LGTM2
/Daniel
On 2023-08-30 16:24, Yoav Weiss wrote:
LGTM1 to ship, with a base flag to ensure we can rollback if needed.
On Mon, Aug 28, 2023 at 6:16 PM Dale Curtis <dalecur...@chromium.org>
wrote:
On Mon, Aug 21, 2023 at 9:41 AM Dale Curtis
<dalecur...@chromium.org> wrote:
On Sun, Aug 20, 2023 at 7:36 PM Yoav Weiss
<yoavwe...@chromium.org> wrote:
Thanks for working on this!! Eliminating resources which
can't be loaded as CORS enabled resources is super useful!
On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis
<dalecur...@chromium.org> wrote:
Contact emails
dalecur...@chromium.org
Explainer
None
Specification
https://www.w3.org/TR/SVG
Summary
Implements the crossOrigin attribute for SVG images:
The crossOrigin attribute, valid on the <image> and
<feImage> elements, provides support for configuration
of the Cross-Origin Resource Sharing (CORS) requests
for the element's fetched data. The supported values
are the same as elsewhere: "anonymous",
"use-credentials", and "" (which means anonymous).
https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin
https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute
Blink component
Blink>SVG
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESVG>
Search tags
svg <https://chromestatus.com/features#tags:svg>,
crossorigin
<https://chromestatus.com/features#tags:crossorigin>,
image <https://chromestatus.com/features#tags:image>
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
None
I believe content that already has a crossorigin
attribute, but where the servers didn't send ACAO would
now be blocked.
Can we add a usecounter for that case, and monitor it as
part of the rollout?
/Gecko/: Shipped/Shipping
(https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility)
According to MDN, that's a fairly recent change. Do you
know if it ran into any compat issues?
I don't. Nothing is called out on the implementation issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=1240357
+longs...@gmail.com who authored the Firefox change in case
they want to weigh in.
Robert indicated privately that Firefox hasn't seen any issues
with roll out thus far.
/WebKit/: No signal
(https://github.com/WebKit/standards-positions/issues/241)
WebKit indicates they're likely to mark this as supported shortly:
https://github.com/WebKit/standards-positions/issues/241#issuecomment-1693613454
/Web developers/: Positive
/Other signals/:
Security
The default value of the crossOrigin attribute is
"anonymous", both Safari and Chrome currently treat
the missing attribute as "no cors". Due to the default
value change, content that was previously inaccessible
and/or tainted will become accessible without
site/developer involvement if the server was already
supplying the correct Access-Control-Allow-Origin header.
fs pointed out that this is confusingly worded. I've rephrased
it as:
"Content that was previously inaccessible and/or tainted will
become accessible without site/developer involvement if the
client side element has a crossOrigin attribute and the server
was already supplying the correct Access-Control-Allow-Origin
header."
WebView application risks
Does this intent deprecate or change behavior of
existing APIs, such that it has potentially high risk
for Android WebView-based applications?
None
Debuggability
None
Will this feature be supported on all six
Blink platforms (Windows, Mac, Linux, Chrome
OS, Android, and Android WebView)?
Yes
Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes
Link to wpt.fyi that shows Firefox passing the tests
currently?
Hmm, I linked to them on the chromestatus entry, I guess it
doesn't include them here:
https://wpt.fyi/results/svg/embedded/image-crossorigin.sub.html?label=master&label=experimental&aligned
<https://wpt.fyi/results/svg/embedded/image-crossorigin.sub.html?label=master&label=experimental&aligned>https://wpt.fyi/results/webcodecs/videoFrame-construction.crossOriginSource.sub.html?label=master&label=experimental&aligned
<https://wpt.fyi/results/webcodecs/videoFrame-construction.crossOriginSource.sub.html?label=master&label=experimental&aligned>
Flag name on chrome://flags
None
Finch feature name
SvgCrossOriginAttribute
Non-finch justification
Minor attribute addition.
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=842321
Launch bug
https://bugs.chromium.org/p/chromium/issues/detail?id=842321
Estimated milestones
Shipping on desktop 118
Shipping on Android 118
Anticipated spec changes
Open questions about a feature may be a source of
future web compat or interop issues. Please list open
issues (e.g. links to known github issues in the
project for the feature specification) whose
resolution may introduce web compat/interop risk
(e.g., changing to naming or structure of the API in a
non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5109030850134016
--
You received this message because you are subscribed
to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVuZxs7AGfPz23oVfPCnxQQ5Wk7F0tVAuc3WmQhe9zipw%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVuZxs7AGfPz23oVfPCnxQQ5Wk7F0tVAuc3WmQhe9zipw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/8f5813e3-38c4-b036-15d4-2248f15be6e6%40gmail.com.