- From: Jun via GitHub <sysbot+gh@w3.org>
- Date: Fri, 09 Dec 2022 20:19:51 +0000
- To: public-svg-issues@w3.org
shhnjk has just submitted a new pull request for https://github.com/w3c/svgwg:

== Remove support for data: URL in SVGUseElement ==

### Motivation

Assigning an attacker-controlled string to `SVGUseElement.href` causes XSS due to data: URLs. This also led to a [bypass of Trusted Types](https://github.com/w3c/trusted-types/issues/357) in Blink.

Additionally, data: URLs can only trigger script execution in script loaders such as HTMLScriptElement.src or [dynamic import](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import). However, SVGUseElement is an exception to this, which also caused a [bypass](https://bugs.chromium.org/p/chromium/issues/detail?id=1306450#c10) in the Sanitizer API. We believe that this also led to several other bugs in sanitizers and linters missing a check for this special case.

Since data: URL is the only way to execute script with SVGUseElement.href in Blink, and WebKit does not support data: URLs in SVGUseElement, we think that it is worth removing support for it. We have also [requested Mozilla's position](https://github.com/mozilla/standards-positions/issues/718) on this.

Currently, the [usage](https://chromestatus.com/metrics/feature/timeline/popularity/4356) of data: URLs in SVGUseElement is about 0.0056% of page loads in Chrome.

See https://github.com/w3c/svgwg/pull/901

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
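The "special case" the PR describes is exactly the check a sanitizer needs: a `<use>` element whose `href` or `xlink:href` resolves to a data: URL. The following is an added illustration, not code from the PR or the svgwg repository; it shows a defensive check that strips such references, using the URL parser's scheme rules (leading/trailing C0 controls and spaces are trimmed, embedded tabs and newlines are dropped, and the scheme is case-insensitive) so obfuscated forms are caught too. The `fakeElement`/`sampleSvgRoot` helpers are a constructed stand-in for a parsed SVG subtree so the code runs outside a browser; on a real page, pass any `Element` or `Document`.

```javascript
// Attribute names under which a <use> element can carry its reference.
const USE_HREF_ATTRS = ["href", "xlink:href"];

// True when `value` would be parsed as a data: URL. Mirrors the URL
// standard's preprocessing: strip leading/trailing C0 controls and spaces,
// remove all ASCII tab/newline characters, then compare the scheme
// case-insensitively. Catches "  DATA:...", "\tdata:..." and "da\nta:...".
function isDataUrl(value) {
  if (typeof value !== "string") return false;
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  return /^data:/i.test(cleaned);
}

// Removes every data: reference from <use> elements under `root`.
// `root` must expose querySelectorAll/getAttribute/removeAttribute
// (a real DOM node, or the constructed stand-in below).
// Returns the number of attributes removed so callers can log or assert.
function stripDataUseHrefs(root) {
  let removed = 0;
  for (const el of root.querySelectorAll("use")) {
    for (const name of USE_HREF_ATTRS) {
      if (isDataUrl(el.getAttribute(name))) {
        el.removeAttribute(name);
        removed++;
      }
    }
  }
  return removed;
}

// Constructed stand-in for an element: just enough of the DOM attribute API.
function fakeElement(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    getAttribute: (n) => (map.has(n) ? map.get(n) : null),
    removeAttribute: (n) => { map.delete(n); },
  };
}

// Constructed sample subtree: two data: references (one obfuscated with
// leading whitespace and upper-case scheme) and one benign fragment ref.
function sampleSvgRoot() {
  const uses = [
    fakeElement({ href: "data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'/%3E" }),
    fakeElement({ "xlink:href": "\t DATA:image/svg+xml,%3Csvg/%3E" }),
    fakeElement({ href: "#icon" }),
  ];
  return { querySelectorAll: (sel) => (sel === "use" ? uses : []) };
}
```

Running `stripDataUseHrefs(sampleSvgRoot())` removes the two data: references and leaves `#icon` untouched.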
Received on Friday, 9 December 2022 20:19:53 UTC