Contact emails

jkoka...@google.com

Specification

https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute

https://github.com/w3c/svgwg/pull/901/files

Summary

Assigning a data: URL to SVGUseElement.href can cause XSS, and this also led
to a Trusted Types bypass.

Therefore, we plan to deprecate and remove support for it.


Blink component

Blink>SVG
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESVG>

Motivation

Assigning an attacker-controlled string to SVGUseElement.href causes XSS
and a Trusted Types bypass <https://github.com/w3c/trusted-types/issues/357>
because data: URLs are accepted there. If we fixed this bug by requiring a
TrustedScriptURL for every SVGUseElement.href assignment under Trusted Types
enforcement, many sites would need to refactor code (even for same-origin URL
or Blob URL assignments).

Since WebKit does not support data: URLs in SVGUseElement, and both Mozilla
and WebKit are supportive of the removal, we think that removing support
for data: URLs in SVGUseElement is the right way to solve this problem.

Additionally, data: URLs can otherwise only trigger script execution through
script loaders such as HTMLScriptElement.src or dynamic import
<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import>.
SVGUseElement is an exception to this, which also caused a bypass
<https://bugs.chromium.org/p/chromium/issues/detail?id=1306450#c10> in the
Sanitizer API. We believe that this exception has also led to several other
bugs in sanitizers and linters that miss a check for this special case.
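To make the special case concrete, here is an added example (not code from this intent, from Chromium, or from any of the sanitizers it mentions) that builds the kind of data: URL a <use> element would load, and then the scheme check a sanitizer attribute hook or a guarded setter can apply before the value reaches SVGUseElement.href. The hook signature, the stub element, and the allowlist of schemes (fragment, relative, http(s), blob) are assumptions chosen for illustration; the constructed payload carries a harmless placeholder script body.

```javascript
// Added example, not part of the intent or of any browser or sanitizer code.
// Runs under Node with no DOM: the element passed to setUseHref only needs
// a setAttribute method.

// Constructed payload: an SVG document carrying a <script>, wrapped in a
// data: URL. Before the removal, <use href="data:..."> loaded this document
// and the script ran in the embedding page, which is the XSS the intent
// describes. The script body is whatever the caller passes in.
function buildUseDataUrlPayload(scriptBody) {
  const svg =
    '<svg xmlns="http://www.w3.org/2000/svg">' +
    '<script>' + scriptBody + '</script>' +
    '<rect id="r" width="1" height="1"/>' +
    '</svg>';
  return 'data:image/svg+xml,' + encodeURIComponent(svg) + '#r';
}

// Extract the URL scheme roughly the way the URL parser does: strip leading
// and trailing C0 controls and spaces, drop ASCII tab/newline, lowercase.
// This catches " DATA:" and "da\tta:", which a naive startsWith('data:')
// misses. Returns null for relative and fragment-only references.
function hrefScheme(href) {
  const s = String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Assumed policy: on <use>, allow same-document fragments, relative paths,
// http(s) and blob: URLs (the cases the intent says sites legitimately use);
// reject data: and, for the same reason, javascript:.
const USE_ALLOWED_SCHEMES = new Set(['http', 'https', 'blob']);

function isSafeUseHref(href) {
  const scheme = hrefScheme(href);
  if (scheme === null) return true; // "#icon", "sprite.svg#icon"
  return USE_ALLOWED_SCHEMES.has(scheme);
}

// Sanitizer attribute hook of the assumed shape
// (localName, attrName, value) -> value | null, where null drops the
// attribute. Only <use> href / xlink:href is subject to the scheme check.
function useHrefAttributeHook(localName, attrName, value) {
  const isHref = attrName === 'href' || attrName === 'xlink:href';
  if (localName === 'use' && isHref && !isSafeUseHref(value)) return null;
  return value;
}

// Guarded setter for the property-assignment path the intent discusses.
// Throws instead of silently dropping so the caller notices the rejection.
function setUseHref(el, value) {
  if (!isSafeUseHref(value)) {
    throw new TypeError('refused ' + hrefScheme(value) + ': URL on <use>');
  }
  el.setAttribute('href', value);
  return value;
}
```

The scheme extraction is the part worth copying: a check that compares the raw string against `'data:'` is bypassed by leading whitespace, mixed case, or an embedded tab, all of which the URL parser strips before it decides the scheme.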

The usage
<https://chromestatus.com/metrics/feature/timeline/popularity/4356> of
data: URLs in SVGUseElement is about 0.005%.

Digging into the HTTP Archive shows usage on ~50 sites. There are 2 major
sites (slickdeals.net and hunter.104.com.tw) which use data: URLs in
SVGUseElement.

The use on slickdeals.net is invisible (i.e. it is in the footer but does not
render), and hunter.104.com.tw uses it for a single icon in the footer
(which is already broken when rendered in WebKit). The rest of the usages
seem to be on individual small sites.


Initial public proposal

TAG review

TAG review status

Not applicable.

Because this intent removes part of a feature, and the resulting behavior
already ships in WebKit (which never supported data: URLs in SVGUseElement).

Risks

Interoperability and Compatibility

Gecko: Positive <https://github.com/mozilla/standards-positions/issues/718>

WebKit: Positive <https://github.com/WebKit/standards-positions/issues/108>

Web developers: No signals


Debuggability

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

Yes <https://github.com/web-platform-tests/wpt/pull/37511>

Flag name

RemoveDataUrlInSvgUse


Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1300195

Estimated milestones

Deprecate for 2 milestones, then remove depending on breakages.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5128825141198848

This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF6VXw7jmQoZM47i3ybzn%3D5Pc4mw26Khv9U9aP_UzBt-dg%40mail.gmail.com.