This makes a lot of sense, thanks.

On 11/21/25 4:54 a.m., 'Dominik Röttsches' via blink-dev wrote:
Hello all,

this has now landed and is slated to be released in M144 <https://chromium-review.googlesource.com/c/chromium/src/+/7173078>. While preparing the deprecation CL, it was found that in XSLT mode the parser allows loads not only of external entities, but also external DTDs (which go through the same network load function). In order not to interfere with the separate deprecation timeline of XSLT <https://groups.google.com/a/chromium.org/g/blink-dev/c/CxL4gYZeSJA/m/yNs4EsD5AQAJ>, we only deprecate external entity loads for non-XSLT situations (and do not block them at the network fetch level, but through a parser setting change).

Dominik



On Thursday, November 13, 2025 at 2:29:15 PM UTC+2 Philip Jägenstedt wrote:

    Is this feature controlled by something in
    runtime_enabled_features.json5? If so, I think the enterprise
    policy is quite easy to add, and just doing it could be easier
    than pondering the compat risk.

    However, we have to keep the policy for some number of milestones
    so it would delay the deletion of the code.

    I don't have a strong view, happy with whatever you think is best,
    Dominik.

    On Thu, Nov 13, 2025 at 01:48, Dominik Röttsches <[email protected]>
    wrote:

        > Such external load requests are passed up from the parser
        > and allowed only if they are a same origin request and the
        > response mimetype matches:
        > application/xml-external-parsed-entity.

        One correction:
        The mimetype restriction does not apply: External entities are
        loaded even without mimetype checking when
        X-Content-Type-Options: nosniff is not set.

        Also, additional details were found regarding overlaps with
        XSLT processing:

        XMLDocumentParser OpenFunc is called in multiple situations.
        Detailed analysis here
        <https://issues.chromium.org/u/1/issues/455813733#comment4>.
        In XSLT processing context, external loads for DTD and
        external entities are currently allowed.
        With these findings, I only intend to deprecate and remove
        this for non-XSLT situations.

        Even though the usage is very low overall, there is no need to
        risk XSLT breakage and cause interference between this
        deprecation and the XSLT deprecation.

        Dominik






        On Fri, Oct 31, 2025 at 5:03 PM Dominik Röttsches
        <[email protected]> wrote:

            *Contact emails*
            [email protected]

            *Explainer*
            No information provided

            *Specification*
            https://www.w3.org/TR/xml/#proc-types

            *Summary*
            Chrome synchronously fetches external XML entities/DTDs
            and incorporates them into parsing under specific
            circumstances. I propose to remove this functionality.

            Test case xml-external-entity.xml
            <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/http/tests/security/contentTypeOptions/xml-external-entity.xml>
            gives an example:

            <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
                    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
            [
            <!ENTITY entity_application_xml_external_parsed_entity
            SYSTEM
            "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
            ...

            External entities can be defined in the trailing part of
            the DOCTYPE statement - and then refer to resources that
            are to be synchronously loaded and included as context
            when parsing XML.

            Another syntax example would be a DOCTYPE using the
            SYSTEM keyword followed by a URL pointing to a DTD which
            contains additional entity definitions.

            Such external load requests are passed up from the parser
            and allowed only if they are a same origin request and the
            response mimetype matches:
            application/xml-external-parsed-entity.

            According to https://www.w3.org/TR/xml/#proc-types
            non-validating processors are not required to read external
            entities.

            *Blink component*
            DOM

            *Web Feature ID*
            Falls under XML feature group, but did not see a specific
            parsing feature.

            *Motivation*
            The usage has continuously decreased and is at an
            extremely low level of 0.000015, compare:
            https://chromestatus.com/metrics/feature/timeline/popularity/529
            We intend to improve the security of XML parsing in
            Chrome. (See internal go/chrome_x_mitigation
            <http://go/chrome_x_mitigation>).

            In this effort, we intend to replace libxml2 as the XML
            parser with an XML parser written in Rust (crate "xml").
            The Rust-based XML parser we intend to migrate to does
            not support external entities and we don't think it's
            necessary or desirable to implement this feature.

            Synchronous loads during parsing are considered
            inefficient, and can be avoided by inlining the needed
            entity definitions.

            As usage is so low and Firefox never supported this
            <https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135>,
            I propose to deprecate in 144 and remove in 145.

            *Initial public proposal*
            No information provided

            *Debuggability*
            Parsing success/failure is debuggable, same as before.

            *Requires code in //chrome?*
            No

            *Tracking bug*
            https://crbug.com/455813733

            *Estimated milestones*
            Starting deprecation in 144

            Shipping on desktop 144
            Shipping on Android 144
            Shipping on WebView 144

            Link to entry on the Chrome Platform Status
            https://chromestatus.com/feature/6734457763659776?gate=4825690713227264

            This intent message was generated by Chrome Platform Status.

--
        You received this message because you are subscribed to the
        Google Groups "blink-dev" group.
        To unsubscribe from this group and stop receiving emails from
        it, send an email to [email protected].

        To view this discussion visit
        
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBtw13D8r8yp7-iSN%3DsOQO%2B0aDshjUbivj0nLucadQDu4w%40mail.gmail.com
        
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBtw13D8r8yp7-iSN%3DsOQO%2B0aDshjUbivj0nLucadQDu4w%40mail.gmail.com?utm_medium=email&utm_source=footer>.

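For site owners checking whether their XML depends on the loads discussed in this thread, a small scanner that lists the external DTD and external entity references in a document's DOCTYPE. This is an added example, not code from the thread or from Chromium; it is a regex-based check of the prolog rather than a conforming XML parser, and `findExternalLoads`, `SAMPLE` and the sample document are constructed for illustration.

```javascript
// Added example, not Chromium code: list the DOCTYPE constructs that ask an
// XML parser to fetch something, so they can be inlined instead.
const Q = `("[^"]*"|'[^']*')`;                        // one quoted literal
const EXT_ID = `(?:SYSTEM\\s+${Q}|PUBLIC\\s+${Q}\\s+${Q})`;
// Prolog only: optional XML declaration / PIs, then the DOCTYPE with an
// optional external ID and an optional [internal subset]. Quoted literals in
// the subset are skipped as units so a "]" inside one does not end it.
const DOCTYPE_RE = new RegExp(
  `^(?:\\s|<\\?[\\s\\S]*?\\?>)*<!DOCTYPE\\s+([^\\s\\[>]+)(?:\\s+${EXT_ID})?\\s*` +
  `(?:\\[((?:"[^"]*"|'[^']*'|[^\\]"'])*)\\]\\s*)?>`);
const ENTITY_RE = new RegExp(
  `<!ENTITY\\s+(%\\s+)?(\\S+)\\s+${EXT_ID}(\\s+NDATA\\s+[^\\s>]+)?\\s*>`, 'g');
const unquote = (s) => s.slice(1, -1);

function findExternalLoads(xml) {
  const text = xml.replace(/<!--[\s\S]*?-->/g, '');   // drop comments first
  const m = DOCTYPE_RE.exec(text);
  if (!m) return [];
  const findings = [];
  const dtd = m[2] || m[4];                           // SYSTEM or PUBLIC system literal
  if (dtd) findings.push({ kind: 'external-dtd', name: m[1], systemId: unquote(dtd) });
  for (const e of (m[5] || '').matchAll(ENTITY_RE)) {
    if (e[6]) continue;                               // NDATA: unparsed entity, not read by the parser
    findings.push({
      kind: e[1] ? 'external-parameter-entity' : 'external-entity',
      name: e[2],
      systemId: unquote(e[3] || e[5]),
    });
  }
  return findings;
}

// Constructed sample, modelled on the test case quoted in the thread.
const SAMPLE = `<?xml version="1.0"?>
<!-- <!DOCTYPE decoy SYSTEM "ignored.dtd"> inside a comment is not a DOCTYPE -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" [
<!ENTITY inline "defined inline, no load">
<!ENTITY chapter SYSTEM "http://127.0.0.1:8000/resources/chapter.xml">
<!ENTITY % more PUBLIC "-//Example//ENTITIES//EN" 'more.ent'>
<!ENTITY logo SYSTEM "logo.png" NDATA png>
]>
<html xmlns="http://www.w3.org/1999/xhtml"><body>&chapter;</body></html>`;

console.log(findExternalLoads(SAMPLE));
```

Each `external-entity` finding is a candidate for replacement with an inline definition in the internal subset, which is the migration path the intent names.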