7 changes: 6 additions & 1 deletion filter-effects-1/Overview.bs
Expand Up @@ -3546,6 +3546,11 @@ If any of the above rules are not followed, an attacker could infer information

A timing attack is a method of obtaining information about content that is otherwise protected, based on studying the amount of time it takes for an operation to occur. If, for example, red pixels took longer to draw than green pixels, one might be able to reconstruct a rough image of the element being rendered, without ever having access to the content of the element. Security studies show that timing differences on arithmetic operations can be caused by the hardware architecture or compiler [[ArTD]].

<h3 id="clickjacking-attack">Clickjacking Attacks</h3>

User agents must not apply SVG reference <a element>filter</a>s to cross-origin/restricted iframes or web plugins.
If this is permitted, it allows the manipulation of otherwise inaccessable frames, potentially causing users to take actions they might not otherwise.

<h2 id=security>Security Considerations</h2>

Besides the security implications of the privacy issues noted above,
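Review bot: The new normative sentence under "Clickjacking Attacks" is not testable as written, because "cross-origin/restricted iframes" and "web plugins" are not defined or linked. Please say what "restricted" covers and reference the relevant definitions so implementers know exactly which embedded content the "must not" applies to. The requirement also names only SVG reference filters; if filter functions applied to the same frames are intentionally out of scope, say so. The rationale sentence needs a copy edit: "inaccessable" should be "inaccessible", and "take actions they might not otherwise" ends without its verb ("might not otherwise take"). Finally, the `<h3 id="clickjacking-attack">` sits in the preceding privacy section, just before `<h2 id=security>`; since clickjacking is a UI-redress problem rather than an information leak, consider moving it under Security Considerations.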
Expand Down Expand Up @@ -3628,4 +3633,4 @@ effect-reference-merge-no-inputs.tentative.html
filter-region-negative-positioned-child-001.html
effect-reference-displacement-negative-scale-001.html
backdrop-filters-grayscale-001.html
</wpt>
</wpt>
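Review bot: The closing `</wpt>` line is removed and re-added with identical visible text, which looks like an end-of-file newline or whitespace change unrelated to the clickjacking text. Please confirm it is intentional or drop it from this PR to keep the diff limited to the spec change.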