From f8e5bf77287b6d8712b054e6651472b7babeeb38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philip=20J=C3=A4genstedt?= <philip@foolip.org>
Date: Tue, 9 Jun 2026 17:22:16 +0200
Subject: [PATCH 1/3] Define privacy-preserving rendering

---
 source | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/source b/source
index 640465da59f..79ff011c402 100644
--- a/source
+++ b/source
@@ -151602,6 +151602,9 @@ legend[align=right i] {
   <code>video</code> element, as defined by the relevant rendering rules; for WebVTT, those are the
   <span>rules for updating the display of WebVTT text tracks</span>. <ref>WEBVTT</ref></p>
 
+  <p>In <span>privacy-preserving rendering</span>, subtitles and captions are <span>expected</span>
+  to be rendered with default appearance that ignores any user preferences.</p>
+
   <p>When the user agent starts <span data-x="expose a user interface to the user">exposing a user
   interface</span> for a <code>video</code> element, the user agent should run the <span>rules for
   updating the text track rendering</span> of each of the <span data-x="text track">text
@@ -153312,6 +153315,10 @@ select {
   elements in their user interface, as discussed <a
   href="#providing-users-with-a-means-to-follow-hyperlinks-created-using-the-link-element">previously</a>.</p>
 
+  <p>In <span>privacy-preserving rendering</span>, user agents are <span>expected</span> to act as
+  if the <code data-x="selector-visited">:visited</code> <span>pseudo-class</span> does not
+  match.</p>
+
 
 
 
@@ -153550,6 +153557,35 @@ if (s = prompt('What is your name?')) {
 
 
 
+  <h3>Privacy-preserving rendering</h3>
+
+  <p>In <dfn export>privacy-preserving rendering</dfn>, any security- or privacy-sensitive
+  information that isn't otherwise observable to author code are omitted or replaced with safe
+  defaults. The detailed requirements are in the relevant sections above.</p>
+
+  <p>In <span>privacy-preserving rendering</span>, the user agent is expected to:</p>
+
+  <h4>Summary</h4>
+
+  <!-- NON-NORMATIVE SECTION -->
+
+  <p>The following table summarizes how <span>privacy-preserving rendering</span> affects various
+  elements and features when they are rendered:</p>
+
+  <table>
+   <thead>
+    <tr>
+     <th>Category
+     <th>Expected behavior
+   <tbody>
+    <tr>
+     <td><code>a</code> and <code>area</code> elements
+     <td>The <code data-x="selector-visited">:visited</code> <span>pseudo-class</span> never matches.
+    <tr>
+     <td><span data-x="media element">Media elements</span>
+     <td>Subtitles and captionss use default appearance, ignoring any user preferences.
+  </table>
+
 
   <h2 split-filename="obsolete" id="obsolete">Obsolete features</h2>
 

From 9b2ed380f15401fd3a1b268e7595c3b28c872430 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philip=20J=C3=A4genstedt?= <foolip@chromium.org>
Date: Tue, 16 Jun 2026 13:41:01 +0000
Subject: [PATCH 2/3] Rename privacy-preserving rendering to read-back-allowed
 rendering

And s/in/during/
---
 source | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/source b/source
index 79ff011c402..4b1bd04eafb 100644
--- a/source
+++ b/source
@@ -151602,8 +151602,9 @@ legend[align=right i] {
   <code>video</code> element, as defined by the relevant rendering rules; for WebVTT, those are the
   <span>rules for updating the display of WebVTT text tracks</span>. <ref>WEBVTT</ref></p>
 
-  <p>In <span>privacy-preserving rendering</span>, subtitles and captions are <span>expected</span>
-  to be rendered with default appearance that ignores any user preferences.</p>
+  <p>During <span>read-back-allowed rendering</span>, subtitles and captions are
+  <span>expected</span> to be rendered with default appearance that ignores any user
+  preferences.</p>
 
   <p>When the user agent starts <span data-x="expose a user interface to the user">exposing a user
   interface</span> for a <code>video</code> element, the user agent should run the <span>rules for
@@ -153315,8 +153316,8 @@ select {
   elements in their user interface, as discussed <a
   href="#providing-users-with-a-means-to-follow-hyperlinks-created-using-the-link-element">previously</a>.</p>
 
-  <p>In <span>privacy-preserving rendering</span>, user agents are <span>expected</span> to act as
-  if the <code data-x="selector-visited">:visited</code> <span>pseudo-class</span> does not
+  <p>During <span>read-back-allowed rendering</span>, user agents are <span>expected</span> to act
+  as if the <code data-x="selector-visited">:visited</code> <span>pseudo-class</span> does not
   match.</p>
 
