LGTM2

On Thu, Nov 6, 2025 at 1:57 AM Dominik Röttsches <[email protected]> wrote:

> Thanks for the feedback so far.
>
> On Wed, Nov 5, 2025 at 3:57 PM Chris Harrelson <[email protected]>
> wrote:
>
>> Hi, could you file a position request with webkit?
>>
>
> Sure, filed as https://github.com/WebKit/standards-positions/issues/572
>
> On Wed, Nov 5, 2025 at 6:47 PM Daniel Bratell <[email protected]> wrote:
>
>> I just realized that there was no Finch flag section in the template.
>> There should be one, right?
>>
> Finch flag is XMLNoExternalEntities - updated in Chromestatus entry.
>
>
>> On Fri, Oct 31, 2025 at 11:04 AM Dominik Röttsches <[email protected]> wrote:
>>
>>> *Contact emails*
>>> [email protected]
>>>
>>> *Explainer*
>>> No information provided
>>>
>>> *Specification*
>>> https://www.w3.org/TR/xml/#proc-types
>>>
>>> *Summary*
>>> Chrome synchronously fetches external XML entities/DTDs and incorporates
>>> them into parsing under specific circumstances. I propose to remove this
>>> functionality.
>>>
>>> Test case xml-external-entity.xml
>>> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/http/tests/security/contentTypeOptions/xml-external-entity.xml>
>>> gives an example:
>>>
>>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
>>>         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
>>> [
>>> <!ENTITY entity_application_xml_external_parsed_entity SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
>>> ...
>>>
>>> External entities can be defined in the trailing part of the DOCTYPE
>>> statement - and then refer to resources that are to be synchronously loaded
>>> and included as context when parsing XML.
>>>
>>> Another syntax example would be a DOCTYPE using the SYSTEM keyword
>>> followed by a URL pointing to a DTD which contains additional entity
>>> definitions.
>>>
>>> Such external load requests are passed up from the parser and allowed
>>> only if they are a same origin request and the response mimetype matches:
>>> application/xml-external-parsed-entity.
>>>
>>> According to https://www.w3.org/TR/xml/#proc-types non-validating
>>> processors are not required to read external entities.
>>>
>>> *Blink component*
>>> DOM
>>>
>>> *Web Feature ID*
>>> Falls under XML feature group, but did not see a specific parsing
>>> feature.
>>>
>>> *Motivation*
>>> The usage has continuously decreased and is at an extremely low level of
>>> 0.000015, compare:
>>> https://chromestatus.com/metrics/feature/timeline/popularity/529
>>>
>>> We intend to improve the security of XML parsing in Chrome. (See internal
>>> go/chrome_x_mitigation).
>>>
>>> In this effort, we intend to replace libxml2 as the XML parser with an
>>> XML parser written in Rust (crate "xml"). The Rust-based XML parser we
>>> intend to migrate to does not support external entities, and we don't think
>>> it's necessary or desirable to implement this feature.
>>>
>>> Synchronous loads during parsing are considered inefficient, and can be
>>> avoided by inlining the needed entity definitions.
>>>
>>> As usage is so low and Firefox never supported this
>>> <https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135>, I propose to
>>> deprecate in 144 and remove in 145.
>>>
>>> *Initial public proposal*
>>> No information provided
>>>
>>> *Debuggability*
>>> Parsing success/failure is debuggable, same as before.
>>>
>>> *Requires code in //chrome?*
>>> No
>>>
>>> *Tracking bug*
>>> https://crbug.com/455813733
>>>
>>> *Estimated milestones*
>>> Starting deprecation in 144
>>>
>>> Shipping on desktop 144
>>> Shipping on Android 144
>>> Shipping on WebView 144
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/6734457763659776?gate=4825690713227264
>>>
>>> This intent message was generated by Chrome Platform Status.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBt5G1ZbUby1i3PBt0qUK0%3DkPj8%2BhHeVbQcZ3xgnnvKKBQ%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBt5G1ZbUby1i3PBt0qUK0%3DkPj8%2BhHeVbQcZ3xgnnvKKBQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>
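
For site owners checking whether their documents depend on the behaviour being removed, here is an added example (not part of the thread and not Chromium code). It lists the external DTD subset and external entities that a DOCTYPE declares, and models the same-origin plus MIME-type gate described in the summary; `example.test`, the sample document and the function names are constructed for illustration.

```javascript
// Added example, not Chromium code. Regex-based audit of a DOCTYPE; it does not
// handle every legal DTD construct (e.g. "]>" inside an entity value).
const ENTITY_MIME = "application/xml-external-parsed-entity"; // from the intent text
const QUOTED = `(?:"[^"]*"|'[^']*')`;
// ExternalID: SYSTEM "uri"  |  PUBLIC "pubid" "uri"  (captures the quoted uri)
const EXTERNAL_ID = `(?:SYSTEM|PUBLIC\\s+${QUOTED})\\s+(${QUOTED})`;
const DOCTYPE_RE = new RegExp(
  `<!DOCTYPE\\s+[^\\s\\[>]+(?:\\s+${EXTERNAL_ID})?\\s*(?:\\[([\\s\\S]*?)\\]\\s*)?>`);
const ENTITY_RE = new RegExp(`<!ENTITY\\s+(%\\s+)?(\\S+)\\s+${EXTERNAL_ID}`, "g");

function isSameOrigin(ref, documentUrl) {
  try { return new URL(ref, documentUrl).origin === new URL(documentUrl).origin; }
  catch { return false; } // unparsable URL: treat as not loadable
}

// Lists the external DTD subset and every external entity declared in the
// internal subset, i.e. everything the parser would have had to fetch.
function findExternalReferences(xml, documentUrl) {
  const m = DOCTYPE_RE.exec(xml);
  if (!m) return [];
  const refs = [];
  if (m[1]) refs.push({ kind: "external DTD subset", name: null, url: m[1].slice(1, -1).trim() });
  const subset = (m[2] || "").replace(/<!--[\s\S]*?-->/g, ""); // skip commented-out declarations
  for (const e of subset.matchAll(ENTITY_RE)) {
    refs.push({ kind: e[1] ? "parameter entity" : "general entity",
                name: e[2], url: e[3].slice(1, -1).trim() });
  }
  return refs.map((r) => ({ ...r, sameOrigin: isSameOrigin(r.url, documentUrl) }));
}

// Simplified model of the gate described in the intent: same-origin request
// AND matching response MIME type (stripping MIME parameters is an assumption).
function passedLegacyGate(ref, responseMime) {
  const essence = String(responseMime || "").split(";")[0].trim().toLowerCase();
  return ref.sameOrigin && essence === ENTITY_MIME;
}

// Constructed sample document and URL.
const SAMPLE_URL = "https://example.test/feed.xml";
const SAMPLE = `<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" [
  <!-- <!ENTITY old SYSTEM "/entities/old.ent"> -->
  <!ENTITY copy "(c) Example">
  <!ENTITY footer SYSTEM "/entities/footer.ent">
]>
<html xmlns="http://www.w3.org/1999/xhtml"><body>&copy; &footer;</body></html>`;
```

Any entry returned for a document is a candidate for inlining the entity definitions, as the intent suggests; `copy` in the sample is already inline and is not reported.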
