Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-04-26 Thread Mike West
LGTM3. -mike On Fri, Apr 21, 2023 at 7:42 PM 'Jun Kokatsu' via blink-dev < blink-dev@chromium.org> wrote: > Hi Brandon! > > I'll make sure to do that! I'll ping you next week when I start to work > on it! > > Thanks, > > Jun > > > On Fri, Apr 21, 2023 at 7:55 AM Brandon Heenan wrote: > >> One

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-04-21 Thread 'Jun Kokatsu' via blink-dev
Hi Brandon! I'll make sure to do that! I'll ping you next week when I start to work on it! Thanks, Jun On Fri, Apr 21, 2023 at 7:55 AM Brandon Heenan wrote: > One addition please: work with me and the enterprise team to also add a > paragraph to the enterprise release notes before the

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-04-21 Thread 'Brandon Heenan' via blink-dev
One addition please: work with me and the enterprise team to also add a paragraph to the enterprise release notes before the deprecation warning is switched to on-by-default On Fri, Apr 21, 2023 at 3:13 AM Yoav Weiss wrote: > LGTM2 for the above plan. Good luck!! > > On Thu, Apr 20, 2023 at

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-04-21 Thread Yoav Weiss
LGTM2 for the above plan. Good luck!! On Thu, Apr 20, 2023 at 11:37 PM Rick Byers wrote: > Jun and I have been talking about this offline and I think we've got a > reasonable plan to attempt to proceed with this breaking change: > >- Add Enterprise policy knob >

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-04-20 Thread Rick Byers
Jun and I have been talking about this offline and I think we've got a reasonable plan to attempt to proceed with this breaking change: - Add Enterprise policy knob - Disable in WebView by default (or add targetSdk quirk) - in

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-24 Thread Rick Byers
On Mon, Jan 23, 2023 at 3:00 PM Jun Kokatsu wrote: > Hi All, > > I wanted to provide some updates on outreach I've done last week. > > I manually went through a list of sample sites in the use counter, and > contacted ~10

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-23 Thread 'Jun Kokatsu' via blink-dev
Hi All, I wanted to provide some updates on outreach I've done last week. I manually went through a list of sample sites in the use counter, and contacted ~10 sites which will be impacted. Among those sites, 3 sites responded so

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-19 Thread 'Jun Kokatsu' via blink-dev
On Thu, Jan 19, 2023 at 2:14 PM Rick Byers wrote: > On Thu, Jan 19, 2023 at 1:17 PM Jun Kokatsu wrote: > >> On Thu, Jan 19, 2023 at 9:29 AM Rick Byers wrote: >> >>> Thanks Daniel. I also looked at this page >>>

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-19 Thread Rick Byers
On Thu, Jan 19, 2023 at 1:17 PM Jun Kokatsu wrote: > On Thu, Jan 19, 2023 at 9:29 AM Rick Byers wrote: > >> Thanks Daniel. I also looked at this page >> >> which >> inlines the same 422 kB long

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-19 Thread 'Jun Kokatsu' via blink-dev
On Thu, Jan 19, 2023 at 9:29 AM Rick Byers wrote: > Thanks Daniel. I also looked at this page > > which > inlines the same 422 kB long sprite sheet 5 separate times, only to select > a tiny 422 BYTE

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-19 Thread Rick Byers
Thanks Daniel. I also looked at this page which inlines the same 422 kB long sprite sheet 5 separate times, only to select a tiny 422 BYTE SVG out of it each time! In that case, simply inlining the

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-19 Thread Daniel Bratell
Without saying whether it is appropriate to block data urls, I would like to say that doing what the site is doing with icons in data urls is far from the best way to do it. Since there are better ways to accomplish the same output, it's not in itself a use pattern that must be preserved. It

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-18 Thread Alex Russell
Per today's API OWNERs meeting, a dumb question: is the XSS risk here largely down to script execution triggered by this pattern? Or non-script content in the inline'd SVG? Thanks On Tuesday, January 17, 2023 at 10:52:29 PM UTC-8 Jun Kokatsu wrote: > On Tue, Jan 17, 2023 at 11:36 AM Brandon

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-17 Thread 'Jun Kokatsu' via blink-dev
On Tue, Jan 17, 2023 at 11:36 AM Brandon Heenan wrote: > Thanks for adding me. Yes, this definitely seems like the pattern where > we'd want a temporary enterprise policy to re-enable support for ~3 > milestones after we remove support by default. > go/chrome-enterprise-friendly >

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-17 Thread 'Brandon Heenan' via blink-dev
Thanks for adding me. Yes, this definitely seems like the pattern where we'd want a temporary enterprise policy to re-enable support for ~3 milestones after we remove support by default. go/chrome-enterprise-friendly gets into the details of the why,

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-17 Thread Rick Byers
On Tue, Jan 17, 2023 at 4:48 AM Yoav Weiss wrote: > Would it be possible to turn > > the usecounter into a UKM to get a better

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-17 Thread Yoav Weiss
Would it be possible to turn the usecounter into a UKM to get a better view of the number of impacted origins, beyond just the

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-13 Thread 'Jun Kokatsu' via blink-dev
Thank you Rick for the detailed explanation! On Fri, Jan 13, 2023 at 10:30 AM Rick Byers wrote: > Eliminating this makes sense to me given the security benefit. Thank you > for pushing it! But it does seem somewhat risky from a web compat > perspective. 0.005% is above our "small but

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-13 Thread Rick Byers
Eliminating this makes sense to me given the security benefit. Thank you for pushing it! But it does seem somewhat risky from a web compat perspective. 0.005% is above our "small but non-trivial risk

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-12 Thread 'Jun Kokatsu' via blink-dev
On Thu, Jan 12, 2023 at 10:44 AM Mike Taylor wrote: > On 1/11/23 6:49 PM, 'Jun Kokatsu' via blink-dev wrote: > > Contact emails > > jkoka...@google.com > > Specification > > https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute > > https://github.com/w3c/svgwg/pull/901/files > >

Re: [blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-12 Thread Mike Taylor
On 1/11/23 6:49 PM, 'Jun Kokatsu' via blink-dev wrote: Contact emails jkoka...@google.com Specification https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute

[blink-dev] Intent to Deprecate and Remove: data: URL in SVGUseElement

2023-01-11 Thread 'Jun Kokatsu' via blink-dev
Contact emails jkoka...@google.com Specification https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute https://github.com/w3c/svgwg/pull/901/files Summary Assigning a data: URL in SVGUseElement can cause XSS. And this also led to a Trusted Types bypass. Therefore, we plan to