LGTM2 - It seems to have ended up on our lists in chromestatus when I
put my LGTM there, but you should also trigger the other reviews (or
make them N/A if you think that is appropriate). Privacy, testing,
enterprise, and so on.
I guess there is a non-zero risk that there is some important
application using this but the risk must be extremely close to zero. I
don't even know of a way to create such files, and quickly searching the
web didn't tell me anything either.
/Daniel
On 2025-12-12 19:27, Łukasz Anforowicz wrote:
On Fri, Dec 12, 2025 at 1:34 AM Philip Jägenstedt
<[email protected]> wrote:
Hmm, I went to approve it in chromestatus as well, but
https://chromestatus.com/feature/5153489630134272 looks like it's
not been updated. Can you update that entry and then resend the
email so that entry and emails are properly linked?
Sorry about that. I went ahead and entered 145 as the shipping
milestone. And I set the Finch feature name. Is there any other
information and/or fields that I should add to the Chrome status entry?
On Fri, Dec 12, 2025 at 10:32 AM Philip Jägenstedt
<[email protected]> wrote:
LGTM1, if it's not supported in Firefox or Safari and we
cannot detect any usage via UMA, this is very likely safe from
a web compat perspective. As long as it's Finch-controllable
we can revert it if serious breakage does surface to give time
for migration.
On Thu, Dec 11, 2025 at 7:54 PM Łukasz Anforowicz
<[email protected]> wrote:
Hello,
BMP image decoder that ships in Chromium/Blink is capable
of decoding JPEG and/or PNG images embedded inside BMP (in
addition to the typical RLE or other basic BMP
encodings). In
https://chromestatus.com/feature/5153489630134272
<https://chromestatus.com/feature/5153489630134272>we
propose to remove this BMP extension, tracking this work
with https://crbug.com/456842524
<https://crbug.com/456842524>.
Answering the questions from
https://www.chromium.org/blink/launching-features/#feature-deprecations
<https://www.chromium.org/blink/launching-features/#feature-deprecations>:
*
Why are we removing this feature?:
o
Security: Since 2019, we've been presented with
compelling evidence
<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>that
surprising and rarely-used support for nesting
formats is a path to security bugs. Such a
possibility is especially worrying for BMP, which
is otherwise considered a pretty simple format.
o
Code health: Removing code is expected to improve
code health. Additionally, removing this
corner-case will simplify migrating
<https://docs.google.com/document/d/1fc7KI1AhvCOLZhAStg_jIQLlCA3aCZP4vhgFlLn1ZTk/edit?usp=sharing>the
BMP decoder to a memory-safe language.
o
Interoperability:
+
Removing this BMP extension will improve
interoperability/consistency across browsers,
because today only Chrome supports this BMP
extension:
#
Manual testing of browser support is
possible by visiting
https://entropymine.com/jason/bmpsuite/bmpsuite/html/bmpsuite.html
<https://entropymine.com/jason/bmpsuite/bmpsuite/html/bmpsuite.html>and
looking at the result of rendering
`q/rgb24jpeg.bmp` and `q/rgb24png.bmp`
#
Chrome 141.0.7390.134: rendered okay
*
Support for JPEG/PNG-in-BMP was added
<https://chromium-review.googlesource.com/c/chromium/src/+/1777120>in
2019, in Chrome 78.0.3899.0
<https://chromiumdash.appspot.com/commit/8319e7a6dbe63b6ef04c3cfe75f0df1947b00fb0>
*
IIUC there was no Blink Intent for
this addition + the main motivation
was covering all files from the BMP
test suite (I note that these 2 test
inputs are in a “q” directory which
was expanded to “questionable” when
adding
<https://chromium-review.googlesource.com/c/chromium/src/+/5269009>the
test inputs to Chromium).
#
Firefox 143.0.4 and 144.0.2: not rendered
#
Safari 18.6: not rendered
+
There is no official spec:
#
https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types
<https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types#bmp_bitmap_file>says:
*
“No specification; however, Microsoft
provides general documentation of the
format at
docs.microsoft.com/en-us/windows/desktop/gdi/bitmap-storage
<http://docs.microsoft.com/en-us/windows/desktop/gdi/bitmap-storage>”
*
“Warning: You should typically avoid
using BMP files for website content.
The most common form of BMP file
represents the data as an uncompressed
raster image, resulting in large file
sizes compared to png or jpg image
types. More efficient BMP formats
exist but are not widely used, and
rarely supported in web browsers.”
*
“Theoretically, several compression
algorithms are supported, and the
image data can also be stored in JPEG
or PNG format within the BMP file.”
#
https://learn.microsoft.com/en-us/windows/win32/gdi/jpeg-and-png-extensions-for-specific-bitmap-functions-and-structures
<https://learn.microsoft.com/en-us/windows/win32/gdi/jpeg-and-png-extensions-for-specific-bitmap-functions-and-structures>says:
*
“This [JPEG-and-PNG-in-BMP] extension
is not intended as a means to supply
general JPEG and PNG decompression to
applications, but rather to allow
applications to send JPEG- and
PNG-compressed images directly to
printers having hardware support for
JPEG and PNG images.”
*
What is the cost of removing this feature?
o
No usage has been registered via a recently added
UMA data: https://crbug.com/452667935
<https://crbug.com/452667935>
+
UMA data gathered in
https://crbug.com/452667935
<https://crbug.com/452667935>for M143 shows no
usage in Canary/Dev, Beta, not Stable release
channels (not just minimal usage, but no usage
whatsoever)
+
UMA data can have blind spots (users that do
not enable UMA), but this seems like an
acceptable risk
*
When will the feature be removed?
o
We propose to remove support for this BMP
extension in Chrome 145 (which is tentatively
scheduled to branch on January 12, 2026, and
release to the Stable channel on Feb 10, 2026).
*
What is the suggested alternative?
o
Please use PNG and/or JPEG images **directly**
rather than embedding them inside a BMP format.
Other notes:
*
We don’t plan to explicitly coordinate with other web
rendering engines, because other browsers do not
support this feature.
*
We don’t plan for a deprecation period, because there
is no known usage (based on UMA
<https://crbug.com/452667935>) and explicit warnings
(on Mozilla Developer Network
<https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types#bmp_bitmap_file>)
advise against using BMP in general, and this BMP
extension specifically (calling it only “theoretically
supported”)
Best regards,
Lukasz Anforowicz (on behalf of the Chrome Memory Safety
and the Skia teams)
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7BWekqoM-92v_%2B5Cu1HroB7zhM1uGDh6kH9gOiyfyi7RO%2B8A%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7BWekqoM-92v_%2B5Cu1HroB7zhM1uGDh6kH9gOiyfyi7RO%2B8A%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUEKovTrNh%3DWRXP7vbP59ivYS3HcauJevD68PmW02bTtVQ%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUEKovTrNh%3DWRXP7vbP59ivYS3HcauJevD68PmW02bTtVQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c1db9fc4-b19b-465e-97d7-32055b87b96f%40gmail.com.
