On Thu, Jan 12, 2023 at 10:44 AM Mike Taylor <miketa...@chromium.org> wrote:
> On 1/11/23 6:49 PM, 'Jun Kokatsu' via blink-dev wrote: > > Contact emails > > jkoka...@google.com > > Specification > > https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute > > https://github.com/w3c/svgwg/pull/901/files > > Summary > > Assigning a data: URL in SVGUseElement can cause XSS. And this also led to > a Trusted Types bypass. > > Therefore, we plan to deprecate and remove support for it. > > > Blink component > > Blink>SVG > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESVG> > > Motivation > > Assigning an attacker controlled string to SVGUseElement.href causes XSS > and a Trusted Types bypass > <https://github.com/w3c/trusted-types/issues/357> because of data: URLs. > If we fix this bug by requiring TrustedScriptURL assignment to > SVGUseElement.href under Trusted Types enforcement, many sites would need > to refactor code (even for same-origin URL or Blob URL assignment). > > Since Webkit does not support data: URLs in SVGUseElement and both Mozilla > and Webkit are supportive for the removal, we think that removing support > for data: URLs in SVGUseElement is the right way to solve this problem. > > Additionally, data: URLs can only trigger script execution in script > loaders such as HTMLScriptElement.src or dynamic import > <https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import>. > However, SVGUseElement is an exception to this, which also caused a bypass > <https://bugs.chromium.org/p/chromium/issues/detail?id=1306450#c10> in > the Sanitizer API. We believe that this also led to several other bugs in > sanitizers and linters missing a check for this special case. > > The usage > <https://chromestatus.com/metrics/feature/timeline/popularity/4356> of > data: URLs in SVGUseElement is about 0.005%. > > Digging into the HTTP Archive shows usages in ~50 sites. There are 2 major > sites (slickdeals.net and hunter.104.com.tw) which use data: URLs in > SVGUseElement. > > The use in slickdeals.net is invisible (i.e. used in the footer but > doesn't appear), and hunter.104.com.tw is using it for a single icon in > the footer (which is already broken when rendered in Webkit). Rest of the > usages seems to be in individual small sites. > > I poked around the 10 sample sites at the bottom of the use counter: > > https://www.aspareanord.it/, https://www.umbria.camcom.it, > https://www.bisenzio.it/, https://www.comune.vernio.po.it/, > https://appaltinnovativi.gov.it/, https://www.gdf.gov.it/, > https://www.us.schott.com/, https://shop.wavin.com/, https://jobs.nzz.ch/, > https://www.learnapp.com/ > > For the 6 Italian sites (I guess the same agency made them?), the right > arrow icon next to "Vedi" would disappear. For a site like > https://jobs.nzz.ch - there's a number of visually significant design > icons that would be gone towards the bottom (and yes, it looks sort of > broken today in Safari). > > It's not the end of the world, looking at these 10 sites, but I wonder how > a developer would know how to fix this. Have you considered a DevTools > issue? > Thank you for the suggestion! Yes, I do plan to follow Deprecation steps <https://chromium.googlesource.com/chromium/src/+/HEAD/third_party/blink/renderer/core/frame/deprecation/README.md> and add a Devtools issue 🙂 > Initial public proposal > > TAG review > > TAG review status > > Not applicable. > > Because this intent removes part of a feature, and it is already shipped > in Webkit (i.e. never supported). > > Risks > > Interoperability and Compatibility > > Gecko: Positive > <https://github.com/mozilla/standards-positions/issues/718> > > WebKit: Positive > <https://github.com/WebKit/standards-positions/issues/108> > > Web developers: No signals > > > Debuggability > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ? > > Yes <https://github.com/web-platform-tests/wpt/pull/37511> > > Flag name > > RemoveDataUrlInSvgUse > > > Requires code in //chrome? > > False > > Tracking bug > > https://bugs.chromium.org/p/chromium/issues/detail?id=1300195 > > Estimated milestones > > Deprecate for 2 milestones, then remove depending on breakages. > > Can you say more about what the deprecation looks like (i.e., blog post, > deprecation reports, devtools issue, etc)? > > > > Link to entry on the Chrome Platform Status > > https://chromestatus.com/feature/5128825141198848 > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF6VXw7jmQoZM47i3ybzn%3D5Pc4mw26Khv9U9aP_UzBt-dg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF6VXw7jmQoZM47i3ybzn%3D5Pc4mw26Khv9U9aP_UzBt-dg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF5KQOG5R8baUM41T4fR01QbGFjvvEsf629h%2BzASCn_F0Q%40mail.gmail.com.
