Hi, could you file a position request with WebKit?

On Fri, Oct 31, 2025 at 11:04 AM Dominik Röttsches <[email protected]> wrote:
> *Contact emails*
> [email protected]
>
> *Explainer*
> No information provided
>
> *Specification*
> https://www.w3.org/TR/xml/#proc-types
>
> *Summary*
> Chrome synchronously fetches external XML entities/DTDs and incorporates
> them into parsing under specific circumstances. I propose to remove this
> functionality.
>
> Test case xml-external-entity.xml
> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/http/tests/security/contentTypeOptions/xml-external-entity.xml>
> gives an example:
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
> [
> <!ENTITY entity_application_xml_external_parsed_entity SYSTEM "
> http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity
> ">
> ...
>
> External entities can be defined in the trailing part of the DOCTYPE
> statement - and then refer to resources that are to be synchronously loaded
> and included as context when parsing XML.
>
> Another syntax example would be a DOCTYPE that uses the SYSTEM keyword
> followed by a URL pointing to a DTD which contains additional entity
> definitions.
>
> Such external load requests are passed up from the parser and allowed only
> if they are a same-origin request and the response MIME type matches
> application/xml-external-parsed-entity.
>
> According to https://www.w3.org/TR/xml/#proc-types, non-validating
> processors are not required to read external entities.
>
> *Blink component*
> DOM
>
> *Web Feature ID*
> Falls under the XML feature group, but I did not see a specific parsing
> feature.
>
> *Motivation*
> The usage has continuously decreased and is at an extremely low level of
> 0.000015, compare:
> https://chromestatus.com/metrics/feature/timeline/popularity/529
> We intend to improve the security of XML parsing in Chrome. (See internal
> go/chrome_x_mitigation.)
>
> In this effort, we intend to replace libxml2 as the XML parser with an XML
> parser written in Rust (crate "xml"). The Rust-based XML parser we intend
> to migrate to does not support external entities, and we don't think it's
> necessary or desirable to implement this feature.
>
> Synchronous loads during parsing are considered inefficient, and can be
> avoided by inlining the needed entity definitions.
>
> As usage is so low, and Firefox never supported this
> <https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135>, I propose to
> deprecate in 144 and remove in 145.
>
> *Initial public proposal*
> No information provided
>
> *Debuggability*
> Parsing success/failure is debuggable, same as before.
>
> *Requires code in //chrome?*
> No
>
> *Tracking bug*
> https://crbug.com/455813733
>
> *Estimated milestones*
> Starting deprecation in 144
>
> Shipping on desktop 144
> Shipping on Android 144
> Shipping on WebView 144
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/6734457763659776?gate=4825690713227264
>
> This intent message was generated by Chrome Platform Status.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBt5G1ZbUby1i3PBt0qUK0%3DkPj8%2BhHeVbQcZ3xgnnvKKBQ%40mail.gmail.com

--
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9L-ZQfiDZzZGt5Mh_oX1f%3Dp7r0GhXLO_54o9H01o2Ksw%40mail.gmail.com.
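An added example, not part of the thread and not Chromium code, to make the gate described in the quoted intent concrete: the parser hands each external entity reference up to the embedder, the embedder allows the load only for a same-origin request whose response MIME type is application/xml-external-parsed-entity, and only an allowed entity's body is parsed into the document. A second mode never fetches, mirroring the proposed removal. It uses Python's stdlib expat bindings as the parser; the entity URLs, the in-memory stand-in for the network and the sample document are constructed for this example, and the "removed" mode's choice to let a never-fetched entity expand to nothing is this example's own, not a description of how the Rust parser behaves.

```python
"""
Toy model of the gated external-entity load from the intent message.

expat reports every external general entity reference to
ExternalEntityRefHandler; fetch_entity() applies the two checks named in the
message (same-origin request, response MIME type
application/xml-external-parsed-entity) and only an allowed body is parsed
into the referencing context. mode="removed" never fetches.
"""
import xml.parsers.expat as expat
from urllib.parse import urlsplit

DOCUMENT_ORIGIN = "http://127.0.0.1:8000"  # assumed origin of the document
ENTITY_MIME = "application/xml-external-parsed-entity"

# Constructed stand-in for the network: URL -> (Content-Type, body).
FAKE_SERVER = {
    "http://127.0.0.1:8000/resources/ok.ent": (ENTITY_MIME, "<b>from-same-origin</b>"),
    "http://127.0.0.1:8000/resources/wrong-mime.ent": ("text/plain", "<b>wrong-mime</b>"),
    "http://attacker.example/evil.ent": (ENTITY_MIME, "<b>cross-origin</b>"),
}

# Constructed sample document: three external entities declared in the
# DOCTYPE internal subset, in the shape of the Blink web test quoted above.
SAMPLE_DOC = """<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY ok SYSTEM "http://127.0.0.1:8000/resources/ok.ent">
  <!ENTITY badmime SYSTEM "http://127.0.0.1:8000/resources/wrong-mime.ent">
  <!ENTITY xorigin SYSTEM "http://attacker.example/evil.ent">
]>
<doc><a>&ok;</a><a>&badmime;</a><a>&xorigin;</a></doc>
"""


def origin(url):
    """scheme://host[:port] of a URL, the tuple a same-origin check compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def fetch_entity(system_id, document_origin=DOCUMENT_ORIGIN):
    """Apply the gate from the intent, then 'fetch' from FAKE_SERVER.

    Returns (body or None, verdict). The origin check runs before any request
    is issued, so a cross-origin URL is never contacted; the MIME check runs
    on the response.
    """
    if origin(system_id) != document_origin:
        return None, "blocked:cross-origin"
    resp = FAKE_SERVER.get(system_id)
    if resp is None:
        return None, "blocked:not-found"
    mime, body = resp
    if mime != ENTITY_MIME:
        return None, "blocked:mime-mismatch"
    return body, "allowed"


def parse(doc=SAMPLE_DOC, mode="gated"):
    """Parse doc with expat and return (character data seen, decisions).

    mode="gated":   an external entity is loaded only if fetch_entity allows.
    mode="removed": nothing is fetched; the reference contributes nothing
                    (this toy's choice, not the new Chrome parser's behaviour).
    decisions is a list of (systemId, verdict) in reference order.
    """
    chars = []
    decisions = []
    parser = expat.ParserCreate()

    def on_chars(data):
        chars.append(data)

    def on_external_entity(context, base, system_id, public_id):
        if mode == "removed":
            decisions.append((system_id, "not-fetched"))
            return 1  # non-zero: keep parsing; entity expands to nothing
        body, verdict = fetch_entity(system_id)
        decisions.append((system_id, verdict))
        if body is not None:
            # Parse the entity body in the referencing context with a child
            # parser that inherits this parser's handlers, so the entity's
            # content lands in the document exactly where it was referenced.
            sub = parser.ExternalEntityParserCreate(context)
            sub.Parse(body, True)
        return 1

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(doc, True)
    return "".join(chars), decisions


if __name__ == "__main__":
    for m in ("gated", "removed"):
        text, decisions = parse(mode=m)
        print(m, repr(text))
        for system_id, verdict in decisions:
            print("   ", verdict, system_id)
```

In gated mode only the same-origin entity with the right MIME type contributes text; the wrong-MIME response is discarded after the fetch and the cross-origin URL is refused before any request. In removed mode the document parses without error but none of the three entities adds anything, which is the property the inlining advice in the intent relies on: anything the page needs has to be in the internal subset.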
