Chrome synchronously fetches external XML entities/DTDs and incorporates them into parsing under specific circumstances. I propose to remove this functionality.

http/tests/security/contentTypeOptions/xml-external-entity.xml gives an example: external entities can be defined in the trailing part of the DOCTYPE statement and then refer to resources that are synchronously loaded and included as context when parsing XML. Another syntax example would be a DOCTYPE that uses the SYSTEM keyword followed by a URL pointing to a DTD which contains additional entity definitions. Such external load requests are passed up from the parser.

According to https://www.w3.org/TR/xml/#proc-types, non-validating processors are not required to read external entities. We plan to deprecate loading of external entity definitions in XML documents that do not use XSLT.

The usage has continuously decreased and is at an extremely low level of 0.000015; compare https://chromestatus.com/metrics/feature/timeline/popularity/529.

We intend to improve the security of XML parsing in Chrome (see internal go/chrome_x_mitigation). In this effort, we intend to replace libxml2 as the XML parser with an XML parser written in Rust (crate "xml"). The Rust-based XML parser we intend to migrate to does not support external entities, and we don't think it's necessary or desirable to implement this feature. Synchronous loads during parsing are considered inefficient, and can be avoided by inlining the needed entity definitions.

As usage is so low and Firefox never supported this, I propose to deprecate in 144, and remove in 145.
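
To find documents that rely on the two constructs described above (external entities declared in the trailing part of the DOCTYPE, and a DOCTYPE pointing at an external DTD), a site owner could audit their XML with a check like the following. This is an added example, not Chrome's code: the function name `findExternalLoads`, the sample documents and the `example.test` URLs are constructed for illustration, and the regex matching is an approximation of a real DTD parser.

```javascript
// Added example: regex-based audit, an approximation of a real DTD parser.
const QUOTED = `("[^"]*"|'[^']*')`;
const EXTERNAL_ID = `(?:SYSTEM\\s+${QUOTED}|PUBLIC\\s+${QUOTED}\\s+${QUOTED})`;
// Groups: 1 = SYSTEM URL, 3 = PUBLIC system URL, 4 = internal subset.
const DOCTYPE_RE = new RegExp(
  `<!DOCTYPE\\s+[^\\s\\[>]+\\s*${EXTERNAL_ID}?\\s*(?:\\[([\\s\\S]*?)\\]\\s*)?>`);
// Groups: 1 = "%" for parameter entities, 2 = name, 3 / 5 = URL.
// Unparsed (NDATA) entities are skipped: the parser does not read them.
const ENTITY_RE = new RegExp(
  `<!ENTITY\\s+(%\\s+)?([^\\s%]+)\\s+${EXTERNAL_ID}(?!\\s+NDATA)`, "g");
const unquote = (s) => s.slice(1, -1);

function findExternalLoads(xml) {
  // Comments, processing instructions and CDATA cannot declare anything.
  const text = xml.replace(
    /<!--[\s\S]*?-->|<\?[\s\S]*?\?>|<!\[CDATA\[[\s\S]*?\]\]>/g, "");
  const findings = [];
  const doctype = DOCTYPE_RE.exec(text);
  if (!doctype) return findings;
  // Second construct: DOCTYPE ... SYSTEM "url" pointing at an external DTD.
  const dtdUrl = doctype[1] || doctype[3];
  if (dtdUrl) findings.push({ kind: "external-dtd", url: unquote(dtdUrl) });
  // First construct: external entities declared inside the DOCTYPE.
  for (const m of (doctype[4] || "").matchAll(ENTITY_RE)) {
    findings.push({
      kind: m[1] ? "external-parameter-entity" : "external-entity",
      name: m[2],
      url: unquote(m[3] || m[5]),
      // Only general entities are referenced as &name; in the document.
      referenced: m[1] ? null : text.includes(`&${m[2]};`),
    });
  }
  return findings;
}

// Constructed sample documents.
const SAMPLE_ENTITY = `<?xml version="1.0"?>
<!DOCTYPE doc [
  <!-- <!ENTITY old SYSTEM "https://example.test/old.txt"> -->
  <!ENTITY ext SYSTEM "https://example.test/entity.txt">
  <!ENTITY local "inlined value">
]>
<doc>&ext; &local;</doc>`;
const SAMPLE_DTD = `<!DOCTYPE doc SYSTEM "https://example.test/doc.dtd">
<doc>&fromDtd;</doc>`;
console.log(findExternalLoads(SAMPLE_ENTITY), findExternalLoads(SAMPLE_DTD));
```

Each finding marks a declaration whose content would have to be inlined as an internal entity (like `local` in the first sample) for the document to keep working after the removal.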