-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove support for data: URL in SVGUseElement #108
Comments
What makes
in? |
IMO, the ability to import external We believe that this also led to several other bugs in sanitizers and linters missing a check for this special case. (e.g. Sanitizer API)
I agree that we shouldn't allow cross-origin resources in SVGUseElement. I will follow up on this at w3c/svgwg#707. |
Interesting, I thought I suggest we mark this as "position: support" on January 6 given the holidays. |
Sounds good! Thank you! |
Closing as we've identified our position. |
Request for position on an emerging web specification
Information about the spec
Design reviews and vendor positions
Motivation
Assigning an attacker controlled string to
SVGUseElement.href
causes XSS due to data: URLs. This also led to a bypass of Trusted Types in Blink.Since Webkit does not support data: URLs in SVGUseElement and Mozilla's interest in unshipping, we think that it worth unshipping.
Therefore, we'd love to get official signal from Webkit.
Currently, the usage of data: URLs in SVGUseElement is about 0.0056% of page load in Chrome.
The text was updated successfully, but these errors were encountered: