Intent to Implement and Ship: SVGImageElement.crossOrigin attribute.

Dale Curtis

Aug 18, 2023, 5:28:12 PM
to blink-dev, f...@opera.com

Contact emails

dalec...@chromium.org

Explainer

None

Specification

https://www.w3.org/TR/SVG

Summary

Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute



Blink component

Blink>SVG

Search tags

svgcrossoriginimage

TAG review

None

TAG review status

Not applicable

Risks



Interoperability and Compatibility

None



Gecko: Shipped/Shipping (https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/241)

Web developers: Positive

Other signals:

Security

The default value of the crossOrigin attribute is "anonymous", both Safari and Chrome currently treat the missing attribute as "no cors". Due to the default value change, content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the server was already supplying the correct Access-Control-Allow-Origin header.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

Flag name on chrome://flags

None

Finch feature name

SvgCrossOriginAttribute

Non-finch justification

Minor attribute addition.



Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=842321

Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=842321

Estimated milestones

Shipping on desktop: 118
Shipping on Android: 118


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5109030850134016

Yoav Weiss

Aug 20, 2023, 10:36:12 PM
to Dale Curtis, blink-dev, f...@opera.com
Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful! 

On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:

> Risks
>
> Interoperability and Compatibility
>
> None


I believe content that already has a crossorigin attribute, but where the servers didn't send ACAO would now be blocked.
Can we add a usecounter for that case, and monitor it as part of the rollout?


According to MDN, that's a fairly recent change. Do you know if it ran into any compat issues? 
 

> Is this feature fully tested by web-platform-tests?
>
> Yes

Link to wpt.fyi that shows Firefox passing the tests currently?
 



Fredrik Söderquist

Aug 21, 2023, 4:24:09 AM
to Yoav Weiss, Dale Curtis, blink-dev
On Mon, Aug 21, 2023 at 4:36 AM Yoav Weiss <yoav...@chromium.org> wrote:
> Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful!
>
> On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:

>> Summary
>>
>> Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute


This should probably rather point to https://www.w3.org/TR/SVG/embedded.html#__svg__SVGImageElement__crossOrigin since - for <image> this only affects/adds the IDL attribute while the content attribute has been supported for a long time (archeology needed). For <feImage> it would be both though.
 



>> Risks
>>
>> Interoperability and Compatibility
>>
>> None
>
> I believe content that already has a crossorigin attribute, but where the servers didn't send ACAO would now be blocked.

Should only affect <feImage>, not <image>.
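
The compatibility and security cases discussed above, as an added example that is not part of the thread or of Blink: a simplified model of how the crossorigin states map to a fetch mode and what the CORS check then does with the server's headers. The origin, URLs and inventory are constructed, and the "before" column assumes, per the thread, that <feImage> previously ignored the attribute.

```javascript
// Added example: simplified model of the crossorigin attribute states and the
// CORS check for a cross-origin image fetch. Not Blink code.

// Map the content attribute (null = absent) to a fetch mode and credentials mode.
function corsState(attr) {
  if (attr === null) return { mode: "no-cors", credentials: "include" };
  if (attr.toLowerCase() === "use-credentials") {
    return { mode: "cors", credentials: "include" };
  }
  // "", "anonymous" and unrecognised values all mean anonymous.
  return { mode: "cors", credentials: "same-origin" };
}

// Outcome for a cross-origin image: "opaque" renders but taints readback,
// "readable" passes the CORS check, "blocked" fails it and does not load.
function loadOutcome(attr, pageOrigin, headers) {
  const { mode, credentials } = corsState(attr);
  if (mode === "no-cors") return "opaque";
  const acao = headers["access-control-allow-origin"];
  if (credentials === "include") {
    // Credentialed CORS: no wildcard, and Allow-Credentials must be "true".
    const acac = headers["access-control-allow-credentials"];
    return acao === pageOrigin && acac === "true" ? "readable" : "blocked";
  }
  return acao === "*" || acao === pageOrigin ? "readable" : "blocked";
}

// Compare "attribute ignored" (old <feImage> behaviour, an assumption taken
// from the thread) with "attribute honoured" for each inventoried element.
function rolloutImpact(elements, pageOrigin) {
  return elements.map((el) => ({
    href: el.href,
    before: loadOutcome(null, pageOrigin, el.headers),
    after: loadOutcome(el.crossorigin, pageOrigin, el.headers),
  }));
}

// Constructed inventory: <feImage> elements and the headers their servers send.
const PAGE = "https://app.example.test";
const SAMPLE = [
  { href: "https://cdn.example.test/a.png", crossorigin: "anonymous",
    headers: { "access-control-allow-origin": "*" } },
  { href: "https://cdn.example.test/b.png", crossorigin: "", headers: {} },
  { href: "https://cdn.example.test/c.png", crossorigin: "use-credentials",
    headers: { "access-control-allow-origin": "*" } },
  { href: "https://cdn.example.test/d.png", crossorigin: null, headers: {} },
];

console.table(rolloutImpact(SAMPLE, PAGE));
```

Rows whose outcome moves from "opaque" to "blocked" are the case a use counter would need to catch; rows that move to "readable" are the ones the Security note describes.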

Dale Curtis

Aug 21, 2023, 12:41:48 PM
to Yoav Weiss, blink-dev, f...@opera.com, long...@gmail.com
I don't. Nothing is called out on the implementation issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1240357

+long...@gmail.com who authored the Firefox change in case they want to weigh in.
 
 

>> Security
>>
>> The default value of the crossOrigin attribute is "anonymous", both Safari and Chrome currently treat the missing attribute as "no cors". Due to the default value change, content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the server was already supplying the correct Access-Control-Allow-Origin header.


fs pointed out that this is confusingly worded. I've rephrased it as:
"Content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the client side element has a crossOrigin attribute and the server was already supplying the correct Access-Control-Allow-Origin header."
 


>> Is this feature fully tested by web-platform-tests?
>>
>> Yes
>
> Link to wpt.fyi that shows Firefox passing the tests currently?

Dale Curtis

Aug 21, 2023, 12:42:16 PM
to Fredrik Söderquist, Yoav Weiss, blink-dev
On Mon, Aug 21, 2023 at 1:24 AM Fredrik Söderquist <f...@opera.com> wrote:
> On Mon, Aug 21, 2023 at 4:36 AM Yoav Weiss <yoav...@chromium.org> wrote:
>> Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful!
>>
>> On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:

>>> Summary
>>>
>>> Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute
>
> This should probably rather point to https://www.w3.org/TR/SVG/embedded.html#__svg__SVGImageElement__crossOrigin since - for <image> this only affects/adds the IDL attribute while the content attribute has been supported for a long time (archeology needed). For <feImage> it would be both though.

Done on the chromestatus side.

Dale Curtis

Aug 28, 2023, 12:16:36 PM
to Yoav Weiss, blink-dev, f...@opera.com, long...@gmail.com
Robert indicated privately that Firefox hasn't seen any issues with roll out thus far.
WebKit indicates they're likely to mark this as supported shortly: https://github.com/WebKit/standards-positions/issues/241#issuecomment-1693613454

Yoav Weiss

Aug 30, 2023, 10:25:20 AM
to Dale Curtis, blink-dev, f...@opera.com, long...@gmail.com
LGTM1 to ship, with a base flag to ensure we can roll back if needed.

Daniel Bratell

Aug 30, 2023, 11:23:56 AM
to Yoav Weiss, Dale Curtis, blink-dev, f...@opera.com, long...@gmail.com

Chris Harrelson

Aug 30, 2023, 11:24:48 AM
to Daniel Bratell, Yoav Weiss, Dale Curtis, blink-dev, f...@opera.com, long...@gmail.com

Dale Curtis

Aug 30, 2023, 1:03:46 PM
to Chris Harrelson, Daniel Bratell, Yoav Weiss, blink-dev, f...@opera.com, long...@gmail.com