Contact emails [email protected]
Explainer No information provided Specification https://github.com/w3c/csswg-drafts/pull/13846 Summary This launch prevents SVG filters from being applied to cross-origin/restricted iframes (eg, sandboxed ones) and embedded plugins (eg, pdfs). When a frame/plugin would be painted with an SVG filter effect, the effect tree is traversed to find the highest ancestor without SVG filters, and that effect is then applied instead. Blink component Blink>SVG Web Feature ID svg-filters Motivation SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) is a new spin on clickjacking which uses dynamic SVG filters to disguise content and manipulate users into taking actions they might not otherwise. Additionally, we would like to further restrict timing attacks (https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) involving SVG filters. Initial public proposal No information provided TAG review Not applicable, this isn't adding a new feature but disabling one we perhaps should not have supported. TAG review status Not applicable Goals for experimentation None Risks Interoperability and Compatibility No information provided Gecko: Under consideration (https://github.com/mozilla/standards-positions/issues/1395) Currently allows SVG filters on all iframes/plugins. WebKit: Shipped/Shipping (https://github.com/WebKit/standards-positions/issues/654) Currently disables SVG filters on plugins and cross-origin iframes, but allows them on same-origin iframes. Web developers: No signals Other signals: WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? No information provided Debuggability No information provided Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? Yes This impacts all platforms using blink. Is this feature fully tested by web-platform-tests? Yes svg/styling/svg-filter-render-*.tentative.https.html provides cross-browser reference tests. Flag name on about://flags No information provided Finch feature name kPreventSvgFilterPaint Rollout plan Will ship enabled for all users Requires code in //chrome? False Tracking bug https://crbug.com/476646486 Launch bug https://launch.corp.google.com/launch/4470371 Measurement Existing counters track usage: https://chromestatus.com/metrics/feature/timeline/popularity/5828 https://chromestatus.com/metrics/feature/timeline/popularity/5829 Estimated milestones Shipping on desktop 149 Shipping on Android 149 Shipping on WebView 149 Anticipated spec changes Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (eg links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (eg, changing to naming or structure of the API in a non-backward-compatible way). No information provided Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5117170452398080?gate=4730771102367744 This intent message was generated by Chrome Platform Status. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com.
