Specification title
Disable SVG filters on plugins and cross-origin/restricted iframes
Specification or proposal URL (if available)
w3c/csswg-drafts#13846
Proposal author(s)
@arichiv
Feature Launch URL
https://chromestatus.com/feature/5117170452398080
Bugzilla URL
https://crbug.com/476646486
WebKit standards-position
WebKit/standards-positions#654
Other information
This proposal prevents SVG filters from being applied to cross-origin/restricted iframes (e.g., sandboxed ones) and embedded plugins (e.g., pdfs). When a frame/plugin would be painted with an SVG filter effect, the effect tree is traversed to find the highest ancestor without SVG filters, and that effect is then applied instead.
SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) is a new spin on clickjacking which uses dynamic SVG filters to disguise content and manipulate users into taking actions they might not otherwise. Additionally, we would like to further restrict timing attacks (https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) involving SVG filters.
Specification title
Disable SVG filters on plugins and cross-origin/restricted iframes
Specification or proposal URL (if available)
w3c/csswg-drafts#13846
Proposal author(s)
@arichiv
Feature Launch URL
https://chromestatus.com/feature/5117170452398080
Bugzilla URL
https://crbug.com/476646486
WebKit standards-position
WebKit/standards-positions#654
Other information
This proposal prevents SVG filters from being applied to cross-origin/restricted iframes (e.g., sandboxed ones) and embedded plugins (e.g., pdfs). When a frame/plugin would be painted with an SVG filter effect, the effect tree is traversed to find the highest ancestor without SVG filters, and that effect is then applied instead.
SVG clickjacking (https://lyra.horse/blog/2025/12/svg-clickjacking/) is a new spin on clickjacking which uses dynamic SVG filters to disguise content and manipulate users into taking actions they might not otherwise. Additionally, we would like to further restrict timing attacks (https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf) involving SVG filters.