition. >>> >>> >>> Requires code in //chrome?False >>> >>> Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=842321 >>> >>> Launch bughttps://bugs.chromium.org/p/chromium/issues/detail?id=842321 >>> >>> Estimated milestones >>> Shipping on desktop 118 >>> Shipping on Android 118 >>> >>> Anticipated spec changes >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> None >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/5109030850134016 >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwf21Y-4LmtyUE2XSrdKsNXDZOQ5gGbgtP0tBsFS3ecTeQ%40mail.gmail.com.
