I am a little unclear about whether "it might not actually affect production code" (that Daniel wrote) is the case. When those URLs are ignored, it sounds like there could be a parsing error and things might stop working, right?
☆*PhistucK* On Wed, Nov 5, 2025 at 4:47 PM Daniel Bratell <[email protected]> wrote: > I just realized that there was no Finch flag section in the template. > There should be one right? > > (Also note what Chris said, the feature needs to be moved to the right > stage in chromestatus and various reviews kicked off) > > /Daniel > On 2025-11-05 17:40, Daniel Bratell wrote: > > That is a very low use counter indeed, and from its linear behaviour, it > looks like it might go away by itself within a year. > > Considering the low counter, that it has not been supported by Mozilla, > and that it might not actually affect production code, I think it's ok to > try to remove it before the XML parser replacement forces it. The normal > caveats with "keep an eye out for feedback" apply. > > LGTM1 to deprecate and remove one milestone later. > > /Daniel > On 2025-10-31 16:03, Dominik Röttsches wrote: > > *Contact emails* > [email protected] > > *Explainer* > No information provided > > *Specification* > https://www.w3.org/TR/xml/#proc-types > > *Summary* > Chrome synchronously fetches external XML entities/DTDs and incorporates > them into parsing under specific circumstances. I propose to remove this > functionality. > > Test case xml-external-entity.xml > <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/http/tests/security/contentTypeOptions/xml-external-entity.xml> > gives an example: > > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"; > [ > <!ENTITY entity_application_xml_external_parsed_entity SYSTEM " > http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity > "> > ... > > External entities can be defined in the trailing part of the DOCTYPE > statement - and then refer to resources that are to be synchronously loaded > and included as context when parsing XML. > > Another syntax example would be a DOCTYPE that, using the SYSTEM keyword > followed by a URL pointing to a DTD which contains additional entity > definitions. > > Such external load requests are passed up from the parser and allowed only > if they are a same origin request and the response mimetype matches: > application/xml-external-parsed-entity. > > According to https://www.w3.org/TR/xml/#proc-types non-validating > processor are not required to read external entities. > > *Blink component* > DOM > > *Web Feature ID* > Falls under XML feature group, but did not see a specific parsing feature. > > *Motivation* > The usage has continuously decreased and is at an extremely low level of > 0.000015, compare: > https://chromestatus.com/metrics/feature/timeline/popularity/529 We > intend to improve the security of XML parsing in Chrome. (See internal > go/chrome_x_mitigation). > > In this effort, we intend to replace libxml2 as the XML parser with an XML > parser written in Rust (crate "xml"). The Rust-based XML parser we intend > to migrate to, does not support external entities and we don't think it's > necessary or desirable to implement this feature. > > Synchronous loads during parsing are considered inefficient, and can be > avoided by inlining the needed entity definitions. > > As usage is so low, Firefox never supported this > <https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135>, I propose to > deprecate in 144, and remove in 145. > > *Initial public proposal* > No information provided > > *Debuggability* > Parsing success/failure is debuggable, same as before. > > *Requires code in //chrome?* > No > > *Tracking bug* > https://crbug.com/455813733 > > *Estimated milestones* > Starting deprecation in 144 > > Shipping on desktop 144 > Shipping on Android 144 > Shipping on WebView 144 > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/6734457763659776?gate=4825690713227264 > > This intent message was generated by Chrome Platform Status. > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBt5G1ZbUby1i3PBt0qUK0%3DkPj8%2BhHeVbQcZ3xgnnvKKBQ%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBt5G1ZbUby1i3PBt0qUK0%3DkPj8%2BhHeVbQcZ3xgnnvKKBQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/86df97b8-566d-4d26-b2a8-a398a6faceaf%40gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/86df97b8-566d-4d26-b2a8-a398a6faceaf%40gmail.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f5d61294-6d97-421d-ad70-e53772cba11c%40gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f5d61294-6d97-421d-ad70-e53772cba11c%40gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABc02_J-UZ92VA2KtnRE3p4C209vGJnHrW9NhnVFb5i823u7Rw%40mail.gmail.com.
