Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove support for data: URL in SVGUseElement #108

Closed
shhnjk opened this issue Dec 14, 2022 · 5 comments
Closed

Remove support for data: URL in SVGUseElement #108

shhnjk opened this issue Dec 14, 2022 · 5 comments
Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: security topic: svg venue: W3C SVG WG Proposal is being reviews in the W3C's SVG Working Group

Comments

@shhnjk
Copy link

shhnjk commented Dec 14, 2022

Request for position on an emerging web specification

Information about the spec

Design reviews and vendor positions

Motivation

Assigning an attacker controlled string to SVGUseElement.href causes XSS due to data: URLs. This also led to a bypass of Trusted Types in Blink.

Since Webkit does not support data: URLs in SVGUseElement and Mozilla's interest in unshipping, we think that it worth unshipping.

Therefore, we'd love to get official signal from Webkit.

Currently, the usage of data: URLs in SVGUseElement is about 0.0056% of page load in Chrome.

@annevk
Copy link
Contributor

annevk commented Dec 15, 2022

What makes <svg:use> special that it wouldn't be CORS-eligible, leading to nearly the same exploit? And if it's not CORS-eligible, why keep

A future version of this or another specification may provide a method of securely enabling cross-origin re-use
of assets.

in?

@annevk annevk added topic: security topic: svg from: Google Proposed, edited, or co-edited by Google. labels Dec 15, 2022
@shhnjk
Copy link
Author

shhnjk commented Dec 16, 2022

What makes <svg:use> special that it wouldn't be CORS-eligible, leading to nearly the same exploit?

IMO, the ability to import external script or html into current document has been only granted to places where script can be executed (i.e. script.src, import(), etc). AFAIK, SVGUseElement is the only place where we still allow this (through data: URLs), but there have been others which have been removed (e.g. HTML import).
I've also explained this in bit more details at w3c/trusted-types#357 (comment).

We believe that this also led to several other bugs in sanitizers and linters missing a check for this special case. (e.g. Sanitizer API)

And if it's not CORS-eligible, why keep

A future version of this or another specification may provide a method of securely enabling cross-origin re-use
of assets.

in?

I agree that we shouldn't allow cross-origin resources in SVGUseElement. I will follow up on this at w3c/svgwg#707.

@annevk
Copy link
Contributor

annevk commented Dec 16, 2022

Interesting, I thought foreignObject was similarly afflicted, but according to SVG 2 and some testing it's not. I think I agree then that it's better to keep this same-origin.

I suggest we mark this as "position: support" on January 6 given the holidays.

@shhnjk
Copy link
Author

shhnjk commented Dec 16, 2022

Sounds good! Thank you!

@hober
Copy link
Member

hober commented Mar 23, 2023

Closing as we've identified our position.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
from: Google Proposed, edited, or co-edited by Google. position: support topic: security topic: svg venue: W3C SVG WG Proposal is being reviews in the W3C's SVG Working Group
Development

No branches or pull requests

4 participants