As of Firefox 122 I intend to remove support for data: URLs in the href attribute of SVG <use> elements. It was never supported in Safari and Chrome is planning to remove support in Chrome 120. data URLs can be used for XSS attacks, by embedding another SVG that executes scripts.
Bug to remove: https://bugzilla.mozilla.org/show_bug.cgi?id=1806964 Standards position: https://github.com/mozilla/standards-positions/issues/718 Preference: svg.use-element.data-url-href.allowed Chrome's intent to deprecate: https://groups.google.com/a/chromium.org/g/blink-dev/c/Q9dLyBhtZTw/m/ceirsUk7AgAJ -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CA%2BCWiYhihM-GkoujSBdBZjn2Gw%3DyTuODNdODsJY4xv9t-Z4N5Q%40mail.gmail.com.
