Google intends to remove from the Chrome code base support for the free Theora video codec, created by the Xiph.org Foundation based on the VP3 codec and supported in Firefox and Chrome since 2009. However, the Theora codec was never supported in Chrome for Android and in WebKit-based browsers such as Safari. A similar proposal to remove Theora is being considered by Firefox developers.
The reason cited for deprecating Theora support is that there may be vulnerabilities similar to the recent critical issues with the VP8 encoder.
According to the developers, due to the increasing frequency of 0-day attacks on medical codecs, security risks exceed the level of demand for the Theora codec, which is almost never used in practice, but remains a significant target for potential attacks. According to Mozilla statistics, the share of Theora-based content among downloads of all multimedia resources in Firefox is 0.09%. According to Google, Theora's share is below the level measured in Chrome through UKM metrics.
To preserve the ability to reproduce existing content on sites in Theora format, it is proposed to use a JavaScript codec implementation - ogv.js. There are no plans to remove support for ogg containers. Users are encouraged to upgrade to a more modern open codec such as VP9.
They intend to begin experiments with disabling Theora in the Chrome 120 branch. In October, Theora plans to disable 50% of users of the dev branch, on November 1-6 - for 50% of users of the beta branch, on January 8 - for 50% of users of the stable branch, and on January 16 - all users of the stable branch. During the experiment, the βchrome://flags/#theora-video-codecβ setting is provided to return the codec. In February, the code with the Theora implementation and the setting to return codec support are planned to be removed. The first release without the possibility of returning Theora support will be Chrome 123, scheduled for March 2024. Firefox suggests disabling Theora support in nightly builds first, then collecting telemetry about failures to load media files, and then moving on to disabling it in beta versions.
Source: opennet.ru