Bug 1806964 - Restrict SVG <use> to prevent usage of data: URLs. r=longsonr

Differential Revision: https://phabricator.services.mozilla.com/D193414

dom/base/crashtests/crashtests.list

@@ -110,7 +110,7 @@ load 637214-1.svg
 load 637214-2.svg
 pref(extensions.InstallTrigger.enabled,true) pref(extensions.InstallTriggerImpl.enabled,true) load 642022-1.html
 load 646184.html
-load 658845-1.svg
+pref(svg.use-element.data-url-href.allowed,true) load 658845-1.svg
 load 666869.html
 load 667336-1.html
 load 675516.xhtml

dom/svg/SVGUseElement.cpp

@@ -543,16 +543,30 @@ void SVGUseElement::LookupHref() {
     return;
   }
 
-  nsCOMPtr<nsIURI> originURI =
-      mOriginal ? mOriginal->GetBaseURI() : GetBaseURI();
-  nsCOMPtr<nsIURI> baseURI =
-      nsContentUtils::IsLocalRefURL(href)
-          ? SVGObserverUtils::GetBaseURLForLocalRef(this, originURI)
-          : originURI;
+  if (nsContentUtils::IsLocalRefURL(href)) {
+    // Use the original <use>, if it exists, because the #ref might be local
+    // the original's document.
+    RefPtr<SVGUseElement> elem = mOriginal ? mOriginal.get() : this;
+    RefPtr<nsAtom> idAtom = NS_AtomizeMainThread(Substring(href, 1));
+    mReferencedElementTracker.ResetWithID(*elem, idAtom);
+    return;
+  }
 
+  nsCOMPtr<nsIURI> baseURI = mOriginal ? mOriginal->GetBaseURI() : GetBaseURI();
   nsCOMPtr<nsIURI> targetURI;
   nsContentUtils::NewURIWithDocumentCharset(getter_AddRefs(targetURI), href,
                                             GetComposedDoc(), baseURI);
+  if (!targetURI) {
+    return;
+  }
+
+  // Don't allow <use href="data:...">. Using "#ref" inside a data: document is
+  // handled above.
+  if (targetURI->SchemeIs("data") &&
+      !StaticPrefs::svg_use_element_data_url_href_allowed()) {
+    return;
+  }
+
   nsIReferrerInfo* referrer =
       OwnerDoc()->ReferrerInfoForInternalCSSAndSVGResources();
   mReferencedElementTracker.ResetToURIFragmentID(this, targetURI, referrer);

layout/reftests/svg/reftest.list

@@ -564,7 +564,7 @@ pref(layout.css.devPixelsPerPx,"1.0") == svg-blurry-with-subpixel-position.html
 == use-02.svg pass.svg
 == use-01-extref.svg pass.svg
 == use-02-extref.svg use-02-extref-ref.svg
-== use-extref-dataURI-01.svg pass.svg
+pref(svg.use-element.data-url-href.allowed,true) == use-extref-dataURI-01.svg pass.svg
 == use-children.svg pass.svg
 
 test-pref(svg.use-element.graphics-element-restrictions,0) == use-restrictions.svg use-restrictions-not-restricted-ref.svg

layout/svg/crashtests/crashtests.list

@@ -128,7 +128,7 @@ load 709920-2.svg
 load 713413-1.svg
 load 722003-1.svg
 load 725918-1.svg
-load 732836-1.svg
+pref(svg.use-element.data-url-href.allowed,true) load 732836-1.svg
 load 740627-1.svg
 load 740627-2.svg
 load 743469.svg

modules/libpref/init/StaticPrefList.yaml

@@ -14386,6 +14386,12 @@
   value: 8
   mirror: always
 
+# Whether <svg:use> with a data: URL as href is allowed
+- name: svg.use-element.data-url-href.allowed
+  type: bool
+  value: false
+  mirror: always
+
 #---------------------------------------------------------------------------
 # Prefs starting with "telemetry."
 #---------------------------------------------------------------------------

testing/web-platform/meta/svg/struct/reftests/__dir__.ini

@@ -0,0 +1 @@
+prefs: [svg.use-element.data-url-href.allowed:false]

testing/web-platform/meta/svg/struct/reftests/use-data-url.tentative.svg.ini

@@ -1,2 +0,0 @@
-[use-data-url.tentative.svg]
-  expected: FAIL

testing/web-platform/tests/svg/struct/reftests/use-data-url-set-attributeName.tentative.svg

@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <title>&#x3c;use&#x3e; with a data: URL resource loaded by &#x3c;set attributeName&#x3e;</title>
+  <h:link rel="help" href="https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute"/>
+  <h:link rel="match" href="reference/green-100x100.svg"/>
+  <rect width="100" height="100" fill="green"/>
+  <use>
+    <set attributeName="href" to="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxyZWN0IGlkPSJyZWQtcmVjdCIgd2lkdGg9IjEwMCIgaGVpZ2h0PSIxMDAiIGZpbGw9InJlZCIvPgo8L3N2Zz4=#red-rect"/>
+  </use>
+</svg>

testing/web-platform/tests/svg/struct/reftests/use-data-url-setAttribute.tentative.html

@@ -0,0 +1,18 @@
+<!doctype HTML>
+<meta charset="utf-8">
+<title>Testcase for changing a valid &#x3c;use&#x3e; to a data URL:</title>
+<link rel="help" href="https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute">
+<link rel="match" href="reference/green-100x100.html">
+<script>
+  function go() {
+    const use = document.querySelector("use");
+    use.setAttribute("href", "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxyZWN0IGlkPSJvcmFuZ2UtcmVjdCIgd2lkdGg9IjEwMCIgaGVpZ2h0PSIxMDAiIGZpbGw9Im9yYW5nZSIvPgo8L3N2Zz4=#orange-rect");
+  }
+</script>
+<body onload="go()">
+  <svg id="mySVG">
+    <rect id="red" width="100" height="100" fill="red"></rect>
+    <rect id="green" width="100" height="100" fill="green"></rect>
+    <use x="100" y="0" href="#red"></use>
+  </svg>
+</body>

testing/web-platform/tests/svg/struct/reftests/use-ref-inside-data-url.tentative.html

@@ -0,0 +1,15 @@
+<!doctype HTML>
+<meta charset="utf-8">
+<title>Testcase for where SVG loaded via data: uses #ref</title>
+<link rel="help" href="https://svgwg.org/svg2-draft/struct.html#UseElementHrefAttribute">
+<link rel="match" href="reference/green-100x100.html">
+<body>
+<!-- base64 SVG source:
+<svg xmlns="http://www.w3.org/2000/svg">
+  <rect id="green-rect" width="100" height="100" fill="green"/>
+  <rect width="100" height="100" fill="red"/>
+  <use href="#green-rect"/>
+</svg>
+-->
+<img src="data:image/svg+xml;charset=utf-8;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPg0KICA8cmVjdCBpZD0iZ3JlZW4tcmVjdCIgd2lkdGg9IjEwMCIgaGVpZ2h0PSIxMDAiIGZpbGw9ImdyZWVuIi8+DQogIDxyZWN0IHdpZHRoPSIxMDAiIGhlaWdodD0iMTAwIiBmaWxsPSJyZWQiLz4NCiAgPHVzZSBocmVmPSIjZ3JlZW4tcmVjdCIvPg0KPC9zdmc+">
+</body>