Title of the proposal
Disable SVG filters on plugins and cross-origin/restricted iframes
URL to the spec
w3c/csswg-drafts#13846
Feature Launch URL
https://chromestatus.com/feature/5117170452398080
Issue Tracker URL
https://crbug.com/476646486
Mozilla standards-positions issue URL
mozilla/standards-positions#1395
Description
This proposal prevents SVG filters from being applied to cross-origin/restricted iframes (e.g., sandboxed ones) and embedded plugins (e.g., PDFs). When a frame/plugin would be painted with an SVG filter effect, the effect tree is traversed to find the highest ancestor without SVG filters, and that effect is then applied instead.
SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) is a new spin on clickjacking which uses dynamic SVG filters to disguise content and manipulate users into taking actions they might not otherwise. Additionally, we would like to further restrict timing attacks (https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) involving SVG filters.