LGTM1 under the condition we have good tests for this case and updated spec text (even if it's a PR).
On Wednesday, April 29, 2026 at 8:34:58 AM UTC-7 Ari Chivukula wrote: > These just got picked upstream so results might take a bit: > https://github.com/web-platform-tests/wpt/pull/59522 > > I consider this a security fix with some room for alternate solutions > (e.g., restricting the set of SVG filters allowed instead of blocking all > of them), but a real need to patch in the meantime. > > ~ Ari Chivukula (Their/There/They're) > > > On Wed, Apr 29, 2026 at 11:21 AM Philip Jägenstedt <[email protected]> > wrote: > >> Hi Ari, >> >> Can you link the tests on wpt.fyi? Using part of the pattern you >> provided, >> https://wpt.fyi/results/?label=master&label=experimental&aligned&q=svg-filter-render >> >> does not list any tests. I'm looking to see if the tests already pass in >> Safari as you'd expect if they're already shipping this behavior. >> >> https://github.com/w3c/csswg-drafts/pull/13846 was opened only >> yesterday, has there been any discussion in the CSSWG? Or would you >> consider this a bugfix without much room for different solutions? >> >> Best regards, >> Philip >> >> On Tue, Apr 28, 2026 at 4:06 PM Chromestatus < >> [email protected]> wrote: >> >>> *Contact emails* >>> [email protected] >>> >>> *Explainer* >>> *No information provided* >>> >>> *Specification* >>> https://github.com/w3c/csswg-drafts/pull/13846 >>> >>> *Summary* >>> This launch prevents SVG filters from being applied to >>> cross-origin/restricted iframes (e.g., sandboxed ones) and embedded plugins >>> (e.g., pdfs). When a frame/plugin would be painted with an SVG filter >>> effect, the effect tree is traversed to find the highest ancestor without >>> SVG filters, and that effect is then applied instead. >>> >>> *Blink component* >>> Blink>SVG >>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESVG%22> >>> >>> *Web Feature ID* >>> svg-filters <https://webstatus.dev/features/svg-filters> >>> >>> *Motivation* >>> SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) is >>> a new spin on clickjacking which uses dynamic SVG filters to disguise >>> content and manipulate users into taking actions they might not otherwise. >>> Additionally, we would like to further restrict timing attacks ( >>> https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) >>> >>> involving SVG filters. >>> >>> *Initial public proposal* >>> *No information provided* >>> >>> *TAG review* >>> Not applicable, this isn’t adding a new feature but disabling one we >>> perhaps should not have supported. >>> >>> *TAG review status* >>> Not applicable >>> >>> *Goals for experimentation* >>> None >>> >>> *Risks* >>> >>> >>> *Interoperability and Compatibility* >>> *No information provided* >>> >>> *Gecko*: Under consideration ( >>> https://github.com/mozilla/standards-positions/issues/1395) Currently >>> allows SVG filters on all iframes/plugins. >>> >>> *WebKit*: Shipped/Shipping ( >>> https://github.com/WebKit/standards-positions/issues/654) Currently >>> disables SVG filters on plugins and cross-origin iframes, but allows them >>> on same-origin iframes. >>> >>> *Web developers*: No signals >>> >>> *Other signals*: >>> >>> *WebView application risks* >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> *No information provided* >>> >>> >>> *Debuggability* >>> *No information provided* >>> >>> *Will this feature be supported on all six Blink platforms (Windows, >>> Mac, Linux, ChromeOS, Android, and Android WebView)?* >>> Yes >>> This impacts all platforms using blink. >>> >>> *Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >>> Yes >>> svg/styling/svg-filter-render-*.tentative.https.html provides >>> cross-browser reference tests. >>> >>> *Flag name on about://flags* >>> *No information provided* >>> >>> *Finch feature name* >>> kPreventSvgFilterPaint >>> >>> *Rollout plan* >>> Will ship enabled for all users >>> >>> *Requires code in //chrome?* >>> False >>> >>> *Tracking bug* >>> https://crbug.com/476646486 >>> >>> *Launch bug* >>> https://launch.corp.google.com/launch/4470371 >>> >>> *Measurement* >>> Existing counters track usage: >>> https://chromestatus.com/metrics/feature/timeline/popularity/5828 >>> https://chromestatus.com/metrics/feature/timeline/popularity/5829 >>> >>> *Estimated milestones* >>> Shipping on desktop 149 >>> Shipping on Android 149 >>> Shipping on WebView 149 >>> >>> *Anticipated spec changes* >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> *No information provided* >>> >>> *Link to entry on the Chrome Platform Status* >>> https://chromestatus.com/feature/5117170452398080?gate=4730771102367744 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com>. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a6955e01-0bd6-4dfc-86ea-5c2ff025abaan%40chromium.org.
