Bug 1912763 Comment 6 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

This is probably not super-concerning from a security perspective -- the referenced bug (bug 1754522) ended up being viewed more as a compat issue than as a sec issue, per bug 1754522 comment 19 and surrounding comments (e.g. bug 1754522 comment 23 where the reporter seems to note that Firefox at-that-time was technically matching the spec).

Here, as with bug 1754522, I think our behavior (which in this case matches at least one other browser) is correct per-spec....

Script elements are blocked due to this note in the spec:
`Within a use-element shadow tree, ‘script’ elements are inert (do not execute).`
https://svgwg.org/svg2-draft/struct.html#UseElement
...and that's why we blocked `iframe` elements as well in the referenced bug. That wouldn't automatically imply that event handlers like `onerror`, `onclick`, etc. should be blocked, though.

In fact the spec has a whole section on **how event handlers should work** in `<use>` shadow trees (implying that they should work):
https://svgwg.org/svg2-draft/struct.html#UseEventHandling

At first glance, I think that spec section **requires** `onerror` (and `onclick`, etc) to work in a `use` shadow-tree, in the way that it currently does in WebKit/Gecko, unless I'm missing something...

This is probably not super-concerning from a security perspective -- the referenced bug (bug 1754522) ended up being viewed more as a compat issue than as a sec issue, per bug 1754522 comment 19 and surrounding comments (e.g. bug 1754522 comment 23 where emilio and the reporter seem to note that Firefox at-that-time was technically matching the spec).

Here, as with bug 1754522, I think our behavior (which in this case matches at least one other browser) is also correct per-spec....

Script elements are blocked due to this note in the spec:
`Within a use-element shadow tree, ‘script’ elements are inert (do not execute).`
https://svgwg.org/svg2-draft/struct.html#UseElement
...and that's why we blocked `iframe` elements as well in bug 1754522. That wouldn't automatically imply that event handlers like `onerror`, `onclick`, etc. should be blocked, though. (Though I do see the logic in expecting that they might be blocked.)

In fact, the spec has a whole section on **how event handlers should work** in `<use>` shadow trees (implying that they should work):
https://svgwg.org/svg2-draft/struct.html#UseEventHandling

So at first glance, I think that spec section **requires** `onerror` (and `onclick`, etc) to work in a `use` shadow-tree, in the way that it currently does in WebKit/Gecko, unless I'm missing something...
