WebKittens
Title of the proposal
Deprecate loading of external entities in XML parsing
URL to the spec
https://www.w3.org/TR/xml/#proc-types
URL to the spec's repository
No response
Issue Tracker URL
No response
Explainer URL
No response
TAG Design Review URL
No response
Mozilla standards-positions issue URL
Older bug report comment applies: https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135
WebKit Bugzilla URL
No response
Radar URL
No response
Description
In Blink, in our efforts to improve XML parsing security, we plan to deprecate and remove external loading of entities in XML parsing. We would like to hear WebKit's position.
- Firefox never supported this feature (compare https://bugzilla.mozilla.org/show_bug.cgi?id=22942#c135)
- The XML specification makes this optional for non-validating processors (such as browsers): https://www.w3.org/TR/xml/#proc-types.
- Usage is extremely low: https://chromestatus.com/metrics/feature/timeline/popularity/529 at 0.000015% of page loads.
In Blink, we supported this only when the server provided a specific mimetype: application/xml-external-parsed-entity.
We propose to remove this as the new parser we want to migrate to does not support this feature and it does not seem worthwhile to implement: executing a synchronous load during parsing is an inefficient design which blocks parsing, plus the usage is so low.
A workaround is to include the entities into the main document.
Further info:
Chromestatus Entry
Blink-dev I2D post
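To make the proposal concrete, here is an added example (not part of the issue or of Blink/WebKit code) using Python's stdlib `xml.sax` parser: the first constructed document declares an external parsed entity with a `SYSTEM` identifier, the second applies the suggested workaround of inlining the entity's replacement text. With external general entity loading switched off, the external reference is simply never fetched and contributes nothing, while the inlined version expands as expected. The entity name, the file name `disclaimer.xml` and the replacement text are constructed sample values.

```python
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample: the replacement text lives in a separate resource,
# the pattern Blink only honoured for application/xml-external-parsed-entity.
EXTERNAL_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY disclaimer SYSTEM "disclaimer.xml">
]>
<note>Terms: &disclaimer;</note>"""

# Constructed sample: the same document with the entity inlined, which is
# the workaround the proposal recommends.
INLINED_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY disclaimer "All sales are final.">
]>
<note>Terms: &disclaimer;</note>"""


class TextCollector(ContentHandler):
    """Accumulates the character data delivered by the parser."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_without_external_entities(doc: bytes) -> str:
    """Parse `doc` with external general entity loading disabled and
    return the document's text content.

    A reference to an external parsed entity is not resolved: the parser
    performs no load during parsing and the reference expands to nothing.
    An internal (inlined) entity is expanded normally.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch SYSTEM entities
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.feed(doc)
    parser.close()
    return "".join(handler.chunks)


if __name__ == "__main__":
    print(repr(parse_without_external_entities(EXTERNAL_ENTITY_DOC)))  # 'Terms: '
    print(repr(parse_without_external_entities(INLINED_ENTITY_DOC)))   # 'Terms: All sales are final.'
```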