LGTM2 On Mon, May 4, 2026 at 11:56 AM 'Dan Clark' via blink-dev < [email protected]> wrote:
> It looks like Safari is failing a couple of the new tests: > https://wpt.fyi/results/svg/styling?label=master&label=experimental&aligned&q=svg-filter-render > But they seem to fail because the image isn't rendered rather than because > the blur is being applied. So maybe this is a test issue, rather than an > indication that Safari hasn't shipped the behavior? > > > On Monday, May 4, 2026 at 11:39:27 AM UTC-7 [email protected] wrote: > >> LGTM1 under the condition we have good tests for this case and updated >> spec text (even if it's a PR). >> >> On Wednesday, April 29, 2026 at 8:34:58 AM UTC-7 Ari Chivukula wrote: >> >>> These just got picked upstream so results might take a bit: >>> https://github.com/web-platform-tests/wpt/pull/59522 >>> >>> I consider this a security fix with some room for alternate solutions >>> (e.g., restricting the set of SVG filters allowed instead of blocking all >>> of them), but a real need to patch in the meantime. >>> >>> ~ Ari Chivukula (Their/There/They're) >>> >>> >>> On Wed, Apr 29, 2026 at 11:21 AM Philip Jägenstedt <[email protected]> >>> wrote: >>> >> Hi Ari, >>>> >>>> Can you link the tests on wpt.fyi? Using part of the pattern you >>>> provided, >>>> https://wpt.fyi/results/?label=master&label=experimental&aligned&q=svg-filter-render >>>> does not list any tests. I'm looking to see if the tests already pass in >>>> Safari as you'd expect if they're already shipping this behavior. >>>> >>>> https://github.com/w3c/csswg-drafts/pull/13846 was opened only >>>> yesterday, has there been any discussion in the CSSWG? Or would you >>>> consider this a bugfix without much room for different solutions? >>>> >>>> Best regards, >>>> Philip >>>> >>>> On Tue, Apr 28, 2026 at 4:06 PM Chromestatus < >>>> [email protected]> wrote: >>>> >>> *Contact emails* >>>>> [email protected] >>>>> >>>>> *Explainer* >>>>> *No information provided* >>>>> >>>>> *Specification* >>>>> https://github.com/w3c/csswg-drafts/pull/13846 >>>>> >>>>> *Summary* >>>>> This launch prevents SVG filters from being applied to >>>>> cross-origin/restricted iframes (e.g., sandboxed ones) and embedded >>>>> plugins >>>>> (e.g., pdfs). When a frame/plugin would be painted with an SVG filter >>>>> effect, the effect tree is traversed to find the highest ancestor without >>>>> SVG filters, and that effect is then applied instead. >>>>> >>>>> *Blink component* >>>>> Blink>SVG >>>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESVG%22> >>>>> >>>>> *Web Feature ID* >>>>> svg-filters <https://webstatus.dev/features/svg-filters> >>>>> >>>>> *Motivation* >>>>> SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) >>>>> is a new spin on clickjacking which uses dynamic SVG filters to disguise >>>>> content and manipulate users into taking actions they might not otherwise. >>>>> Additionally, we would like to further restrict timing attacks ( >>>>> https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) >>>>> involving SVG filters. >>>>> >>>>> *Initial public proposal* >>>>> *No information provided* >>>>> >>>>> *TAG review* >>>>> Not applicable, this isn’t adding a new feature but disabling one we >>>>> perhaps should not have supported. >>>>> >>>>> *TAG review status* >>>>> Not applicable >>>>> >>>>> *Goals for experimentation* >>>>> None >>>>> >>>>> *Risks* >>>>> >>>>> >>>>> *Interoperability and Compatibility* >>>>> *No information provided* >>>>> >>>>> *Gecko*: Under consideration ( >>>>> https://github.com/mozilla/standards-positions/issues/1395) Currently >>>>> allows SVG filters on all iframes/plugins. >>>>> >>>>> *WebKit*: Shipped/Shipping ( >>>>> https://github.com/WebKit/standards-positions/issues/654) Currently >>>>> disables SVG filters on plugins and cross-origin iframes, but allows them >>>>> on same-origin iframes. >>>>> >>>>> *Web developers*: No signals >>>>> >>>>> *Other signals*: >>>>> >>>>> *WebView application risks* >>>>> >>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>> that it has potentially high risk for Android WebView-based applications? >>>>> *No information provided* >>>>> >>>>> >>>>> *Debuggability* >>>>> *No information provided* >>>>> >>>>> *Will this feature be supported on all six Blink platforms (Windows, >>>>> Mac, Linux, ChromeOS, Android, and Android WebView)?* >>>>> Yes >>>>> This impacts all platforms using blink. >>>>> >>>>> *Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >>>>> Yes >>>>> svg/styling/svg-filter-render-*.tentative.https.html provides >>>>> cross-browser reference tests. >>>>> >>>>> *Flag name on about://flags* >>>>> *No information provided* >>>>> >>>>> *Finch feature name* >>>>> kPreventSvgFilterPaint >>>>> >>>>> *Rollout plan* >>>>> Will ship enabled for all users >>>>> >>>>> *Requires code in //chrome?* >>>>> False >>>>> >>>>> *Tracking bug* >>>>> https://crbug.com/476646486 >>>>> >>>>> *Launch bug* >>>>> https://launch.corp.google.com/launch/4470371 >>>>> >>>>> *Measurement* >>>>> Existing counters track usage: >>>>> https://chromestatus.com/metrics/feature/timeline/popularity/5828 >>>>> https://chromestatus.com/metrics/feature/timeline/popularity/5829 >>>>> >>>>> *Estimated milestones* >>>>> Shipping on desktop 149 >>>>> Shipping on Android 149 >>>>> Shipping on WebView 149 >>>>> >>>>> *Anticipated spec changes* >>>>> >>>>> Open questions about a feature may be a source of future web compat or >>>>> interop issues. Please list open issues (e.g. links to known github issues >>>>> in the project for the feature specification) whose resolution may >>>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>>> of >>>>> the API in a non-backward-compatible way). >>>>> *No information provided* >>>>> >>>>> *Link to entry on the Chrome Platform Status* >>>>> https://chromestatus.com/feature/5117170452398080?gate=4730771102367744 >>>>> >>>>> This intent message was generated by Chrome Platform Status >>>>> <https://chromestatus.com>. >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> >>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>> >>>> >>>>> To view this discussion visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69f0bef1.050a0220.3ab19.0360.GAE%40google.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4bbbf6eb-8bc7-4a09-a2b7-0f554b43347cn%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4bbbf6eb-8bc7-4a09-a2b7-0f554b43347cn%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw941EWV5gUz%3Dwe%3DA2xVoJRZU4NrdoFRRm9-Y4ih%3DH79cQ%40mail.gmail.com.
