Enterprise review is now requested. Though personally with UMA at literally 0 on stable I suspect they won't want the noise of adding it to release notes.
LGTM3 On Mon, Dec 15, 2025 at 9:41 AM Mike Taylor <[email protected]> wrote: > Can you also request the Enterprise bit? I think they would probably want > this to appear in release notes. Happy to give a third LGTM once that's > done. > On 12/12/25 3:23 p.m., Daniel Bratell wrote: > > LGTM2 - It seems to have ended up on our lists in chromestatus when I put > my LGTM there, but you should also trigger the other reviews (or make them > N/A if you think that is appropriate). Privacy, testing, enterprise, and so > on. > > I guess there is a non-zero risk that there is some important application > using this but the risk must be extremely close to zero. I don't even know > of a way to create such files, and quickly searching the web didn't tell me > anything either. > > /Daniel > On 2025-12-12 19:27, Łukasz Anforowicz wrote: > > On Fri, Dec 12, 2025 at 1:34 AM Philip Jägenstedt <[email protected]> > wrote: > >> Hmm, I went to approve it in chromestatus as well, but >> https://chromestatus.com/feature/5153489630134272 looks like it's not >> been updated. Can you update that entry and then resend the email so that >> entry and emails are properly linked? >> >> Sorry about that. I went ahead and entered 145 as the shipping > milestone. And I set the Finch feature name. Is there any other > information and/or fields that I should add to the Chrome status entry? > > >> On Fri, Dec 12, 2025 at 10:32 AM Philip Jägenstedt <[email protected]> >> wrote: >> >>> LGTM1, if it's not supported in Firefox or Safari and we cannot detect >>> any usage via UMA, this is very likely safe from a web compat perspective. >>> As long as it's Finch-controllable we can revert it if serious breakage >>> does surface to give time for migration. >>> >>> On Thu, Dec 11, 2025 at 7:54 PM Łukasz Anforowicz <[email protected]> >>> wrote: >>> >>>> Hello, >>>> >>>> BMP image decoder that ships in Chromium/Blink is capable of decoding >>>> JPEG and/or PNG images embedded inside BMP (in addition to the typical RLE >>>> or other basic BMP encodings). In >>>> https://chromestatus.com/feature/5153489630134272 we propose to remove >>>> this BMP extension, tracking this work with https://crbug.com/456842524 >>>> . >>>> >>>> Answering the questions from >>>> https://www.chromium.org/blink/launching-features/#feature-deprecations >>>> : >>>> >>>> - >>>> >>>> Why are we removing this feature?: >>>> - >>>> >>>> Security: Since 2019, we've been presented with compelling >>>> evidence >>>> >>>> <https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html> >>>> that surprising and rarely-used support for nesting formats is a >>>> path to >>>> security bugs. Such a possibility is especially worrying for BMP, >>>> which is >>>> otherwise considered a pretty simple format. >>>> - >>>> >>>> Code health: Removing code is expected to improve code health. >>>> Additionally, removing this corner-case will simplify migrating >>>> >>>> <https://docs.google.com/document/d/1fc7KI1AhvCOLZhAStg_jIQLlCA3aCZP4vhgFlLn1ZTk/edit?usp=sharing> >>>> the BMP decoder to a memory-safe language. >>>> - >>>> >>>> Interoperability: >>>> - >>>> >>>> Removing this BMP extension will improve >>>> interoperability/consistency across browsers, because today only >>>> Chrome >>>> supports this BMP extension: >>>> - >>>> >>>> Manual testing of browser support is possible by visiting >>>> >>>> https://entropymine.com/jason/bmpsuite/bmpsuite/html/bmpsuite.html >>>> and looking at the result of rendering `q/rgb24jpeg.bmp` and >>>> `q/rgb24png.bmp` >>>> - >>>> >>>> Chrome 141.0.7390.134: rendered okay >>>> - >>>> >>>> Support for JPEG/PNG-in-BMP was added >>>> >>>> <https://chromium-review.googlesource.com/c/chromium/src/+/1777120> >>>> in 2019, in Chrome 78.0.3899.0 >>>> >>>> <https://chromiumdash.appspot.com/commit/8319e7a6dbe63b6ef04c3cfe75f0df1947b00fb0> >>>> - >>>> >>>> IIUC there was no Blink Intent for this addition + the >>>> main motivation was covering all files from the BMP test >>>> suite (I note that >>>> these 2 test inputs are in a “q” directory which was >>>> expanded to >>>> “questionable” when