Contact emails
dalec...@chromium.org
Explainer
None
Specification
https://www.w3.org/TR/SVG
Summary
Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute
Blink component
Blink>SVG
Search tags
svg, crossorigin, image
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
None
Gecko: Shipped/Shipping (https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/241)
Web developers: Positive
Other signals:
Security
The default value of the crossOrigin attribute is "anonymous"; both Safari and Chrome currently treat the missing attribute as "no cors". Due to the default value change, content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the server was already supplying the correct Access-Control-Allow-Origin header.
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Debuggability
None
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests?
Yes
Flag name on chrome://flags
None
Finch feature name
SvgCrossOriginAttribute
Non-finch justification
Minor attribute addition.
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=842321
Launch bug
https://bugs.chromium.org/p/chromium/issues/detail?id=842321
Estimated milestones
Shipping on desktop 118
Shipping on Android 118
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5109030850134016
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com.
Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful!
On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:
> Interoperability and Compatibility
> None
I believe content that already has a crossorigin attribute, but where the servers didn't send ACAO would now be blocked.
> Is this feature fully tested by web-platform-tests?
> Yes
Link to wpt.fyi that shows Firefox passing the tests currently?
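The cases raised in the Security note and in the reply about a missing ACAO header, as an added example that is not part of the thread or of Chromium's code: a JavaScript model of how the request mode and the server's CORS headers decide whether a cross-origin image ends up readable, tainted, or blocked. The function names, the origins, and the `missingDefault` parameter (what an engine does when the attribute is absent) are assumptions for illustration.

```javascript
// Added example: hypothetical helper names, constructed origins and headers.
// Header names are expected in lower case.

// Map the crossorigin content attribute to a request mode. Unknown values
// fall back to "anonymous", as for HTML's CORS settings attributes.
function requestMode(attr, missingDefault = 'no-cors') {
  if (attr === null || attr === undefined) return missingDefault;
  return attr.toLowerCase() === 'use-credentials' ? 'use-credentials' : 'anonymous';
}

// The CORS check a browser applies to the response of a cors-mode request.
function corsCheckPasses(mode, pageOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (mode === 'use-credentials') {
    // Credentialed requests need an exact origin match; "*" is not accepted.
    return acao === pageOrigin &&
           headers['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// readable: pixels can be read back (e.g. from a canvas)
// tainted:  the image renders, but reading pixels back is refused
// blocked:  the load fails and nothing renders
function imageLoadOutcome({ attr, pageOrigin, imageUrl, headers = {}, missingDefault }) {
  const mode = requestMode(attr, missingDefault);
  if (new URL(imageUrl).origin === pageOrigin) return { mode, result: 'readable' };
  if (mode === 'no-cors') return { mode, result: 'tainted' };
  const ok = corsCheckPasses(mode, pageOrigin, headers);
  return { mode, result: ok ? 'readable' : 'blocked' };
}

// Constructed sample: one cross-origin image, different markup and headers.
const base = { pageOrigin: 'https://app.example', imageUrl: 'https://cdn.example/logo.png' };
const star = { 'access-control-allow-origin': '*' };
const samples = [
  { attr: null, headers: star },                              // missing => no-cors
  { attr: null, headers: star, missingDefault: 'anonymous' }, // missing => anonymous
  { attr: 'anonymous', headers: {} },                         // attribute set, no ACAO
  { attr: 'use-credentials', headers: star },                 // "*" with credentials
];
for (const s of samples) {
  console.log(JSON.stringify(s.attr), imageLoadOutcome({ ...base, ...s }));
}
```
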
On Mon, Aug 21, 2023 at 4:36 AM Yoav Weiss <yoav...@chromium.org> wrote:
> Thanks for working on this!! Eliminating resources which can't be loaded as CORS enabled resources is super useful!
> On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalec...@chromium.org> wrote:
>> Summary
>> Implements the crossOrigin attribute for SVG images: The crossOrigin attribute, valid on the <image> and <feImage> elements, provides support for configuration of the Cross-Origin Resource Sharing (CORS) requests for the element's fetched data. The supported values are the same as elsewhere: "anonymous", "use-credentials", and "" (which means anonymous). https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute
This should probably rather point to https://www.w3.org/TR/SVG/embedded.html#__svg__SVGImageElement__crossOrigin since - for <image> this only affects/adds the IDL attribute while the content attribute has been supported for a long time (archeology needed). For <feImage> it would be both though.
LGTM2
/Daniel