- From: Jeffrey Yasskin <notifications@github.com>
- Date: Tue, 13 May 2025 10:41:00 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1081/2877434893@github.com>
jyasskin left a comment (w3ctag/design-reviews#1081)

Thanks for sending this in for review. The TAG looked at it and we agree that this change will be a useful convenience for developers.

We do have concerns with `<use>` in general.

Firstly, as @annevk pointed out in the [WebKit request for position](https://github.com/WebKit/standards-positions/issues/480#issuecomment-2804113116), `<use>`'s integration with [fetch](https://fetch.spec.whatwg.org/) is underspecified. See [this tracking issue](https://github.com/w3c/svgwg/issues/905).

Secondly, `<use>` has some history of security concerns, particularly XSS threats as discussed in https://github.com/w3c/trusted-types/issues/357, https://github.com/w3c/svgwg/pull/901, and https://github.com/w3c/svgwg/issues/707. There is also the possibility of a kind of denial-of-service attack in which nested `<use>` references can be expanded into a very large number of items, causing a hang (see [example](https://responsible-prickly-jumpsuit.glitch.me/)). This differs from more trivial ways of hanging a tab (`while(1) { }` in JS) in that it could be used in environments where script has been disabled or removed by sanitization. In some browsers, this scenario also seems less prone to triggering hang detection than JS-based hangs.

Since the change proposed here is fairly straightforward and has developer benefit without making these problems worse, we're supportive of it. But before investing in further enhancements to `<use>`, we encourage you to see if you can make progress on the fetch integration, and to take care that you are not adding capabilities that would exacerbate security problems with the feature.

(Credit to @dandclark for writing this comment.)

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1081#issuecomment-2877434893
Received on Tuesday, 13 May 2025 17:41:06 UTC
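The nested `<use>` expansion the comment describes is something a server-side SVG sanitizer can bound before the document ever reaches a renderer. The following is an added example, not code from the TAG, the SVG WG, or any browser: it walks an SVG with the standard library, counts how many elements every `<use>` pulls in, rejects reference cycles, and fails closed when the count exceeds a budget. The tiny doubling chain and the cycle document are constructed inputs; the budget value is an assumed policy knob.

```python
# Added example: bound the rendered-element count of an SVG's <use> expansion.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
USE_TAG = f"{{{SVG_NS}}}use"


def _href(el):
    # SVG 2 uses plain href; older content uses xlink:href. Accept both.
    return el.get("href") or el.get(f"{{{XLINK_NS}}}href")


def expansion_count(svg_text, budget=10_000):
    """Number of elements rendered once every <use> is expanded.
    Raises ValueError on a reference cycle or when the count exceeds budget."""
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    memo = {}  # id -> expanded size of that subtree (bounded by budget)

    def count(el, stack):
        total = 1  # the element itself
        if el.tag == USE_TAG:
            ref = _href(el) or ""
            target = by_id.get(ref[1:]) if ref.startswith("#") else None
            if target is not None:  # external/unresolved refs add nothing here
                tid = target.get("id")
                if tid in stack:
                    raise ValueError(f"<use> cycle through #{tid}")
                if tid not in memo:
                    memo[tid] = count(target, stack | {tid})
                total += memo[tid]
        for child in el:
            total += count(child, stack)
        if total > budget:  # fail closed as soon as the budget is exceeded
            raise ValueError(f"expansion exceeds budget of {budget}")
        return total

    return count(root, frozenset())


def is_within_budget(svg_text, budget=10_000):
    """True if the document expands to at most `budget` elements and has no cycle."""
    try:
        expansion_count(svg_text, budget)
        return True
    except ValueError:
        return False


# Constructed sample: each <g> references the previous one twice (doubling chain).
DOUBLING = """<svg xmlns="http://www.w3.org/2000/svg"><defs>
<rect id="r0" width="1" height="1"/>
<g id="g1"><use href="#r0"/><use href="#r0"/></g>
<g id="g2"><use href="#g1"/><use href="#g1"/></g>
<g id="g3"><use href="#g2"/><use href="#g2"/></g>
</defs><use href="#g3"/></svg>"""

# Constructed sample: two groups referencing each other.
CYCLE = """<svg xmlns="http://www.w3.org/2000/svg">
<g id="a"><use href="#b"/></g><g id="b"><use href="#a"/></g></svg>"""
```

Each memoised subtree size is itself capped by the budget, so the walk stays linear in the document size even for deep chains.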