adding >>>> >>>> <https://chromium-review.googlesource.com/c/chromium/src/+/5269009> >>>> the test inputs to Chromium). >>>> - >>>> >>>> Firefox 143.0.4 and 144.0.2: not rendered >>>> - >>>> >>>> Safari 18.6: not rendered >>>> - >>>> >>>> There is no official spec: >>>> - >>>> >>>> >>>> >>>> https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types >>>> >>>> <https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types#bmp_bitmap_file> >>>> says: >>>> - >>>> >>>> “No specification; however, Microsoft provides general >>>> documentation of the format at >>>> docs.microsoft.com/en-us/windows/desktop/gdi/bitmap-storage >>>> ” >>>> - >>>> >>>> “Warning: You should typically avoid using BMP files >>>> for website content. The most common form of BMP file >>>> represents the data >>>> as an uncompressed raster image, resulting in large file >>>> sizes compared to >>>> png or jpg image types. More efficient BMP formats exist >>>> but are not widely >>>> used, and rarely supported in web browsers.” >>>> - >>>> >>>> “Theoretically, several compression algorithms are >>>> supported, and the image data can also be stored in JPEG or >>>> PNG format >>>> within the BMP file.” >>>> - >>>> >>>> >>>> >>>> https://learn.microsoft.com/en-us/windows/win32/gdi/jpeg-and-png-extensions-for-specific-bitmap-functions-and-structures >>>> says: >>>> - >>>> >>>> “This [JPEG-and-PNG-in-BMP] extension is not intended >>>> as a means to supply general JPEG and PNG decompression to >>>> applications, >>>> but rather to allow applications to send JPEG- and >>>> PNG-compressed images >>>> directly to printers having hardware support for JPEG and >>>> PNG images.” >>>> - >>>> >>>> What is the cost of removing this feature? >>>> - >>>> >>>> No usage has been registered via a recently added UMA data: >>>> https://crbug.com/452667935 >>>> - >>>> >>>> UMA data gathered in https://crbug.com/452667935 for M143 >>>> shows no usage in Canary/Dev, Beta, not Stable release channels >>>> (not just >>>> minimal usage, but no usage whatsoever) >>>> - >>>> >>>> UMA data can have blind spots (users that do not enable UMA), >>>> but this seems like an acceptable risk >>>> - >>>> >>>> When will the feature be removed? >>>> - >>>> >>>> We propose to remove support for this BMP extension in Chrome >>>> 145 (which is tentatively scheduled to branch on January 12, 2026, >>>> and >>>> release to the Stable channel on Feb 10, 2026). >>>> - >>>> >>>> What is the suggested alternative? >>>> - >>>> >>>> Please use PNG and/or JPEG images **directly** rather than >>>> embedding them inside a BMP format. >>>> >>>> >>>> Other notes: >>>> >>>> - >>>> >>>> We don’t plan to explicitly coordinate with other web rendering >>>> engines, because other browsers do not support this feature. >>>> - >>>> >>>> We don’t plan for a deprecation period, because there is no known >>>> usage (based on UMA <https://crbug.com/452667935>) and explicit >>>> warnings (on Mozilla Developer Network >>>> >>>> <https://developer.mozilla.org/en-US/docs/Web/Media/Guides/Formats/Image_types#bmp_bitmap_file>) >>>> advise against using BMP in general, and this BMP extension specifically >>>> (calling it only “theoretically supported”) >>>> >>>> >>>> Best regards, >>>> >>>> Lukasz Anforowicz (on behalf of the Chrome Memory Safety and the Skia >>>> teams) >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7BWekqoM-92v_%2B5Cu1HroB7zhM1uGDh6kH9gOiyfyi7RO%2B8A%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK7BWekqoM-92v_%2B5Cu1HroB7zhM1uGDh6kH9gOiyfyi7RO%2B8A%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUEKovTrNh%3DWRXP7vbP59ivYS3HcauJevD68PmW02bTtVQ%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUEKovTrNh%3DWRXP7vbP59ivYS3HcauJevD68PmW02bTtVQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c1db9fc4-b19b-465e-97d7-32055b87b96f%40gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c1db9fc4-b19b-465e-97d7-32055b87b96f%40gmail.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/97d28733-f93a-40cb-a9c8-d5126c879853%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/97d28733-f93a-40cb-a9c8-d5126c879853%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY-LSzMWsAniSczsNSvMrRhSP0-8UCv96ha5Fxt-vBdNEg%40mail.gmail.com.
