> Such external load requests are passed up from the parser and allowed
> only if they are a same origin request and the response mimetype matches:
> application/xml-external-parsed-entity.

One correction:
The mimetype restriction does not apply: External entities are loaded even
without mimetype checking when X-Content-Type-Options: nosniff is not set.

Also, additional details were found regarding overlaps with XSLT processing:

XMLDocumentParser OpenFunc is called in multiple situations. Detailed analysis
here <https://issues.chromium.org/u/1/issues/455813733#comment4>. In XSLT
processing context, external loads for DTD and external entities are
currently allowed.
With these findings, I only intend to deprecate and remove this for
non-XSLT situations.

Even though the usage is very low overall, there is no need to risk XSLT
breakage and cause interference between this deprecation and the XSLT
deprecation.

Dominik






On Fri, Oct 31, 2025 at 5:03 PM Dominik Röttsches <[email protected]>
wrote:

> *Contact emails*
> [email protected]
>
> *Explainer*
> No information provided
>
> *Specification*
> https://www.w3.org/TR/xml/#proc-types
>
> *Summary*
> Chrome synchronously fetches external XML entities/DTDs and incorporates
> them into parsing under specific circumstances. I propose to remove this
> functionality.
>
> Test case xml-external-entity.xml
> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/http/tests/security/contentTypeOptions/xml-external-entity.xml>
> gives an example:
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
>         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
> [
> <!ENTITY entity_application_xml_external_parsed_entity SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
> ...
>
> External entities can be defined in the trailing part of the DOCTYPE
> statement - and then refer to resources that are to be synchronously loaded
> and included as context when parsing XML.
>
> Another syntax example would be a DOCTYPE using the SYSTEM keyword
> followed by a URL pointing to a DTD which contains additional entity
> definitions.
>
> Such external load requests are passed up from the parser and allowed only
> if they are a same origin request and the response mimetype matches:
> application/xml-external-parsed-entity.
>
> According to https://www.w3.org/TR/xml/#proc-types non-validating
> processors are not required to read external entities.
>
> *Blink component*
> DOM
>
> *Web Feature ID*
> Falls under XML feature group, but did not see a specific parsing feature.
>
> *Motivation*
> The usage has continuously decreased and is at an extremely low level of
> 0.000015, compare:
> https://chromestatus.com/metrics/feature/timeline/popularity/529
>
> We intend to improve the security of XML parsing in Chrome. (See internal
> go/chrome_x_mitigation).
>
> In this effort, we intend to replace libxml2 as the XML parser with an XML
> parser written in Rust (crate "xml"). The Rust-based XML parser we intend
> to migrate to does not support external entities and we don't think it's
> necessary or desirable to implement this feature.
>
> Synchronous loads during parsing are considered inefficient, and can be
> avoided by inlining the needed entity definitions.
>
> As usage is so low and Firefox never supported this
> <https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135>, I propose to
> deprecate in 144 and remove in 145.
>
> *Initial public proposal*
> No information provided
>
> *Debuggability*
> Parsing success/failure is debuggable, same as before.
>
> *Requires code in //chrome?*
> No
>
> *Tracking bug*
> https://crbug.com/455813733
>
> *Estimated milestones*
> Starting deprecation in 144
>
> Shipping on desktop 144
> Shipping on Android 144
> Shipping on WebView 144
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/6734457763659776?gate=4825690713227264
>
> This intent message was generated by Chrome Platform Status.
>
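
An added example, not part of the original thread or of Chromium's code: a Python check that lists the external DTD and external entity declarations in an XML document without fetching anything, so the definitions this removal affects can be found and inlined. The regexes, `find_external_loads`, and the sample document and URLs are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# External ID per XML 1.0: SYSTEM "uri" or PUBLIC "pubid" "uri" (either quote style).
_EXT_ID = r'(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+(?:"([^"]*)"|\'([^\']*)\')'
# Simplification: assumes no "]" followed by ">" inside a quoted literal in the subset.
_DOCTYPE = re.compile(
    r'<!DOCTYPE\s+[^\s\[>]+\s*(?:' + _EXT_ID + r')?\s*(?:\[(.*?)\]\s*)?>', re.S)
_ENTITY = re.compile(r'<!ENTITY\s+(%\s+)?([^\s%]+)\s+' + _EXT_ID, re.S)
_COMMENT = re.compile(r'<!--.*?-->', re.S)

def find_external_loads(xml_text, document_url):
    """List external DTD and entity declarations without fetching anything."""
    text = _COMMENT.sub('', xml_text)
    m = _DOCTYPE.search(text)
    if not m:
        return []
    origin = urlsplit(document_url)[:2]  # (scheme, host:port); default ports not normalised
    body = text[m.end():]
    found = []
    def add(kind, name, uri):
        target = urljoin(document_url, uri.strip())
        found.append({
            'kind': kind, 'name': name, 'url': target,
            # The thread states only same-origin loads were allowed.
            'same_origin': urlsplit(target)[:2] == origin,
            # Only general entities can be referenced from the document body.
            'referenced': f'&{name};' in body if kind == 'entity' else None,
        })
    dtd_uri = m.group(1) or m.group(2)
    if dtd_uri:
        add('dtd', None, dtd_uri)
    for e in _ENTITY.finditer(m.group(3) or ''):
        kind = 'parameter-entity' if e.group(1) else 'entity'
        add(kind, e.group(2), e.group(3) or e.group(4) or '')
    return found

# Constructed sample and URL (hypothetical), modelled on the test case quoted above.
SAMPLE_URL = 'https://site.example/docs/page.xhtml'
SAMPLE = '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
[
<!ENTITY chapter SYSTEM "resources/chapter.ent">
<!ENTITY unused SYSTEM "https://other.example/unused.ent">
<!ENTITY % defs SYSTEM "/dtd/defs.dtd">
<!ENTITY inline "inlined replacement text">
]>
<html xmlns="http://www.w3.org/1999/xhtml"><body>&chapter; &inline;</body></html>
'''
print(*find_external_loads(SAMPLE, SAMPLE_URL), sep='\n')
```

Entries with `referenced` set to `True` are the ones whose replacement text the document body actually depends on; the internal entity `inline` is not reported because it needs no load.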