 
@@ -153557,19 +153558,17 @@ if (s = prompt('What is your name?')) {
 
 
 
-  <h3>Privacy-preserving rendering</h3>
+  <h3>Read-back-allowed rendering</h3>
 
-  <p>In <dfn export>privacy-preserving rendering</dfn>, any security- or privacy-sensitive
+  <p>During <dfn export>read-back-allowed rendering</dfn>, any security- or privacy-sensitive
   information that isn't otherwise observable to author code are omitted or replaced with safe
   defaults. The detailed requirements are in the relevant sections above.</p>
 
-  <p>In <span>privacy-preserving rendering</span>, the user agent is expected to:</p>
-
   <h4>Summary</h4>
 
   <!-- NON-NORMATIVE SECTION -->
 
-  <p>The following table summarizes how <span>privacy-preserving rendering</span> affects various
+  <p>The following table summarizes how <span>read-back-allowed rendering</span> affects various
   elements and features when they are rendered:</p>
 
   <table>

From f22bc53e7ad1aff5a82bfc6c8184bd9709e9322e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philip=20J=C3=A4genstedt?= <foolip@chromium.org>
Date: Tue, 16 Jun 2026 14:17:33 +0000
Subject: [PATCH 3/3] Move list over from HTML-in-Canvas PR

---
 source | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/source b/source
index 4b1bd04eafb..33f70eadb11 100644
--- a/source
+++ b/source
@@ -4210,6 +4210,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
     <ul class="brief">
      <li><dfn data-x-href="https://drafts.csswg.org/css-values/#lengths">&lt;length></dfn></li>
+     <li><dfn data-x-href="https://drafts.csswg.org/css-values/#urls">&lt;url></dfn></li>
      <li>The <dfn data-x-href="https://drafts.csswg.org/css-values/#em">'em'</dfn> unit</li>
      <li>The <dfn data-x-href="https://drafts.csswg.org/css-values/#ex">'ex'</dfn> unit</li>
      <li>The <dfn data-x-href="https://drafts.csswg.org/css-values/#vw">'vw'</dfn> unit</li>
@@ -153564,6 +153565,50 @@ if (s = prompt('What is your name?')) {
   information that isn't otherwise observable to author code are omitted or replaced with safe
   defaults. The detailed requirements are in the relevant sections above.</p>
 
+
+  <p>The following must not be exposed during <span>read-back-allowed rendering</span>:</p>
+
+  <dl>
+   <dt>All content
+   <dd><span>CORS-cross-origin</span> content, including in <span>embedded content</span> (e.g.,
+   <code>iframe</code>, <code>img</code>), <code>canvas</code> elements whose bitmap's <span
+   data-x="concept-canvas-origin-clean">origin-clean</span> flag is set to false, CSS
+   <span>&lt;url></span> references (e.g., <span>'background-image'</span>,
+   <span>'border-image-source'</span>), and SVG elements (e.g., <code data-x="">use</code>, <code
+   data-x="">pattern</code>, <code data-x="">feImage</code>).
+   <dd>Non-default colors, themes, and preferences.
+   <dd>Non-default selection and find-in-page highlights.
+   <dd>Spelling and grammar markers.
+   <dd>Subpixel text rendering and antialiasing.
+
+   <dt><span data-x="form-associated element">Form-associated elements</span>
+   <dd>Platform-specific appearance.
+   <dd>Pending autofill suggestions.
+
+   <dt><span data-x="media element">Media elements</span>
+   <dd>User preferences for caption and subtitle selection and appearance.
+
+   <dt><code>a</code> and <code>area</code> elements
+   <dd>Visited link information.
+  </dl>
+
+  <p class="XXX">The above cases should all be merged into the appropriate part of the rendering
+  section.</p>
+
+  <p>The following explicitly may be exposed during <span>read-back-allowed rendering</span>:</p>
+
+  <dl>
+   <dt>All content
+   <dd>Matching text from find-in-page.
+
+   <dt><span data-x="form-associated element">Form-associated elements</span>
+   <dd>Default appearance that is the same on all platforms.
+
+   <dt><code>iframe</code> and <code>frame</code> elements
+   <dd><span>CORS-same-origin</span> frames are not sensitive information, but
+   <span>CORS-cross-origin</span> content within them is.</dd>
+  </dl>
+
   <h4>Summary</h4>
 
   <!-- NON-NORMATIVE SECTION -->

Category +	Expected behavior +
`a` and `area` elements +	The `:visited` pseudo-class never matches. +
Media elements +	Subtitles and captionss use default appearance, ignoring any user preferences. +