LGTM3
/Daniel
On 2026-05-04 21:06, Chris Harrelson wrote:
LGTM2
On Mon, May 4, 2026 at 11:56 AM 'Dan Clark' via blink-dev
<[email protected]> wrote:
It looks like Safari is failing a couple of the new tests:
https://wpt.fyi/results/svg/styling?label=master&label=experimental&aligned&q=svg-filter-render
But they seem to fail because the image isn't rendered rather than
because the blur is being applied. So maybe this is a test issue,
rather than an indication that Safari hasn't shipped the behavior?
On Monday, May 4, 2026 at 11:39:27 AM UTC-7 [email protected]
wrote:
LGTM1 under the condition we have good tests for this case and
updated spec text (even if it's a PR).
On Wednesday, April 29, 2026 at 8:34:58 AM UTC-7 Ari Chivukula
wrote:
These just got picked upstream so results might take a
bit: https://github.com/web-platform-tests/wpt/pull/59522
I consider this a security fix with some room for
alternate solutions (e.g., restricting the set of SVG
filters allowed instead of blocking all of them), but a
real need to patch in the meantime.
~ Ari Chivukula (Their/There/They're)
On Wed, Apr 29, 2026 at 11:21 AM Philip Jägenstedt
<[email protected]> wrote:
Hi Ari,
Can you link the tests on wpt.fyi? Using part of the
pattern you provided,
https://wpt.fyi/results/?label=master&label=experimental&aligned&q=svg-filter-render
does not list any tests. I'm looking to see if the
tests already pass in Safari as you'd expect if
they're already shipping this behavior.
https://github.com/w3c/csswg-drafts/pull/13846 was
opened only yesterday, has there been any discussion
in the CSSWG? Or would you consider this a bugfix
without much room for different solutions?
Best regards,
Philip
On Tue, Apr 28, 2026 at 4:06 PM Chromestatus
<[email protected]> wrote:
*Contact emails*
[email protected]
*Explainer*
/No information provided/
*Specification*
https://github.com/w3c/csswg-drafts/pull/13846
*Summary*
This launch prevents SVG filters from being
applied to cross-origin/restricted iframes (e.g.,
sandboxed ones) and embedded plugins (e.g., pdfs).
When a frame/plugin would be painted with an SVG
filter effect, the effect tree is traversed to
find the highest ancestor without SVG filters, and
that effect is then applied instead.
*Blink component*
Blink>SVG
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESVG%22>
*Web Feature ID*
svg-filters
<https://webstatus.dev/features/svg-filters>
*Motivation*
SVG clickjacking
(https://lyra.horse/blog/2025/12/svg-clickjacking/)
is a new spin on clickjacking which uses dynamic
SVG filters to disguise content and manipulate
users into taking actions they might not
otherwise. Additionally, we would like to further
restrict timing attacks
(https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf)
involving SVG filters.
*Initial public proposal*
/No information provided/
*TAG review*
Not applicable, this isn’t adding a new feature
but disabling one we perhaps should not have
supported.
*TAG review status*
Not applicable
*Goals for experimentation*
None
*Risks*
*Interoperability and Compatibility*
/No information provided/
/Gecko/: Under
consideration
(https://github.com/mozilla/standards-positions/issues/1395) Currently
allows SVG filters on all iframes/plugins.
/WebKit/:
Shipped/Shipping
(https://github.com/WebKit/standards-positions/issues/654) Currently
disables SVG filters on plugins and cross-origin
iframes, but allows them on same-origin iframes.
/Web developers/: No signals
/Other signals/:
*WebView application risks*
Does this intent deprecate or change behavior of
existing APIs, such that it has potentially high
risk for Android WebView-based applications?
/No information provided/
*Debuggability*
/No information provided/
*Will this feature be supported on all six Blink
platforms (Windows, Mac, Linux, ChromeOS, Android,
and Android WebView)?*
Yes
This impacts all platforms using blink.
*Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
Yes
svg/styling/svg-filter-render-*.tentative.https.html
provides cross-browser reference tests.
*Flag name on about://flags*
/No information provided/
*Finch feature name*
kPreventSvgFilterPaint
*Rollout plan*
Will ship enabled for all users
*Requires code in //chrome?*
False
*Tracking bug*
https://crbug.com/476646486
*Launch bug*
https://launch.corp.google.com/launch/4470371
*Measurement*
Existing counters track usage:
https://chromestatus.com/metrics/feature/timeline/popularity/5828
https://chromestatus.com/metrics/feature/timeline/popularity/5829
*Estimated milestones*
Shipping on desktop 149
Shipping on Android 149
Shipping on WebView 149
*Anticipated spec changes*
Open questions about a feature may be a source of
future web compat or interop issues. Please list
open issues (e.g. links to known github issues in
the project for the feature specification) whose
resolution may introduce web compat/interop risk
(e.g., changing to naming or structure of the API
in a non-backward-compatible way).
/No information provided/
*Link to entry on the Chrome Platform Status*
https://chromestatus.com/feature/5117170452398080?gate=4730771102367744
This intent message was generated by Chrome
Platform Status <https://chromestatus.com>.
--
You received this message because you are
subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
[email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com?utm_medium=email&utm_source=footer>.
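
The effect-tree walk described in the Summary above, as an added example that is not part of the original thread and is not Chromium's code. It assumes that "highest ancestor without SVG filters" means the parent of the outermost SVG-filtered effect in the chain; EffectNode, has_svg_filter and both function names are hypothetical.

```cpp
#include <string>

// Simplified stand-in for a paint effect node; not Blink's real types.
// Assumption: the root effect never carries an SVG filter.
struct EffectNode {
  std::string name;
  const EffectNode* parent;  // nullptr for the root effect
  bool has_svg_filter;       // true when the effect comes from an SVG filter
};

// Returns the effect a restricted frame or plugin should be painted with.
// Walks from `effect` to the root and remembers the parent of the outermost
// SVG-filtered node; everything from that node up is free of SVG filters.
// If the chain has no SVG filter, the original effect is returned unchanged.
const EffectNode* EffectWithoutSvgFilters(const EffectNode* effect) {
  const EffectNode* result = effect;
  for (const EffectNode* n = effect; n != nullptr; n = n->parent) {
    if (n->has_svg_filter)
      result = n->parent;  // keep climbing: an outer filter may still exist
  }
  return result;
}

// Picks the effect for embedded content. Only restricted content
// (cross-origin or sandboxed frames, plugins) loses its SVG filters.
const EffectNode* EffectForEmbeddedContent(const EffectNode* effect,
                                           bool is_restricted) {
  return is_restricted ? EffectWithoutSvgFilters(effect) : effect;
}

// Constructed sample chain: root <- opacity <- svg_blur <- inner_opacity.
const EffectNode kRoot{"root", nullptr, false};
const EffectNode kOpacity{"opacity", &kRoot, false};
const EffectNode kSvgBlur{"svg_blur", &kOpacity, true};
const EffectNode kInner{"inner_opacity", &kSvgBlur, false};

int main() {
  // A restricted frame below svg_blur is painted with "opacity" instead.
  return EffectForEmbeddedContent(&kInner, true) == &kOpacity ? 0 : 1;
}
```

In this model everything below the outermost SVG filter is dropped along with it, including non-SVG effects such as inner_opacity; whether the shipped change behaves that way is not stated in the thread.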