On 1/11/23 6:49 PM, 'Jun Kokatsu' via blink-dev wrote:


        Contact emails

jkoka...@google.com


        Specification

https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute

https://github.com/w3c/svgwg/pull/901/files


        Summary

Assigning a data: URL in SVGUseElement can cause XSS. And this also led to a Trusted Types bypass.


Therefore, we plan to deprecate and remove support for it.



        Blink component

Blink>SVG <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESVG>


        Motivation

Assigning an attacker-controlled string to SVGUseElement.href causes XSS and a Trusted Types bypass <https://github.com/w3c/trusted-types/issues/357> because of data: URLs. If we fix this bug by requiring TrustedScriptURL assignment to SVGUseElement.href under Trusted Types enforcement, many sites would need to refactor code (even for same-origin URL or Blob URL assignment).


Since WebKit does not support data: URLs in SVGUseElement and both Mozilla and WebKit are supportive of the removal, we think that removing support for data: URLs in SVGUseElement is the right way to solve this problem.


Additionally, data: URLs can only trigger script execution in script loaders such as HTMLScriptElement.src or dynamic import <https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import>. However, SVGUseElement is an exception to this, which also caused a bypass <https://bugs.chromium.org/p/chromium/issues/detail?id=1306450#c10> in the Sanitizer API. We believe that this also led to several other bugs in sanitizers and linters missing a check for this special case.


The usage <https://chromestatus.com/metrics/feature/timeline/popularity/4356> of data: URLs in SVGUseElement is about 0.005%.


Digging into the HTTP Archive shows usages in ~50 sites. There are 2 major sites (slickdeals.net and hunter.104.com.tw) which use data: URLs in SVGUseElement.

The use in slickdeals.net is invisible (i.e. used in the footer but doesn't appear), and hunter.104.com.tw is using it for a single icon in the footer (which is already broken when rendered in WebKit). The rest of the usages seem to be in individual small sites.

I poked around the 10 sample sites at the bottom of the use counter:

https://www.aspareanord.it/, https://www.umbria.camcom.it, https://www.bisenzio.it/, https://www.comune.vernio.po.it/, https://appaltinnovativi.gov.it/, https://www.gdf.gov.it/, https://www.us.schott.com/, https://shop.wavin.com/, https://jobs.nzz.ch/, https://www.learnapp.com/

For the 6 Italian sites (I guess the same agency made them?), the right arrow icon next to "Vedi" would disappear. For a site like https://jobs.nzz.ch - there's a number of visually significant design icons that would be gone towards the bottom (and yes, it looks sort of broken today in Safari).

It's not the end of the world, looking at these 10 sites, but I wonder how a developer would know how to fix this. Have you considered a DevTools issue?


        Initial public proposal



        TAG review



        TAG review status

Not applicable.

Because this intent removes part of a feature, and the removal is already shipped in WebKit (i.e. it was never supported there).


        Risks



        Interoperability and Compatibility



Gecko: Positive <https://github.com/mozilla/standards-positions/issues/718>


WebKit: Positive <https://github.com/WebKit/standards-positions/issues/108>


Web developers: No signals



        Debuggability



        Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

Yes <https://github.com/web-platform-tests/wpt/pull/37511>


        Flag name

RemoveDataUrlInSvgUse



        Requires code in //chrome?

False


        Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1300195


        Estimated milestones

Deprecate for 2 milestones, then remove depending on breakages.

Can you say more about what the deprecation looks like (i.e., blog post, deprecation reports, devtools issue, etc)?


        Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5128825141198848


This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF6VXw7jmQoZM47i3ybzn%3D5Pc4mw26Khv9U9aP_UzBt-dg%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF6VXw7jmQoZM47i3ybzn%3D5Pc4mw26Khv9U9aP_UzBt-dg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
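The intent above notes that sanitizers and linters tend to miss data: URLs on SVG `<use>` because only script loaders are expected to run script from them. The following is an added example, not code from the intent, Chromium or any sanitizer project: a markup-level check that finds such references and a sanitizer pass that strips only those, leaving fragment refs and same-origin sprite URLs alone. The sample markup is constructed; the scheme normalisation (strip leading/trailing C0 controls and spaces, drop tab/CR/LF, compare case-insensitively) mirrors how URL parsers see a scheme.

```javascript
// Constructed sample: two legitimate <use> refs and one data: URL with
// leading whitespace and mixed case, the shape a naive startsWith check misses.
const SAMPLE_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg">',
  '  <use href="#arrow"/>',
  '  <use xlink:href="/sprites.svg#icon"/>',
  '  <use href=" DATA:image/svg+xml,placeholder"/>',
  '</svg>',
].join('\n');

// Matches <use ...> start tags and captures their attribute text.
const USE_TAG_RE = /<use\b([^>]*)>/gi;
// Matches href= / xlink:href= (not data-href=) with ", ' or bare values.
const HREF_ATTR_RE =
  /(?<![\w:.-])(?:xlink:)?href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// True when the value resolves to the data: scheme after URL-style cleanup.
function isDataUrl(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '') // trim controls/space
    .replace(/[\t\n\r]/g, '')                            // drop embedded tabs/newlines
    .toLowerCase();
  return cleaned.startsWith('data:');
}

// Linter check: every <use> href/xlink:href value that is a data: URL.
function findDataUrlUseRefs(svgMarkup) {
  const hits = [];
  for (const tag of svgMarkup.matchAll(USE_TAG_RE)) {
    for (const attr of tag[1].matchAll(HREF_ATTR_RE)) {
      const value = attr[1] ?? attr[2] ?? attr[3] ?? '';
      if (isDataUrl(value)) hits.push(value);
    }
  }
  return hits;
}

// Sanitizer pass: remove only the offending attribute from each <use> tag.
function stripDataUrlUseRefs(svgMarkup) {
  return svgMarkup.replace(USE_TAG_RE, (tag, attrs) => {
    const kept = attrs.replace(HREF_ATTR_RE, (m, dq, sq, bare) =>
      isDataUrl(dq ?? sq ?? bare ?? '') ? '' : m);
    return tag.slice(0, 4) + kept + '>';
  });
}
```

The regexes assume well-formed attribute syntax (no `>` inside attribute values); for untrusted input in production, run the same predicate over a real DOM or XML parser's attribute nodes instead.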
