Intent to Ship: Disable SVG filters on plugins and cross-origin/restricted iframes


Chromestatus

to blin...@chromium.org, ari...@chromium.org
Contact emails
ari...@chromium.org

Explainer
No information provided

Specification
https://github.com/w3c/csswg-drafts/pull/13846

Summary
This launch prevents SVG filters from being applied to cross-origin/restricted iframes (e.g., sandboxed ones) and to embedded plugins (e.g., PDFs). When a frame or plugin would be painted with an SVG filter effect, the effect tree is traversed to find the highest ancestor without SVG filters, and that ancestor's effect is applied instead.
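To make the fallback concrete, the following is a small JavaScript model of the effect-tree walk described above. It is an added illustration written for this page, not Chromium's paint code; the node shape, the `isRestrictedEmbed` rule, and the reading of "highest ancestor without SVG filters" as the nearest effect above the topmost SVG-filter node on the chain (or an identity effect if the root itself filters) are assumptions of the model, as is the sample tree.

```javascript
// Toy model (not Chromium code) of painting a restricted embed with the
// highest ancestor effect that carries no SVG filter.

// An effect node: name, parent (null at the root), whether it applies an SVG
// filter, and an opacity kept as an example of a non-filter effect.
function effectNode(name, parent, { svgFilter = false, opacity = 1 } = {}) {
  return { name, parent, svgFilter, opacity };
}

// Identity effect used when even the root carries an SVG filter (assumption).
const IDENTITY_EFFECT = effectNode("identity", null);

// Chain of effect nodes from `node` up to the root, inclusive.
function ancestorChain(node) {
  const chain = [];
  for (let n = node; n; n = n.parent) chain.push(n);
  return chain;
}

// True if any node on the chain from `node` to the root applies an SVG filter.
function hasSvgFilterOnChain(node) {
  return ancestorChain(node).some((n) => n.svgFilter);
}

// Restriction rule assumed by this model: plugins are always restricted;
// iframes are restricted when cross-origin or sandboxed.
function isRestrictedEmbed(embed) {
  if (embed.kind === "plugin") return true;
  return embed.kind === "iframe" && Boolean(embed.crossOrigin || embed.sandboxed);
}

// Effect node a given embed is painted with. Unrestricted embeds keep their
// own effect. Restricted embeds skip every SVG filter on the path to the root:
// the result is the parent of the topmost filtered ancestor, so no SVG filter
// remains anywhere on the returned node's own chain.
function resolvePaintEffect(embed, effect) {
  if (!isRestrictedEmbed(embed)) return effect;
  const chain = ancestorChain(effect);
  let topmostFiltered = -1;
  chain.forEach((n, i) => {
    if (n.svgFilter) topmostFiltered = i;
  });
  if (topmostFiltered === -1) return effect; // nothing to skip
  return chain[topmostFiltered + 1] ?? IDENTITY_EFFECT;
}

// Product of opacities on the chain, to show which non-filter effects survive.
function effectiveOpacity(effect) {
  return ancestorChain(effect).reduce((acc, n) => acc * n.opacity, 1);
}

// Constructed sample tree: root -> overlay(opacity .5) -> filtered(SVG filter)
// -> inner(opacity .8) -> embed.
function buildSampleTree() {
  const root = effectNode("root", null);
  const overlay = effectNode("overlay", root, { opacity: 0.5 });
  const filtered = effectNode("filtered", overlay, { svgFilter: true });
  const inner = effectNode("inner", filtered, { opacity: 0.8 });
  const embed = effectNode("embed", inner);
  return { root, overlay, filtered, inner, embed };
}

// Stand-alone demo: compare a same-origin iframe with a cross-origin one.
if (typeof require !== "undefined" && require.main === module) {
  const t = buildSampleTree();
  for (const embed of [
    { kind: "iframe", crossOrigin: false },
    { kind: "iframe", crossOrigin: true },
    { kind: "plugin" },
  ]) {
    const e = resolvePaintEffect(embed, t.embed);
    console.log(JSON.stringify(embed), "->", e.name, "opacity", effectiveOpacity(e));
  }
}
```

In the sample tree, a same-origin iframe keeps the `embed` effect (so it is filtered and drawn at 0.4 opacity), while a cross-origin iframe or plugin is painted with `overlay`: the SVG filter and everything beneath it are skipped, but the opacity above the filter still applies. That matches the intent's description and the WebKit column below, where same-origin iframes are the one embed kind still filtered.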

Blink component
Blink>SVG

Web Feature ID
svg-filters

Motivation
SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) is a new spin on clickjacking that uses dynamic SVG filters to disguise content and manipulate users into taking actions they might not otherwise take. Additionally, we would like to further restrict timing attacks (https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) involving SVG filters.

Initial public proposal
No information provided

TAG review
Not applicable, this isn’t adding a new feature but disabling one we perhaps should not have supported.

TAG review status
Not applicable

Goals for experimentation
None

Risks


Interoperability and Compatibility
No information provided

Gecko: Under consideration (https://github.com/mozilla/standards-positions/issues/1395). Currently allows SVG filters on all iframes/plugins.

WebKit: Shipped/Shipping (https://github.com/WebKit/standards-positions/issues/654). Currently disables SVG filters on plugins and cross-origin iframes, but allows them on same-origin iframes.

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Debuggability
No information provided

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes
This impacts all platforms using blink.

Is this feature fully tested by web-platform-tests?
Yes
svg/styling/svg-filter-render-*.tentative.https.html provides cross-browser reference tests.

Flag name on about://flags
No information provided

Finch feature name
kPreventSvgFilterPaint

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
False

Tracking bug
https://crbug.com/476646486

Launch bug
https://launch.corp.google.com/launch/4470371

Measurement
Existing counters track usage: https://chromestatus.com/metrics/feature/timeline/popularity/5828 https://chromestatus.com/metrics/feature/timeline/popularity/5829

Estimated milestones
Shipping on desktop: 149
Shipping on Android: 149
Shipping on WebView: 149


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

No information provided

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5117170452398080?gate=4730771102367744

This intent message was generated by Chrome Platform Status.