On Sun, Aug 20, 2023 at 7:36 PM Yoav Weiss <yoavwe...@chromium.org> wrote:
> Thanks for working on this!! Eliminating resources which can't be loaded > as CORS enabled resources is super useful! > > On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalecur...@chromium.org> > wrote: > >> Contact emailsdalecur...@chromium.org >> >> ExplainerNone >> >> Specificationhttps://www.w3.org/TR/SVG >> >> Summary >> >> Implements the crossOrigin attribute for SVG images: The crossOrigin >> attribute, valid on the <image> and <feImage> elements, provides support >> for configuration of the Cross-Origin Resource Sharing (CORS) requests for >> the element's fetched data. The supported values are the same as elsewhere: >> "anonymous", "use-credentials", and "" (which means anonymous). >> https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin >> https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute >> >> >> Blink componentBlink>SVG >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESVG> >> >> Search tagssvg <https://chromestatus.com/features#tags:svg>, crossorigin >> <https://chromestatus.com/features#tags:crossorigin>, image >> <https://chromestatus.com/features#tags:image> >> >> TAG reviewNone >> >> TAG review statusNot applicable >> >> Risks >> >> >> Interoperability and Compatibility >> >> None >> > > I believe content that already has a crossorigin attribute, but where the > servers didn't send ACAO would now be blocked. > Can we add a usecounter for that case, and monitor it as part of the > rollout? > > >> >> *Gecko*: Shipped/Shipping ( >> https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility >> ) >> > > According to MDN, that's a fairly recent change. Do you know if it ran > into any compat issues? > I don't. Nothing is called out on the implementation issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1240357 +longs...@gmail.com who authored the Firefox change in case they want to weigh in. > > >> >> *WebKit*: No signal ( >> https://github.com/WebKit/standards-positions/issues/241) >> >> *Web developers*: Positive >> >> *Other signals*: >> >> Security >> >> The default value of the crossOrigin attribute is "anonymous", both >> Safari and Chrome currently treat the missing attribute as "no cors". Due >> to the default value change, content that was previously inaccessible >> and/or tainted will become accessible without site/developer involvement if >> the server was already supplying the correct Access-Control-Allow-Origin >> header. >> > fs pointed out that this is confusingly worded. I've rephrased it as: "Content that was previously inaccessible and/or tainted will become accessible without site/developer involvement if the client side element has a crossOrigin attribute and the server was already supplying the correct Access-Control-Allow-Origin header." > >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> >> Debuggability >> >> None >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, Chrome OS, Android, and Android WebView)?Yes >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ?Yes >> > > Link to wpt.fyi that shows Firefox passing the tests currently? > Hmm, I linked to them on the chromestatus entry, I guess it doesn't include them here: https://wpt.fyi/results/svg/embedded/image-crossorigin.sub.html?label=master&label=experimental&aligned https://wpt.fyi/results/webcodecs/videoFrame-construction.crossOriginSource.sub.html?label=master&label=experimental&aligned > > >> >> >> Flag name on chrome://flagsNone >> >> Finch feature nameSvgCrossOriginAttribute >> >> Non-finch justification >> >> Minor attribute addition. >> >> >> Requires code in //chrome?False >> >> Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=842321 >> >> Launch bughttps://bugs.chromium.org/p/chromium/issues/detail?id=842321 >> >> Estimated milestones >> Shipping on desktop 118 >> Shipping on Android 118 >> >> Anticipated spec changes >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> None >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/5109030850134016 >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwe2CjFynQXVEcbtHTa%2BxWZMdJTZytv8Fiiyc5NQsQpkYA%40mail.gmail.com.
