Note: This is being pushed back to M150, but retains the same goals/platforms as before.
~ Ari Chivukula (Their/There/They're) On Tue, May 5, 2026 at 8:01 AM Daniel Bratell <[email protected]> wrote: > LGTM3 > > /Daniel > On 2026-05-04 21:06, Chris Harrelson wrote: > > LGTM2 > > On Mon, May 4, 2026 at 11:56 AM 'Dan Clark' via blink-dev < > [email protected]> wrote: > >> It looks like Safari is failing a couple of the new tests: >> https://wpt.fyi/results/svg/styling?label=master&label=experimental&aligned&q=svg-filter-render >> But they seem to fail because the image isn't rendered rather than >> because the blur is being applied. So maybe this is a test issue, rather >> than an indication that Safari hasn't shipped the behavior? >> >> >> On Monday, May 4, 2026 at 11:39:27 AM UTC-7 [email protected] wrote: >> >>> LGTM1 under the condition we have good tests for this case and updated >>> spec text (even if it's a PR). >>> >>> On Wednesday, April 29, 2026 at 8:34:58 AM UTC-7 Ari Chivukula wrote: >>> >>>> These just got picked upstream so results might take a bit: >>>> https://github.com/web-platform-tests/wpt/pull/59522 >>>> >>>> I consider this a security fix with some room for alternate solutions >>>> (e.g., restricting the set of SVG filters allowed instead of blocking all >>>> of them), but a real need to patch in the meantime. >>>> >>>> ~ Ari Chivukula (Their/There/They're) >>>> >>>> >>>> On Wed, Apr 29, 2026 at 11:21 AM Philip Jägenstedt <[email protected]> >>>> wrote: >>>> >>> Hi Ari, >>>>> >>>>> Can you link the tests on wpt.fyi? Using part of the pattern you >>>>> provided, >>>>> https://wpt.fyi/results/?label=master&label=experimental&aligned&q=svg-filter-render >>>>> does not list any tests. I'm looking to see if the tests already pass in >>>>> Safari as you'd expect if they're already shipping this behavior. >>>>> >>>>> https://github.com/w3c/csswg-drafts/pull/13846 was opened only >>>>> yesterday, has there been any discussion in the CSSWG? Or would you >>>>> consider this a bugfix without much room for different solutions? >>>>> >>>>> Best regards, >>>>> Philip >>>>> >>>>> On Tue, Apr 28, 2026 at 4:06 PM Chromestatus < >>>>> [email protected]> wrote: >>>>> >>>> *Contact emails* >>>>>> [email protected] >>>>>> >>>>>> *Explainer* >>>>>> *No information provided* >>>>>> >>>>>> *Specification* >>>>>> https://github.com/w3c/csswg-drafts/pull/13846 >>>>>> >>>>>> *Summary* >>>>>> This launch prevents SVG filters from being applied to >>>>>> cross-origin/restricted iframes (e.g., sandboxed ones) and embedded >>>>>> plugins >>>>>> (e.g., pdfs). When a frame/plugin would be painted with an SVG filter >>>>>> effect, the effect tree is traversed to find the highest ancestor without >>>>>> SVG filters, and that effect is then applied instead. >>>>>> >>>>>> *Blink component* >>>>>> Blink>SVG >>>>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESVG%22> >>>>>> >>>>>> *Web Feature ID* >>>>>> svg-filters <https://webstatus.dev/features/svg-filters> >>>>>> >>>>>> *Motivation* >>>>>> SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) >>>>>> is a new spin on clickjacking which uses dynamic SVG filters to disguise >>>>>> content and manipulate users into taking actions they might not >>>>>> otherwise. >>>>>> Additionally, we would like to further restrict timing attacks ( >>>>>> https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) >>>>>> involving SVG filters. >>>>>> >>>>>> *Initial public proposal* >>>>>> *No information provided* >>>>>> >>>>>> *TAG review* >>>>>> Not applicable, this isn’t adding a new feature but disabling one we >>>>>> perhaps should not have