relnote(122): SVG use elements cannot use data URIs #21662

Merged: 1 commit, Jan 11, 2024


bsmth
Member

@bsmth bsmth commented Dec 18, 2023

For security reasons, the following is no longer allowed:

<svg>
  <use href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0i...#x" />
</svg>

In Firefox, this is now behind a pref only, and disabled by default.

Test results and supporting details

Safari:

I can't find any evidence that Safari ever supported this.
Web search only shows bug reports of people struggling to get it to work.
I tested in Browserstack with Safari right back to the beginning of time, with no luck.

<!DOCTYPE html>
<html>
  <title>Test use data uri</title>
  <meta charset="utf-8" />
  <body>
    <svg>
      <use
        href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGlkPSJ4Ij4gPGNpcmNsZSBjeD0iNSIgY3k9IjUiIHI9IjQiIHN0cm9rZT0iYmx1ZSI+PC9jaXJjbGU+IDwvc3ZnPg==#x"
      />
    </svg>
  </body>
</html>

Related issues and pull requests

@github-actions bot added the data:svg label Dec 18, 2023
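An audit sketch for the restriction described in this PR, added here as an example and not code from the PR or from the project: it scans markup for `<use>` elements whose `href` or `xlink:href` is a `data:` URL, so affected assets can be found and moved to same-document or external-file references. The function names and sample markup are constructed for illustration.

```javascript
// Added example (Node.js). Regex-based source scan, not an HTML parser:
// it does not decode character references and may over-report.

// Match a <use> start tag; quoted attribute values may contain '>'.
const USE_TAG = /<use(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
// Match href / xlink:href with a double-quoted, single-quoted or bare value.
const HREF_ATTR =
  /(?:^|\s)((?:xlink:)?href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function isDataUrl(value) {
  // URL parsing ignores surrounding whitespace and embedded tab/newline,
  // and schemes are case-insensitive, so normalise before testing.
  const cleaned = value.replace(/[\t\n\r]/g, "").trim();
  return /^data:/i.test(cleaned);
}

function findDataUriUses(markup) {
  const findings = [];
  for (const tag of markup.matchAll(USE_TAG)) {
    // 1-based line number of the start of the <use> tag.
    const line = markup.slice(0, tag.index).split("\n").length;
    for (const attr of tag[0].matchAll(HREF_ATTR)) {
      const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
      if (!isDataUrl(value)) continue;
      const hash = value.indexOf("#");
      findings.push({
        line,
        attribute: attr[1].toLowerCase(),
        fragment: hash === -1 ? null : value.slice(hash + 1),
      });
    }
  }
  return findings;
}

// Constructed sample input: two data: URL references, two allowed ones.
const inner =
  '<svg xmlns="http://www.w3.org/2000/svg" id="x"><circle cx="5" cy="5" r="4"/></svg>';
const dataUrl =
  "data:image/svg+xml;base64," + Buffer.from(inner).toString("base64") + "#x";
const SAMPLE = [
  "<svg>",
  `  <use href="${dataUrl}" />`,
  '  <use xlink:href=" DATA:image/svg+xml,%3Csvg%20id=%22y%22/%3E#y"/>',
  '  <use href="#local-symbol" />',
  '  <use href="sprites.svg#icon" />',
  "</svg>",
].join("\n");

console.log(findDataUriUses(SAMPLE));
```
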
@bsmth
Member Author

bsmth commented Dec 18, 2023

@queengooborg - if this is disabled in 122 but behind a pref for legacy purposes, how should I add this?

If I add the pref on a removed feature, I of course get

✖ svg.elements.use.data_uri - Error → Irrelevant flag data detected for firefox. Remove statement with svg.use-element.data-url-href.allowed flag

@Elchi3
Member

Elchi3 commented Dec 21, 2023

hm, do you really want to document svg.use-element.data-url-href.allowed? I mean the docs should probably encourage not to do this anymore!

If you really do want to mention it, I would do so with a note:

"firefox": {
  "version_added": "4",
  "version_removed": "122",
  "note": "Can be enabled using the <code>svg.use-element.data-url-href.allowed</code> preference but this is not advised for security reasons."
},

@bsmth
Member Author

bsmth commented Jan 8, 2024

> hm, do you really want to document svg.use-element.data-url-href.allowed? I mean the docs should probably encourage not to do this anymore!

That's true. The relnote mentions it here: https://github.com/mdn/content/pull/31124/files so I'm fine with leaving it out in this PR.

@bsmth bsmth requested a review from Elchi3 January 8, 2024 13:40
@queengooborg queengooborg merged commit 88ed1b5 into mdn:main Jan 11, 2024
5 checks passed
@bsmth bsmth deleted the 31111-svg-use-data-uri branch January 11, 2024 17:16
@bsmth
Member Author

bsmth commented Jan 11, 2024

Thank you!
