On Mon, Aug 21, 2023 at 1:24 AM Fredrik Söderquist <f...@opera.com> wrote:
> On Mon, Aug 21, 2023 at 4:36 AM Yoav Weiss <yoavwe...@chromium.org> wrote: > >> Thanks for working on this!! Eliminating resources which can't be loaded >> as CORS enabled resources is super useful! >> >> On Fri, Aug 18, 2023 at 11:28 PM Dale Curtis <dalecur...@chromium.org> >> wrote: >> >>> Contact emailsdalecur...@chromium.org >>> >>> ExplainerNone >>> >>> Specificationhttps://www.w3.org/TR/SVG >>> >>> Summary >>> >>> Implements the crossOrigin attribute for SVG images: The crossOrigin >>> attribute, valid on the <image> and <feImage> elements, provides support >>> for configuration of the Cross-Origin Resource Sharing (CORS) requests for >>> the element's fetched data. The supported values are the same as elsewhere: >>> "anonymous", "use-credentials", and "" (which means anonymous). >>> https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin >>> https://www.w3.org/TR/SVG/embedded.html#ImageElementCrossoriginAttribute >>> >> > This should probably rather point to > https://www.w3.org/TR/SVG/embedded.html#__svg__SVGImageElement__crossOrigin > since - for <image> this only affects/adds the IDL attribute while the > content attribute has been supported for a long time (archeology needed). > For <feImage> it would be both though. > Done on the chromestatus side. > > >> >>> >>> Blink componentBlink>SVG >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESVG> >>> >>> Search tagssvg <https://chromestatus.com/features#tags:svg>, crossorigin >>> <https://chromestatus.com/features#tags:crossorigin>, image >>> <https://chromestatus.com/features#tags:image> >>> >>> TAG reviewNone >>> >>> TAG review statusNot applicable >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> None >>> >> >> I believe content that already has a crossorigin attribute, but where the >> servers didn't send ACAO would now be blocked. >> > > Should only affect <feImage>, not <image>. > > >> Can we add a usecounter for that case, and monitor it as part of the >> rollout? >> >> >>> >>> *Gecko*: Shipped/Shipping ( >>> https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/crossorigin#browser_compatibility >>> ) >>> >> >> According to MDN, that's a fairly recent change. Do you know if it ran >> into any compat issues? >> >> >>> >>> *WebKit*: No signal ( >>> https://github.com/WebKit/standards-positions/issues/241) >>> >>> *Web developers*: Positive >>> >>> *Other signals*: >>> >>> Security >>> >>> The default value of the crossOrigin attribute is "anonymous", both >>> Safari and Chrome currently treat the missing attribute as "no cors". Due >>> to the default value change, content that was previously inaccessible >>> and/or tainted will become accessible without site/developer involvement if >>> the server was already supplying the correct Access-Control-Allow-Origin >>> header. >>> >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> None >>> >>> >>> Debuggability >>> >>> None >>> >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, Chrome OS, Android, and Android WebView)?Yes >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ?Yes >>> >> >> Link to wpt.fyi that shows Firefox passing the tests currently? >> >> >>> >>> >>> Flag name on chrome://flagsNone >>> >>> Finch feature nameSvgCrossOriginAttribute >>> >>> Non-finch justification >>> >>> Minor attribute addition. >>> >>> >>> Requires code in //chrome?False >>> >>> Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=842321 >>> >>> Launch bughttps://bugs.chromium.org/p/chromium/issues/detail?id=842321 >>> >>> Estimated milestones >>> Shipping on desktop 118 >>> Shipping on Android 118 >>> >>> Anticipated spec changes >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> None >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/5109030850134016 >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwdovYUciES4qqjJ3PckFOvc_6yzBVn_b4uKyuA9xwbv6Q%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPUDrwcpPHp%3D22%2BtMU%2BG4xKi7yFeMJw0Ou8SSubig%2B6ORYo_jA%40mail.gmail.com.