supported. >>>>>> >>>>>> *TAG review status* >>>>>> Not applicable >>>>>> >>>>>> *Goals for experimentation* >>>>>> None >>>>>> >>>>>> *Risks* >>>>>> >>>>>> >>>>>> *Interoperability and Compatibility* >>>>>> *No information provided* >>>>>> >>>>>> *Gecko*: Under consideration ( >>>>>> https://github.com/mozilla/standards-positions/issues/1395) Currently >>>>>> allows SVG filters on all iframes/plugins. >>>>>> >>>>>> *WebKit*: Shipped/Shipping ( >>>>>> https://github.com/WebKit/standards-positions/issues/654) Currently >>>>>> disables SVG filters on plugins and cross-origin iframes, but allows them >>>>>> on same-origin iframes. >>>>>> >>>>>> *Web developers*: No signals >>>>>> >>>>>> *Other signals*: >>>>>> >>>>>> *WebView application risks* >>>>>> >>>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>>> that it has potentially high risk for Android WebView-based applications? >>>>>> *No information provided* >>>>>> >>>>>> >>>>>> *Debuggability* >>>>>> *No information provided* >>>>>> >>>>>> *Will this feature be supported on all six Blink platforms (Windows, >>>>>> Mac, Linux, ChromeOS, Android, and Android WebView)?* >>>>>> Yes >>>>>> This impacts all platforms using blink. >>>>>> >>>>>> *Is this feature fully tested by web-platform-tests >>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >>>>>> Yes >>>>>> svg/styling/svg-filter-render-*.tentative.https.html provides >>>>>> cross-browser reference tests. >>>>>> >>>>>> *Flag name on about://flags* >>>>>> *No information provided* >>>>>> >>>>>> *Finch feature name* >>>>>> kPreventSvgFilterPaint >>>>>> >>>>>> *Rollout plan* >>>>>> Will ship enabled for all users >>>>>> >>>>>> *Requires code in //chrome?* >>>>>> False >>>>>> >>>>>> *Tracking bug* >>>>>> https://crbug.com/476646486 >>>>>> >>>>>> *Launch bug* >>>>>> https://launch.corp.google.com/launch/4470371 >>>>>> >>>>>> *Measurement* >>>>>> Existing counters track usage: >>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/5828 >>>>>> https://chromestatus.com/metrics/feature/timeline/popularity/5829 >>>>>> >>>>>> *Estimated milestones* >>>>>> Shipping on desktop 149 >>>>>> Shipping on Android 149 >>>>>> Shipping on WebView 149 >>>>>> >>>>>> *Anticipated spec changes* >>>>>> >>>>>> Open questions about a feature may be a source of future web compat >>>>>> or interop issues. Please list open issues (e.g. links to known github >>>>>> issues in the project for the feature specification) whose resolution may >>>>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>>>> of >>>>>> the API in a non-backward-compatible way). >>>>>> *No information provided* >>>>>> >>>>>> *Link to entry on the Chrome Platform Status* >>>>>> >>>>>> https://chromestatus.com/feature/5117170452398080?gate=4730771102367744 >>>>>> >>>>>> This intent message was generated by Chrome Platform Status >>>>>> <https://chromestatus.com>. >>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "blink-dev" group. >>>>>> >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>>> an email to [email protected]. >>>>> >>>>> >>>>>> To view this discussion visit >>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com >>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4bbbf6eb-8bc7-4a09-a2b7-0f554b43347cn%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4bbbf6eb-8bc7-4a09-a2b7-0f554b43347cn%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw941EWV5gUz%3Dwe%3DA2xVoJRZU4NrdoFRRm9-Y4ih%3DH79cQ%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw941EWV5gUz%3Dwe%3DA2xVoJRZU4NrdoFRRm9-Y4ih%3DH79cQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGpy5DKdzFw_N7EzpebO%3DUGqJfJRr6nhP6%3DMPbLEw11apNyqQg%40mail.gmail.com.
