Intent to Deprecate and Remove: Externally loaded entities in XML parsing

[Dominik Röttsches]

Contact emails
dr...@chromium.org

Explainer
No information provided

Specification
https://www.w3.org/TR/xml/#proc-types

Summary
Chrome synchronously fetches external XML entities/DTDs and incorporates them into parsing under specific circumstances. I propose to remove this functionality. 

Test case xml-external-entity.xml gives an example: 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
[
<!ENTITY entity_application_xml_external_parsed_entity SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
...

External entities can be defined in the trailing part of the DOCTYPE statement - and then refer to resources that are to be synchronously loaded and included as context when parsing XML. 

Another syntax example would be a DOCTYPE that, using the SYSTEM keyword followed by a URL pointing to a DTD which contains additional entity definitions. 

Such external load requests are passed up from the parser and allowed only if they are a same origin request and the response mimetype matches: application/xml-external-parsed-entity. 

According to https://www.w3.org/TR/xml/#proc-types non-validating processor are not required to read external entities.

Blink component
DOM

Web Feature ID
Falls under XML feature group, but did not see a specific parsing feature.

Motivation
The usage has continuously decreased and is at an extremely low level of 0.000015, compare: https://chromestatus.com/metrics/feature/timeline/popularity/529 We intend to improve the security of XML parsing in Chrome. (See internal go/chrome_x_mitigation). 

In this effort, we intend to replace libxml2 as the XML parser with an XML parser written in Rust (crate "xml"). The Rust-based XML parser we intend to migrate to, does not support external entities and we don't think it's necessary or desirable to implement this feature. 

Synchronous loads during parsing are considered inefficient, and can be avoided by inlining the needed entity definitions. 

As usage is so low, Firefox never supported this, I propose to deprecate in 144, and remove in 145.

Initial public proposal
No information provided

Debuggability
Parsing success/failure is debuggable, same as before.

Requires code in //chrome?
No

Tracking bug
https://crbug.com/455813733

Estimated milestones

Starting deprecation in 144

Shipping on desktop 144 
Shipping on Android 144
Shipping on WebView 144

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6734457763659776?gate=4825690713227264

This intent message was generated by Chrome Platform Status.

[Chris Harrelson]

Hi, could you file a position request with webkit?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN6muBt5G1ZbUby1i3PBt0qUK0%3DkPj8%2BhHeVbQcZ3xgnnvKKBQ%40mail.gmail.com.

[Daniel Bratell]

That is a very low use counter indeed, and from its linear behaviour, it looks like it might go away by itself within a year.

Considering the low counter, that it has not been supported by Mozilla, and that it might not actually affect production code, I think it's ok to try to remove it before the XML parser replacement forces it. The normal caveats with "keep an eye out for feedback" apply.

LGTM1 to deprecate and remove one milestone later.

/Daniel

[Daniel Bratell]

I just realized that there was no Finch flag section in the template. There should be one right?

(Also note what Chris said, the feature needs to be moved to the right stage in chromestatus and various reviews kicked off)

/Daniel

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/86df97b8-566d-4d26-b2a8-a398a6faceaf%40gmail.com.

[PhistucK]

I am a little unclear about whether "it might not actually affect production code" (that Daniel wrote) is the case. When those URLs are ignored, it sounds like there could be a parsing error and things might stop working, right?

☆PhistucK

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f5d61294-6d97-421d-ad70-e53772cba11c%40gmail.com.

[Dominik Röttsches]

Thanks for the feedback so far.

On Wed, Nov 5, 2025 at 3:57 PM Chris Harrelson <chri...@chromium.org> wrote:

Hi, could you file a position request with webkit?

Sure, filed as https://github.com/WebKit/standards-positions/issues/572

On Wed, Nov 5, 2025 at 6:47 PM Daniel Bratell <brat...@gmail.com> wrote:

I just realized that there was no Finch flag section in the template. There should be one right?

Finch flag is XMLNoExternalEntities - updated in Chromestatus entry.