LGTM1, if it's not supported in Firefox or Safari and we cannot detect any usage via UMA, this is very likely safe from a web compat perspective. As long as it's Finch-controllable we can revert it if serious breakage does surface to give time for migration.
On Thu, Dec 11, 2025 at 7:54 PM Łukasz Anforowicz <[email protected]> wrote: > Hello, > > BMP image decoder that ships in Chromium/Blink is capable of decoding JPEG > and/or PNG images embedded inside BMP (in addition to the typical RLE or > other basic BMP encodings). In > https://chromestatus.com/feature/5153489630134272 we propose to remove > this BMP extension, tracking this work with https://crbug.com/456842524. > > Answering the questions from > https://www.chromium.org/blink/launching-features/#feature-deprecations: > > - > > Why are we removing this feature?: > - > > Security: Since 2019, we've been presented with compelling evidence > > <https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html> > that surprising and rarely-used support for nesting formats is a path to > security bugs. Such a possibility is especially worrying for BMP, which > is > otherwise considered a pretty simple format. > - > > Code health: Removing code is expected to improve code health. > Additionally, removing this corner-case will simplify migrating > > <https://docs.google.com/document/d/1fc7KI1AhvCOLZhAStg_jIQLlCA3aCZP4vhgFlLn1ZTk/edit?usp=sharing> > the BMP decoder to a memory-safe language. > - > > Interoperability: > - > > Removing this BMP extension will improve > interoperability/consistency across browsers, because today only > Chrome > supports this BMP extension: > - > > Manual testing of browser support is possible by visiting > https://entropymine.com/jason/bmpsuite/bmpsuite/html/bmpsuite.html > and looking at the result of rendering `q/rgb24jpeg.bmp` and > `q/rgb24png.bmp` > - > > Chrome 141.0.7390.134: rendered okay > - > > Support for JPEG/PNG-in-BMP was added > > <https://chromium-review.googlesource.com/c/chromium/src/+/1777120> > in 2019, in Chrome 78.0.3899.0 > > <https://chromiumdash.appspot.com/commit/8319e7a6dbe63b6ef04c3cfe75f0df1947b00fb0> > - > > IIUC there was no Blink Intent for this addition + the > main motivation was covering all files from the BMP test suite > (I note that > these 2 test inputs are in a “q” directory which was expanded > to > “questionable” when adding > > <https://chromium-review.googlesource.com/c/chromium/src/+/5269009> > the test inputs to Chromium). > - > > Firefox 143.0.4 and 144.0.2: not rendered > - > > Safari 18.6: not rendered > - > > There is no official spec: > - > > > > https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types > > <https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types#bmp_bitmap_file> > says: > - > > “No specification; however, Microsoft provides general > documentation of the format at > docs.microsoft.com/en-us/windows/desktop/gdi/bitmap-storage > ” > - > > “Warning: You should typically avoid using BMP files for > website content. The most common form of BMP file represents > the data as an > uncompressed raster image, resulting in large file sizes > compared to png or > jpg image types. More efficient BMP formats exist but are not > widely used, > and rarely supported in web browsers.” > - > > “Theoretically, several compression algorithms are > supported, and the image data can also be stored in JPEG or > PNG format > within the BMP file.” > - > > > > https://learn.microsoft.com/en-us/windows/win32/gdi/jpeg-and-png-extensions-for-specific-bitmap-functions-and-structures > says: > - > > “This [JPEG-and-PNG-in-BMP] extension is not intended as a > means to supply general JPEG and PNG decompression to > applications, but > rather to allow applications to send JPEG- and PNG-compressed > images > directly to printers having hardware support for JPEG and PNG > images.” > - > > What is the cost of removing this feature? > - > > No usage has been registered via a recently added UMA data: > https://crbug.com/452667935 > - > > UMA data gathered in https://crbug.com/452667935 for M143 shows > no usage in Canary/Dev, Beta, not Stable release channels (not just > minimal > usage, but no usage whatsoever) > - > > UMA data can have blind spots (users that do not enable UMA), > but this seems like an acceptable risk > - > > When will the feature be removed? > - > > We propose to remove support for this BMP extension in Chrome 145 > (which is tentatively scheduled to branch on January 12, 2026, and > release > to the Stable channel on Feb 10, 2026). > - > > What is the suggested alternative? > - > > Please use PNG and/or JPEG images **directly** rather than > embedding them inside a BMP format. > > > Other notes: > > - > > We don’t plan to explicitly coordinate with other web rendering > engines, because other browsers do not support this feature. > - > > We don’t plan for a deprecation period, because there is no known > usage (based on UMA <https://crbug.com/452667935>) and explicit > warnings (on Mozilla Developer Network > > <https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types#bmp_bitmap_file>) > advise against using BMP in general, and this BMP extension specifically > (calling it only “theoretically supported”) > > > Best regards, > > Lukasz Anforowicz (on behalf of the Chrome Memory Safety and the Skia > teams) > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7BWekqoM-92v_%2B5Cu1HroB7zhM1uGDh6kH9gOiyfyi7RO%2B8A%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7BWekqoM-92v_%2B5Cu1HroB7zhM1uGDh6kH9gOiyfyi7RO%2B8A%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAARdPYedCwsjgQtRiqtUWKaYF%3DDXOLuCJgGFofUKWEBu%3D8Wp5A%40mail.gmail.com.
