
Why does xmlns use http not https? #738

Closed

nothingismagick opened this issue Sep 20, 2019 · 7 comments

Comments

@nothingismagick

This is not really an issue per se, more like a request for information. I noticed that it is normal to see http:// used as a protocol reference to xmlns links and even doctypes. The following is made by Affinity Designer:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100%" height="100%" viewBox="0 0 1280 1280" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/">

If you visit those links manually (copy / paste) the w3.org site will automatically redirect to https. I am wondering why https is not preferred. Is this going to change with 2.0 ?

I brought it up in a PR here:
mermaid-js/mermaid#940

@heycam
Contributor

heycam commented Sep 20, 2019

Thanks for filing the issue.

XML namespace URLs are really opaque identifiers. The fact that some namespace URLs under w3.org resolve to a page describing them is a convenience. It wouldn't be compatible to change these URLs now.

(You might be able to argue for DTD URLs to be updated, since in some XML parsers, those URLs will actually be fetched. But in practice, SVG User Agents don't operate their XML parsers in validating mode, and so never need to use that URL.)

@heycam
Contributor

heycam commented Sep 20, 2019

And notably, if you create some content with <svg xmlns="https://www.w3.org/2000/svg">, then browsers and other UAs will not recognize that as a real SVG <svg> element.
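The point heycam makes above can be seen directly in a namespace-aware parser: the tag a parser hands back carries the namespace string verbatim, and an SVG-aware consumer compares it byte for byte. The following is an added example (not code from the thread or from the SVG working group); the sample documents, `SVG_NS`, `is_svg_root` and the other names are constructed for illustration. It also goes slightly beyond the `https` case by showing that a trailing slash breaks recognition while a prefixed form with the identical namespace string does not.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# The namespace string SVG user agents compare against, byte for byte.
# It is an identifier; nothing is fetched from it.
SVG_NS = "http://www.w3.org/2000/svg"


def root_namespace_and_local_name(xml_text: str) -> Tuple[str, str]:
    """Parse the document and split the root element's expanded name.

    ElementTree spells a namespaced tag as '{namespace}local-name', which
    makes the exact-string nature of the comparison visible.
    """
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        ns, local = root.tag[1:].split("}", 1)
        return ns, local
    return "", root.tag


def is_svg_root(xml_text: str) -> bool:
    """True only if the root element is <svg> in exactly the SVG namespace."""
    ns, local = root_namespace_and_local_name(xml_text)
    return ns == SVG_NS and local == "svg"


# Constructed sample documents (not taken from the issue thread).
SAMPLES = {
    "http":           '<svg xmlns="http://www.w3.org/2000/svg"/>',
    "https":          '<svg xmlns="https://www.w3.org/2000/svg"/>',
    "trailing_slash": '<svg xmlns="http://www.w3.org/2000/svg/"/>',
    # Prefix choice is irrelevant; only the bound namespace string matters.
    "prefixed":       '<s:svg xmlns:s="http://www.w3.org/2000/svg"/>',
    "no_namespace":   '<svg/>',
}


def classify_samples() -> Dict[str, bool]:
    """Map each sample name to whether it is recognised as an SVG root."""
    return {name: is_svg_root(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print(f"{name:15} recognised as SVG: {ok}")
```

Only the `http` and `prefixed` samples are recognised; `https`, the trailing slash and the unnamespaced `<svg/>` all fail, which is exactly why changing the namespace string would break every existing consumer.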

@nothingismagick
Author

Ok - thanks for the insight. So these identifiers are just sort of like fingerprints and meaningless, unless the parser is validating, which most browsers are only performing in a shallow way. I.e. just a string validation looking exactly for e.g. http://www.w3.org/2000/svg and not actually performing a lookup.

@dirkschulze
Contributor

@nothingismagick Meaningless for authors but required for user agents. Standalone SVGs are XML documents. As @heycam said, those namespaces are identifiers (URIs) and not supposed to be interpreted as URLs, though the W3C does manage websites with the URL of the same string.

@nothingismagick
Author

Man-in-the-middle attack an SVG that is being validated?

@BigBadaboom
Contributor

BigBadaboom commented Oct 25, 2019

That exploit is related specifically to the caching of external entities. And possibly DTDs - it's not clear.

DTDs are the <!DOCTYPE... part of an XML file. They can contain a URL that points to a schema file that describes the format of the XML file. Which elements can be children of other elements etc.

Entities are of the form <!ENTITY.... They can define snippets of XML or text that can be reused within the XML file. External entities are ones that are stored external to the XML file and are referenced by a URL.

The value inside an xmlns attribute should never be fetched by an XML parser because it is not defined to be a URL. It is just an identifier string that identifies the variant of XML. Think of it as being equivalent to a MIME type, or the magic strings such as "JFIF" in a JPEG header.

That attack could potentially affect SVG files. But it is unrelated to the xmlns attribute.
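The distinction BigBadaboom draws (DOCTYPE and external entities are the only places a parser could reach out over the network; xmlns never is) can be checked from the defender's side. The added example below is not code from the thread or from any SVG implementation. It parses the Affinity Designer header quoted at the top of the issue (closed with `</svg>` so it is a complete document) using Python's stdlib `xml.etree.ElementTree`, whose expat backend does not load the DTD named in the DOCTYPE, never fetches namespace strings, and rejects references to external entities rather than resolving them. A second, constructed document declares an external entity against a placeholder host (`dtd-host.invalid`) to show both the rejection and a cheap triage check; `declares_external_entities`, `parse_offline` and `check_document` are names chosen for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# The Affinity Designer header quoted in the issue, closed so it is a
# complete document. The DOCTYPE names an external DTD by URL.
AFFINITY_SVG = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100%" height="100%" viewBox="0 0 1280 1280" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/">
</svg>
"""

# Constructed sample: an internal DTD subset that declares an external
# entity and then references it. The host name is a placeholder.
EXTERNAL_ENTITY_SVG = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY ext SYSTEM "http://dtd-host.invalid/fragment.xml">
]>
<svg xmlns="http://www.w3.org/2000/svg"><title>&ext;</title></svg>
"""

# Matches general or parameter entity declarations with a SYSTEM or PUBLIC
# identifier, i.e. the declarations that point outside the document.
_EXTERNAL_ENTITY_DECL = re.compile(r"<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b")


def declares_external_entities(xml_text: str) -> bool:
    """Triage pre-screen on the raw text: does the internal DTD subset declare
    an external entity? A DOCTYPE that merely names an external DTD, as the
    Affinity file does, is not flagged; only entity declarations are.
    Entities declared inside an external DTD file are not visible here."""
    return _EXTERNAL_ENTITY_DECL.search(xml_text) is not None


def parse_offline(xml_text: str) -> Optional[str]:
    """Parse with the stdlib expat-backed parser. It does not fetch the
    DOCTYPE's system identifier or any xmlns string, and it raises
    ParseError on an external entity reference instead of resolving it.
    Returns the root tag, or None if the document was rejected."""
    try:
        return ET.fromstring(xml_text).tag
    except ET.ParseError:
        return None


def check_document(xml_text: str) -> Dict[str, object]:
    """Combine the text pre-screen with the parser's verdict."""
    return {
        "declares_external_entities": declares_external_entities(xml_text),
        "root_tag": parse_offline(xml_text),
    }


if __name__ == "__main__":
    print("affinity:", check_document(AFFINITY_SVG))
    print("external entity:", check_document(EXTERNAL_ENTITY_SVG))
```

The Affinity document parses to a root tag of `{http://www.w3.org/2000/svg}svg` with no network activity at all, DTD URL and xmlns included; the constructed document is flagged by the pre-screen and rejected by the parser. A parser configured to resolve external entities or to load external DTDs is where a fetch, and hence the interception scenario asked about above, could occur, which is why those options should stay off for untrusted SVG.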
