This is now continuing to removal in M145, I landed a removal change before
the branch point for M145
<https://chromium-review.googlesource.com/c/chromium/src/+/7415378>.

On Fri, Nov 21, 2025 at 2:14 PM Mike Taylor <[email protected]> wrote:

> This makes a lot of sense, thanks.
> On 11/21/25 4:54 a.m., 'Dominik Röttsches' via blink-dev wrote:
>
> Hello all,
>
> this has now landed and is slated to be released in M144
> <https://chromium-review.googlesource.com/c/chromium/src/+/7173078>.
> During preparing the deprecation CL, it was found that in XSLT mode the
> parser allows loads not only of external entities, but also external DTDs
> (which go through the same network load function). In order not to
> interfere with the separate deprecation timeline of XSLT
> <https://groups.google.com/a/chromium.org/g/blink-dev/c/CxL4gYZeSJA/m/yNs4EsD5AQAJ>,
> we only deprecate external entity loads for non-XSLT situations (and do
> not block them at the network fetch level, but through a parser setting
> change).
>
> Dominik
>
>
>
> On Thursday, November 13, 2025 at 2:29:15 PM UTC+2 Philip Jägenstedt wrote:
>
>> Is this feature controlled by something in
>> runtime_enabled_features.json5? If so, I think the enterprise policy is
>> quite easy to add, and just doing it could be easier than pondering the
>> compat risk.
>>
>> However, we have to keep the policy for some number of milestones so it
>> would delay the deletion of the code.
>>
>> I don't have a strong view, happy with whatever you think is best,
>> Dominik.
>>
>> On Thu, Nov 13, 2025 at 01:48, Dominik Röttsches <[email protected]> wrote:
>>
>>> > Such external load requests are passed up from the parser and allowed
>>> only if they are a same origin request and the response mimetype matches:
>>> application/xml-external-parsed-entity.
>>>
>>> One correction:
>>> The mimetype restriction does not apply: External entities are loaded
>>> even without mimetype checking when X-Content-Type-Options: nosniff is
>>> not set.
>>>
>>> Also, additional details were found regarding overlaps with XSLT
>>> processing:
>>>
>>> XMLDocumentParser OpenFunc is called in multiple situations. Detailed analysis
>>> here <https://issues.chromium.org/u/1/issues/455813733#comment4>. In
>>> XSLT processing context, external loads for DTD and external entities are
>>> currently allowed.
>>> With these findings, I only intend to deprecate and remove this for
>>> non-XSLT situations.
>>>
>>> Even though the usage is very low overall, there is no need to risk XSLT
>>> breakage and cause interference between this deprecation and the XSLT
>>> deprecation.
>>>
>>> Dominik
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Oct 31, 2025 at 5:03 PM Dominik Röttsches <[email protected]>
>>> wrote:
>>>
>>>> *Contact emails*
>>>> [email protected]
>>>>
>>>> *Explainer*
>>>> No information provided
>>>>
>>>> *Specification*
>>>> https://www.w3.org/TR/xml/#proc-types
>>>>
>>>> *Summary*
>>>> Chrome synchronously fetches external XML entities/DTDs and
>>>> incorporates them into parsing under specific circumstances. I propose to
>>>> remove this functionality.
>>>>
>>>> Test case xml-external-entity.xml
>>>> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/http/tests/security/contentTypeOptions/xml-external-entity.xml>
>>>> gives an example:
>>>>
>>>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
>>>>         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
>>>> [
>>>> <!ENTITY entity_application_xml_external_parsed_entity SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
>>>> ...
>>>>
>>>> External entities can be defined in the trailing part of the DOCTYPE
>>>> statement - and then refer to resources that are to be synchronously loaded
>>>> and included as context when parsing XML.
>>>>
>>>> Another syntax example would be a DOCTYPE using the SYSTEM
>>>> keyword followed by a URL pointing to a DTD which contains additional
>>>> entity definitions.
>>>>
>>>> Such external load requests are passed up from the parser and allowed
>>>> only if they are a same origin request and the response mimetype matches:
>>>> application/xml-external-parsed-entity.
>>>>
>>>> According to https://www.w3.org/TR/xml/#proc-types non-validating
>>>> processors are not required to read external entities.
>>>>
>>>> *Blink component*
>>>> DOM
>>>>
>>>> *Web Feature ID*
>>>> Falls under XML feature group, but did not see a specific parsing
>>>> feature.
>>>>
>>>> *Motivation*
>>>> The usage has continuously decreased and is at an extremely low level
>>>> of 0.000015, compare:
>>>> https://chromestatus.com/metrics/feature/timeline/popularity/529
>>>>
>>>> We intend to improve the security of XML parsing in Chrome. (See internal
>>>> go/chrome_x_mitigation).
>>>>
>>>> In this effort, we intend to replace libxml2 as the XML parser with an
>>>> XML parser written in Rust (crate "xml"). The Rust-based XML parser we
>>>> intend to migrate to does not support external entities and we don't think
>>>> it's necessary or desirable to implement this feature.
>>>>
>>>> Synchronous loads during parsing are considered inefficient, and can be
>>>> avoided by inlining the needed entity definitions.
>>>>
>>>> As usage is so low and Firefox never supported this
>>>> <https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135>, I propose
>>>> to deprecate in 144, and remove in 145.
>>>>
>>>> *Initial public proposal*
>>>> No information provided
>>>>
>>>> *Debuggability*
>>>> Parsing success/failure is debuggable, same as before.
>>>>
>>>> *Requires code in //chrome?*
>>>> No
>>>>
>>>> *Tracking bug*
>>>> https://crbug.com/455813733
>>>>
>>>> *Estimated milestones*
>>>> Starting deprecation in 144
>>>>
>>>> Shipping on desktop 144
>>>> Shipping on Android 144
>>>> Shipping on WebView 144
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>> https://chromestatus.com/feature/6734457763659776?gate=4825690713227264
>>>>
>>>> This intent message was generated by Chrome Platform Status.
>>>>
>>> --
>>>
>> You received this message because you are subscribed to the Google Groups
>>> "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>>
>> To view this discussion visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBtw13D8r8yp7-iSN%3DsOQO%2B0aDshjUbivj0nLucadQDu4w%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBtw13D8r8yp7-iSN%3DsOQO%2B0aDshjUbivj0nLucadQDu4w%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>
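
An added example, not part of the thread and not Chromium code: a site owner checking whether their XML depends on the loads being removed can list every external DTD subset and external parsed entity a document declares, along with whether the target meets the same-origin condition the intent describes. It uses Python's expat bindings, which report the declarations without fetching anything; the sample document, the `example.test` URLs and the function names are constructed for illustration.

```python
import xml.parsers.expat
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def find_external_loads(xml_text, document_url):
    """Return [(kind, name, absolute_url, same_origin)] for each external
    DTD subset or external parsed entity declared. Nothing is fetched."""
    findings = []

    def record(kind, name, system_id):
        target = urljoin(document_url, system_id)
        same = origin(target) == origin(document_url)
        findings.append((kind, name, target, same))

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:
            record("external-dtd", name, system_id)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; unparsed (NDATA) entities carry a
        # notation and are never parsed as XML, so both are skipped.
        if value is None and system_id is not None and notation is None:
            record("external-entity", name, system_id)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return findings

# Constructed sample document and URL (assumptions, not from the thread).
DOCUMENT_URL = "https://app.example.test/docs/note.xml"
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "note.dtd" [
  <!ENTITY inline "inlined text">
  <!ENTITY local SYSTEM "/entities/footer.xml">
  <!ENTITY remote SYSTEM "https://cdn.example.test/shared.xml">
  <!NOTATION png SYSTEM "image/png">
  <!ENTITY logo SYSTEM "logo.png" NDATA png>
]>
<note>&inline;&local;</note>
"""

if __name__ == "__main__":
    for finding in find_external_loads(SAMPLE, DOCUMENT_URL):
        print(finding)
```

Entries reported as `external-entity` are the ones to inline into the internal subset, as the intent suggests, before the removal milestone.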
