Hello all, this has now landed and is slated to be released in M144 <https://chromium-review.googlesource.com/c/chromium/src/+/7173078>. During preparing the deprecation CL, it was found that in XSLT mode the parser allows loads not only of external entities, but also external DTDs (which go through the same network load function). In order not to interfere with the separate deprecation timeline of XSLT <https://groups.google.com/a/chromium.org/g/blink-dev/c/CxL4gYZeSJA/m/yNs4EsD5AQAJ>, we we only deprecate external entity loads for non XSLT situation (and do not block them at the network fetch level, but through a parser setting change).
Dominik On Thursday, November 13, 2025 at 2:29:15 PM UTC+2 Philip Jägenstedt wrote: > Is this feature controlled by something in runtime_enabled_features.json5? > If so, I think the enterprise policy is quite easy to add, and just doing > it could be easier than pondering the compat risk. > > However, we have to keep the policy for some number of milestones so it > would delay the deletion of the code. > > I don't have a strong view, happy with whatever you think is best, Dominik. > > Den tors 13 nov. 2025 01:48Dominik Röttsches <[email protected]> skrev: > >> > Such external load requests are passed up from the parser and allowed >> only if they are a same origin request and the response mimetype matches: >> application/xml-external-parsed-entity. >> >> One correction: >> The mimetype restriction does not apply: External entities are loaded >> even without mimetype checking when X-Content-Type-Options: nosniff is >> not set. >> >> Also, additional details were found regarding overlaps with XSLT >> processing: >> >> XMLDocumentParser OpenFunc is called in multiple situations. Detailed >> analysis >> here <https://issues.chromium.org/u/1/issues/455813733#comment4>. In >> XSLT processing context, external loads for DTD and external entities are >> currently allowed. >> With these findings, I only intend to deprecate and remove this for non >> XSLT situations. >> >> Even though the usage is very low overall, there is no need to risk XSLT >> breakage and cause interference between this deprecation and the XSLT >> deprecation. >> >> Dominik >> >> >> >> >> >> >> On Fri, Oct 31, 2025 at 5:03 PM Dominik Röttsches <[email protected]> >> wrote: >> >>> *Contact emails* >>> [email protected] >>> >>> *Explainer* >>> No information provided >>> >>> *Specification* >>> https://www.w3.org/TR/xml/#proc-types >>> >>> *Summary* >>> Chrome synchronously fetches external XML entities/DTDs and incorporates >>> them into parsing under specific circumstances. I propose to remove this >>> functionality. >>> >>> Test case xml-external-entity.xml >>> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/http/tests/security/contentTypeOptions/xml-external-entity.xml> >>> >>> gives an example: >>> >>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" >>> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"; >>> [ >>> <!ENTITY entity_application_xml_external_parsed_entity SYSTEM " >>> http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity >>> "> >>> ... >>> >>> External entities can be defined in the trailing part of the DOCTYPE >>> statement - and then refer to resources that are to be synchronously loaded >>> and included as context when parsing XML. >>> >>> Another syntax example would be a DOCTYPE that, using the SYSTEM keyword >>> followed by a URL pointing to a DTD which contains additional entity >>> definitions. >>> >>> Such external load requests are passed up from the parser and allowed >>> only if they are a same origin request and the response mimetype matches: >>> application/xml-external-parsed-entity. >>> >>> According to https://www.w3.org/TR/xml/#proc-types non-validating >>> processor are not required to read external entities. >>> >>> *Blink component* >>> DOM >>> >>> *Web Feature ID* >>> Falls under XML feature group, but did not see a specific parsing >>> feature. >>> >>> *Motivation* >>> The usage has continuously decreased and is at an extremely low level of >>> 0.000015, compare: >>> https://chromestatus.com/metrics/feature/timeline/popularity/529 We >>> intend to improve the security of XML parsing in Chrome. (See internal >>> go/chrome_x_mitigation). >>> >>> In this effort, we intend to replace libxml2 as the XML parser with an >>> XML parser written in Rust (crate "xml"). The Rust-based XML parser we >>> intend to migrate to, does not support external entities and we don't think >>> it's necessary or desirable to implement this feature. >>> >>> Synchronous loads during parsing are considered inefficient, and can be >>> avoided by inlining the needed entity definitions. >>> >>> As usage is so low, Firefox never supported this >>> <https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135>, I propose to >>> deprecate in 144, and remove in 145. >>> >>> *Initial public proposal* >>> No information provided >>> >>> *Debuggability* >>> Parsing success/failure is debuggable, same as before. >>> >>> *Requires code in //chrome?* >>> No >>> >>> *Tracking bug* >>> https://crbug.com/455813733 >>> >>> *Estimated milestones* >>> Starting deprecation in 144 >>> >>> Shipping on desktop 144 >>> Shipping on Android 144 >>> Shipping on WebView 144 >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/6734457763659776?gate=4825690713227264 >>> >>> This intent message was generated by Chrome Platform Status. >>> >> -- >> > You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> > To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBtw13D8r8yp7-iSN%3DsOQO%2B0aDshjUbivj0nLucadQDu4w%40mail.gmail.com >> >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBtw13D8r8yp7-iSN%3DsOQO%2B0aDshjUbivj0nLucadQDu4w%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dd69c855-bbe4-4f3f-b284-764c12f435dan%40chromium.org.
