Closed Bug 1806964 Opened 1 year ago Closed 5 months ago

Restrict SVG `<use>` to prevent usage of `data:` URLs

Categories

(Core :: SVG, task)

Product:
Core
Component:
SVG
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
122 Branch
Tracking Flags:
Tracking Status
firefox122 --- fixed

People

(Reporter: freddy, Assigned: tschuster)

References

(Blocks 1 open bug)

Details

(Keywords: compat, dev-doc-complete, sec-want, Whiteboard: [adv-main122-])

Attachments

(1 file)

Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs. r?longsonr!
48 bytes, text/x-phabricator-request
Details | Review

The original discussion was about removing data: support, based on these bits:

  • There is some XSS risk with poor filters
  • Webkit does not support data: URLs in <use> and Blink intends to remove support
  • Chrome usage data suggests this is used in about 0.0056% of page load in Chrome.

The spec also says that this is only intended to work for same-origin URLs and opens a door to potential future use of cross-origin resources.
However, the discussion above seems to close that discussion for good and fully restrict to same-origin only.

I therefore suggest, we align with other browsers and make it fully "same-origin only". This should also ensure we do not follow cross-origin redirects and such. We're working with the authors to build fully solid tests in wpt, which will help us achieve this in an interoperable fashion.

References:

I noticed that Bug 1754522 has a patch which looks highly relevant to resolving this one here.

See Also: → CVE-2022-28284

Google is doing to ship this November 2023. https://developer.chrome.com/blog/migrate-way-from-data-urls-in-svg-use/

Thanks, good to know.

I guess that leaves us on-our-own, since https://github.com/mozilla/standards-positions/issues/718#issuecomment-1403709611 notes that Safari already rejects (never allowed?) data URIs in <use>, apparently.

I did a quick grep for these in our codebase to look at impact on our tests, frontend code, etc. I only found a few, pretty trivial to fix up/remove:

Keywords: sec-want

The Sanitizer API might end up depending on this being implemented.

Blocks: sanitizer-api

Should probably be behind a pref so that enterprise sites can enable it if they wish to do so.

Agreed.

We may also want to enable that pref for the benefit of the reftest that I referenced in comment 3 (which will keep that test passing, and which will help validate that we don't inadvertently break that configuration without noticing).

And we should also toggle the pref for the crashtests that I linked at the end of comment 3, too.

What we also need is a testcase along these lines...

  1. a <use> element that points to a red <rect> (or some other valid content)

  2. we call setAttribute to set that use element's href to a data URI

two thing need to happen

  1. we don't render the data URI

  2. we don't keep rendering the rect either.

I hope calling Unlink() would be enough to fix that but we should check that it does.

Thank you both. I think I incorporated your suggestions in my updated patch.

Keywords: dev-doc-needed
Assignee: nobody → tschuster
Attachment #9363232 - Attachment description: WIP: Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs → WIP: Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs. r?longsonr!,dholbert!
Attachment #9363232 - Attachment description: WIP: Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs. r?longsonr!,dholbert! → Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs. r?longsonr!,dholbert!
Attachment #9363232 - Attachment description: Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs. r?longsonr!,dholbert! → Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs. r?longsonr!
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3f0a7131d0fd
Restrict SVG <use> to prevent usage of data: URLs. r=longsonr
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43341 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/3f0a7131d0fd

Status: NEW → RESOLVED
Closed: 6 months ago
status-firefox122: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
Upstream PR merged by moz-wptsync-bot
Regressions: 1866911

Backed out for causing bug 1866911 (and duplicates)

Flags: needinfo?(tschuster)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43409 for changes under testing/web-platform/tests
Status: RESOLVED → REOPENED
status-firefox122: fixed → ---
Resolution: FIXED → ---
Target Milestone: 122 Branch → ---
See Also: → 1867225
Flags: needinfo?(tschuster)
Depends on: 1867225
Upstream PR merged by moz-wptsync-bot

Fortunately I think you can reland this pretty much as originally written. The actual fix to the regression was elsewhere in SVGUseElement

Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/efcdf995dbc7
Restrict SVG <use> to prevent usage of data: URLs. r=longsonr
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/43473 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/efcdf995dbc7

Status: REOPENED → RESOLVED
Closed: 6 months ago5 months ago
status-firefox122: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
Upstream PR merged by moz-wptsync-bot

Documentation updates for this can be tracked in the following GitHub issue: https://github.com/mdn/content/issues/31111

Regressions: 1872408
No longer regressions: 1872408
See Also: 1867225
Whiteboard: [adv-main122-]
Type: enhancement → task
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: