- From: caribouW3 via GitHub <sysbot+gh@w3.org>
- Date: Tue, 10 Jan 2023 08:04:27 +0000
- To: public-svg-issues@w3.org
caribouW3 has just merged shhnjk's pull request 901 for https://github.com/w3c/svgwg:

== Remove support for data: URL in SVGUseElement ==

### Motivation

Assigning an attacker-controlled string to `SVGUseElement.href` causes XSS due to data: URLs. This also led to a [bypass of Trusted Types](https://github.com/w3c/trusted-types/issues/357) in Blink.

Additionally, data: URLs can only trigger script execution in script loaders such as HTMLScriptElement.src or [dynamic import](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import). However, SVGUseElement is an exception to this, which also caused a [bypass](https://bugs.chromium.org/p/chromium/issues/detail?id=1306450#c10) in the Sanitizer API. We believe that this also led to several other bugs in sanitizers and linters missing a check for this special case.

Since WebKit does not support data: URLs in SVGUseElement, Blink is planning to remove support for it. And therefore, we'd like to update the spec. We have also [requested Mozilla's position](https://github.com/mozilla/standards-positions/issues/718) on this.

Currently, the [usage](https://chromestatus.com/metrics/feature/timeline/popularity/4356) of data: URLs in SVGUseElement is about 0.0056% of page load in Chrome.

See https://github.com/w3c/svgwg/pull/901

-- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 10 January 2023 08:04:28 UTC
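
One way a sanitizer or linter could cover the special case this message describes, treating the reference on a `<use>` element as a script-capable sink and rejecting data: URLs there. This is an added example, not code from the original e-mail, the pull request, or any project it mentions. It assumes elements have already been parsed into tag/attribute records; the function names, the base URL and the sample values are hypothetical.

```javascript
// Added example: flag <use href> / <use xlink:href> values that resolve to a
// data: URL. All names here (isBlockedUseHref, auditElements, BASE, SAMPLE)
// are hypothetical and not taken from any real sanitizer.

const BASE = 'https://example.test/page'; // constructed base for relative refs
const HREF_ATTRS = new Set(['href', 'xlink:href']);

// Resolve with the WHATWG URL parser instead of a string prefix test, so that
// leading whitespace, embedded tabs/newlines and a mixed-case scheme are
// normalised the way a browser would before the scheme is compared.
function isBlockedUseHref(value) {
  let url;
  try {
    url = new URL(value, BASE);
  } catch {
    return true; // unparseable reference: fail closed
  }
  return url.protocol === 'data:';
}

// elements: [{ tag, attrs: { name: value } }] from whatever parser is in use.
// Returns one finding per <use> reference that should be stripped.
function auditElements(elements) {
  const findings = [];
  for (const el of elements) {
    if (el.tag.toLowerCase() !== 'use') continue; // only the special case
    for (const [name, value] of Object.entries(el.attrs)) {
      if (HREF_ATTRS.has(name.toLowerCase()) && isBlockedUseHref(value)) {
        findings.push({ tag: el.tag, attr: name });
      }
    }
  }
  return findings;
}

// Constructed sample input; PLACEHOLDER stands in for any document body.
const SAMPLE = [
  { tag: 'use', attrs: { href: '#icon' } },                 // same-document
  { tag: 'use', attrs: { href: '/sprites.svg#icon' } },     // same-origin file
  { tag: 'use', attrs: { href: 'data:image/svg+xml,PLACEHOLDER#x' } },
  { tag: 'USE', attrs: { 'xlink:href': ' DaTa:image/svg+xml,PLACEHOLDER#x' } },
  { tag: 'use', attrs: { href: 'da\tta:image/svg+xml,PLACEHOLDER#x' } },
  { tag: 'image', attrs: { href: 'data:image/png;base64,PLACEHOLDER' } }, // not <use>
];

console.log(auditElements(SAMPLE));
```

A plain `startsWith('data:')` test would miss the fourth and fifth sample entries, which the URL parser normalises to the same scheme.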