Intent to Implement and Ship: SVGImageElement.crossOrigin attribute.

[Dale Curtis]

Contact emails

dalec...@chromium.org

Explainer

None

Specification

https://www.w3.org/TR/SVG

Summary

Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute

Blink component

Blink>SVG

Search tags

svg, crossorigin, image

TAG review

None

TAG review status

Not applicable

Risks

Interoperability and Compatibility

None

Gecko: Shipped/Shipping (https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/241)

Web developers: Positive

Other signals:

Security

The default value of the crossOrigin attribute is "anonymous", both Safari and Chrome currently treat the missing attribute as "no cors". Due to the default value change, content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the server was already supplying the correct Access-Control-Allow-Origin header.

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

Flag name on chrome://flags

None

Finch feature name

SvgCrossOriginAttribute

Non-finch justification

Minor attribute addition.

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=842321

Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=842321

Estimated milestones

Shipping on desktop

118

Shipping on Android

118

Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5109030850134016

[Yoav Weiss]

Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful! 

On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:

Contact emails

dalec...@chromium.org

Explainer

None

Specification

https://www.w3.org/TR/SVG

Summary

Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute

Blink component

Blink>SVG

Search tags

svg, crossorigin, image

TAG review

None

TAG review status

Not applicable

Risks

Interoperability and Compatibility

None

I believe content that already has a crossorigin attribute, but where the servers didn't send ACAO would now be blocked.

Can we add a usecounter for that case, and monitor it as part of the rollout?

Gecko: Shipped/Shipping (https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility)

According to MDN, that's a fairly recent change. Do you know if it ran into any compat issues? 

 

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/241)

Web developers: Positive

Other signals:

Security

The default value of the crossOrigin attribute is "anonymous", both Safari and Chrome currently treat the missing attribute as "no cors". Due to the default value change, content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the server was already supplying the correct Access-Control-Allow-Origin header.

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

Link to wpt.fyi that shows Firefox passing the tests currently?

 

Flag name on chrome://flags

None

Finch feature name

SvgCrossOriginAttribute

Non-finch justification

Minor attribute addition.

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=842321

Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=842321

Estimated milestones

Shipping on desktop

118

Shipping on Android

118

Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5109030850134016

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com.

[Fredrik Söderquist]

On Mon, Aug 21, 2023 at 4:36 AM Yoav Weiss <yoav...@chromium.org> wrote:

Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful! 

On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:

Contact emails

dalec...@chromium.org

Explainer

None

Specification

https://www.w3.org/TR/SVG

Summary

Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute

This should probably rather point to https://www.w3.org/TR/SVG/embedded.html#__svg__SVGImageElement__crossOrigin since - for <image> this only affects/adds the IDL attribute while the content attribute has been supported for a long time (archeology needed). For <feImage> it would be both though.

 

Blink component

Blink>SVG

Search tags

svg, crossorigin, image

TAG review

None

TAG review status

Not applicable

Risks

Interoperability and Compatibility

None

I believe content that already has a crossorigin attribute, but where the servers didn't send ACAO would now be blocked.

Should only affect <feImage>, not <image>.

[Dale Curtis]

I don't. Nothing is called out on the implementation issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1240357

+long...@gmail.com who authored the Firefox change in case they want to weigh in.

 

 

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/241)

Web developers: Positive

Other signals:

Security

The default value of the crossOrigin attribute is "anonymous", both Safari and Chrome currently treat the missing attribute as "no cors". Due to the default value change, content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the server was already supplying the correct Access-Control-Allow-Origin header.

fs pointed out that this is confusingly worded. I've rephrased it as:

"Content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the client side element has a crossOrigin attribute and the server was already supplying the correct Access-Control-Allow-Origin header."

 

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

Link to wpt.fyi that shows Firefox passing the tests currently?

Hmm, I linked to them on the chromestatus entry, I guess it doesn't include them here:

https://wpt.fyi/results/svg/embedded/image-crossorigin.sub.html?label=master&label=experimental&aligned https://wpt.fyi/results/webcodecs/videoFrame-construction.crossOriginSource.sub.html?label=master&label=experimental&aligned

[Dale Curtis]

On Mon, Aug 21, 2023 at 1:24 AM Fredrik Söderquist <f...@opera.com> wrote:

On Mon, Aug 21, 2023 at 4:36 AM Yoav Weiss <yoav...@chromium.org> wrote:

Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful! 

On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:

Contact emails

dalec...@chromium.org

Explainer

None

Specification

https://www.w3.org/TR/SVG

Summary

Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute

This should probably rather point to https://www.w3.org/TR/SVG/embedded.html#__svg__SVGImageElement__crossOrigin since - for <image> this only affects/adds the IDL attribute while the content attribute has been supported for a long time (archeology needed). For <feImage> it would be both though.

Done on the chromestatus side.

[Dale Curtis]

Robert indicated privately that Firefox hasn't seen any issues with roll out thus far.

 

 

 

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/241)

WebKit indicates they're likely to mark this as supported shortly: https://github.com/WebKit/standards-positions/issues/241#issuecomment-1693613454

[Yoav Weiss]

LGTM1 to ship, with a base flag to ensure we can rollback if needed.

[Daniel Bratell]

LGTM2

/Daniel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVuZxs7AGfPz23oVfPCnxQQ5Wk7F0tVAuc3WmQhe9zipw%40mail.gmail.com.

[Chris Harrelson]

LGTM3

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/8f5813e3-38c4-b036-15d4-2248f15be6e6%40gmail.com.

[Dale Curtis]

Thanks! Yes it has a base::Feature toggle; one is automatically included:

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/runtime_enabled_features.json5;l=120;drc=86659902320c9a6ff1083688c928109df3d84f25

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/runtime_enabled_features.json5;l=3594;drc=86659902320c9a6ff1083688c928109df3d84f25

- dale