It looks like Safari is failing a couple of the new tests: https://wpt.fyi/results/svg/styling?label=master&label=experimental&aligned&q=svg-filter-render But they seem to fail because the image isn't rendered rather than because the blur is being applied. So maybe this is a test issue, rather than an indication that Safari hasn't shipped the behavior?
On Monday, May 4, 2026 at 11:39:27 AM UTC-7 [email protected] wrote:
> LGTM1 under the condition we have good tests for this case and updated spec text (even if it's a PR).
>
> On Wednesday, April 29, 2026 at 8:34:58 AM UTC-7 Ari Chivukula wrote:
>
>> These just got picked upstream so results might take a bit:
>> https://github.com/web-platform-tests/wpt/pull/59522
>>
>> I consider this a security fix with some room for alternate solutions (e.g., restricting the set of SVG filters allowed instead of blocking all of them), but a real need to patch in the meantime.
>>
>> ~ Ari Chivukula (Their/There/They're)
>>
>> On Wed, Apr 29, 2026 at 11:21 AM Philip Jägenstedt <[email protected]> wrote:
>>
>>> Hi Ari,
>>>
>>> Can you link the tests on wpt.fyi? Using part of the pattern you provided, https://wpt.fyi/results/?label=master&label=experimental&aligned&q=svg-filter-render does not list any tests. I'm looking to see if the tests already pass in Safari as you'd expect if they're already shipping this behavior.
>>>
>>> https://github.com/w3c/csswg-drafts/pull/13846 was opened only yesterday, has there been any discussion in the CSSWG? Or would you consider this a bugfix without much room for different solutions?
>>>
>>> Best regards,
>>> Philip
>>>
>>> On Tue, Apr 28, 2026 at 4:06 PM Chromestatus <[email protected]> wrote:
>>>
>>>> *Contact emails*
>>>> [email protected]
>>>>
>>>> *Explainer*
>>>> *No information provided*
>>>>
>>>> *Specification*
>>>> https://github.com/w3c/csswg-drafts/pull/13846
>>>>
>>>> *Summary*
>>>> This launch prevents SVG filters from being applied to cross-origin/restricted iframes (e.g., sandboxed ones) and embedded plugins (e.g., pdfs). When a frame/plugin would be painted with an SVG filter effect, the effect tree is traversed to find the highest ancestor without SVG filters, and that effect is then applied instead.
>>>>
>>>> *Blink component*
>>>> Blink>SVG <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESVG%22>
>>>>
>>>> *Web Feature ID*
>>>> svg-filters <https://webstatus.dev/features/svg-filters>
>>>>
>>>> *Motivation*
>>>> SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) is a new spin on clickjacking which uses dynamic SVG filters to disguise content and manipulate users into taking actions they might not otherwise. Additionally, we would like to further restrict timing attacks (https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) involving SVG filters.
>>>>
>>>> *Initial public proposal*
>>>> *No information provided*
>>>>
>>>> *TAG review*
>>>> Not applicable, this isn’t adding a new feature but disabling one we perhaps should not have supported.
>>>>
>>>> *TAG review status*
>>>> Not applicable
>>>>
>>>> *Goals for experimentation*
>>>> None
>>>>
>>>> *Risks*
>>>>
>>>> *Interoperability and Compatibility*
>>>> *No information provided*
>>>>
>>>> *Gecko*: Under consideration (https://github.com/mozilla/standards-positions/issues/1395) Currently allows SVG filters on all iframes/plugins.
>>>>
>>>> *WebKit*: Shipped/Shipping (https://github.com/WebKit/standards-positions/issues/654) Currently disables SVG filters on plugins and cross-origin iframes, but allows them on same-origin iframes.
>>>>
>>>> *Web developers*: No signals
>>>>
>>>> *Other signals*:
>>>>
>>>> *WebView application risks*
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>>> *No information provided*
>>>>
>>>> *Debuggability*
>>>> *No information provided*
>>>>
>>>> *Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?*
>>>> Yes
>>>> This impacts all platforms using blink.
>>>>
>>>> *Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
>>>> Yes
>>>> svg/styling/svg-filter-render-*.tentative.https.html provides cross-browser reference tests.
>>>>
>>>> *Flag name on about://flags*
>>>> *No information provided*
>>>>
>>>> *Finch feature name*
>>>> kPreventSvgFilterPaint
>>>>
>>>> *Rollout plan*
>>>> Will ship enabled for all users
>>>>
>>>> *Requires code in //chrome?*
>>>> False
>>>>
>>>> *Tracking bug*
>>>> https://crbug.com/476646486
>>>>
>>>> *Launch bug*
>>>> https://launch.corp.google.com/launch/4470371
>>>>
>>>> *Measurement*
>>>> Existing counters track usage:
>>>> https://chromestatus.com/metrics/feature/timeline/popularity/5828
>>>> https://chromestatus.com/metrics/feature/timeline/popularity/5829
>>>>
>>>> *Estimated milestones*
>>>> Shipping on desktop 149
>>>> Shipping on Android 149
>>>> Shipping on WebView 149
>>>>
>>>> *Anticipated spec changes*
>>>>
>>>> Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
>>>> *No information provided*
>>>>
>>>> *Link to entry on the Chrome Platform Status*
>>>> https://chromestatus.com/feature/5117170452398080?gate=4730771102367744
>>>>
>>>> This intent message was generated by Chrome Platform Status <https://chromestatus.com>.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com?utm_medium=email&utm_source=footer>.
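
The fallback described in the intent's Summary, as an added C++ example that is not Chromium's code and not part of any message in this thread. `EffectNode`, `ContentKind` and the function names are hypothetical, the chain is constructed sample data, and "highest ancestor without SVG filters" is read here as the effect just above the outermost SVG filter on the chain.

```cpp
#include <cstdio>

// Hypothetical, simplified stand-in for a paint effect node (not Blink's type).
struct EffectNode {
  const char* name;
  const EffectNode* parent;  // nullptr above the root effect
  bool has_svg_filter;       // this effect references an SVG filter
};

enum class ContentKind { kSameOriginFrame, kCrossOriginFrame, kSandboxedFrame, kPlugin };

// Assumption: every kind the Summary lists is restricted; same-origin frames are not.
bool IsRestricted(ContentKind kind) {
  return kind != ContentKind::kSameOriginFrame;
}

// Walk from the content's effect to the root. Each SVG filter met on the way
// moves the candidate to that filter's parent, so the result is the effect
// just above the outermost SVG filter: no SVG filter remains on its chain.
// Effects nested inside an SVG filter are dropped with it.
const EffectNode* EffectWithoutSvgFilters(const EffectNode* effect) {
  const EffectNode* candidate = effect;
  for (const EffectNode* n = effect; n != nullptr; n = n->parent) {
    if (n->has_svg_filter) candidate = n->parent;
  }
  return candidate;  // nullptr means "paint with no effect at all"
}

const EffectNode* EffectForContent(ContentKind kind, const EffectNode* effect) {
  return IsRestricted(kind) ? EffectWithoutSvgFilters(effect) : effect;
}

// Constructed sample chain: root > opacity > svg_blur > blend > svg_displace.
const EffectNode kRoot{"root", nullptr, false};
const EffectNode kOpacity{"opacity", &kRoot, false};
const EffectNode kSvgBlur{"svg_blur", &kOpacity, true};
const EffectNode kBlend{"blend", &kSvgBlur, false};
const EffectNode kSvgDisplace{"svg_displace", &kBlend, true};

int main() {
  const EffectNode* e = EffectForContent(ContentKind::kCrossOriginFrame, &kSvgDisplace);
  std::printf("cross-origin frame paints under: %s\n", e ? e->name : "(none)");
  e = EffectForContent(ContentKind::kSameOriginFrame, &kSvgDisplace);
  std::printf("same-origin frame paints under: %s\n", e->name);
  return 0;
}
```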
