Add switch: Do not resolve URLs by defaults for XML

src/libraries/Common/src/System/LocalAppContextSwitches.Common.cs

@@ -55,6 +55,11 @@ private static bool GetSwitchDefaultValue(string switchName)
                 return true;
             }
 
+            if (switchName == "System.Xml.XmlResolver.IsNetworkingEnabledByDefault")
+            {
+                return true;
+            }
+
             return false;
         }
     }

src/libraries/System.Private.Xml/src/ILLink/ILLink.Substitutions.xml

@@ -0,0 +1,8 @@
+<linker>
+  <assembly fullname="System.Private.Xml">
+    <type fullname="System.Xml.LocalAppContextSwitches">
+      <method signature="System.Boolean get_IsNetworkingEnabledByDefault()" body="stub" value="false"
+              feature="System.Xml.XmlResolver.IsNetworkingEnabledByDefault" featurevalue="false" />
+    </type>
+  </assembly>
+</linker>

src/libraries/System.Private.Xml/src/System.Private.Xml.csproj

@@ -6,6 +6,10 @@
     <EnableAOTAnalyzer>false</EnableAOTAnalyzer>
   </PropertyGroup>
 
+  <ItemGroup>
+    <ILLinkSubstitutionsXmls Include="$(ILLinkDirectory)ILLink.Substitutions.xml" />
+  </ItemGroup>
+
   <ItemGroup>
     <Compile Include="$(CommonPath)System\Text\StringBuilderCache.cs" Link="Common\System\StringBuilderCache.cs" />
     <Compile Include="$(CommonPath)System\HexConverter.cs" Link="Common\System\HexConverter.cs" />
@@ -119,7 +123,6 @@
     <Compile Include="System\Xml\XmlComplianceUtil.cs" />
     <Compile Include="System\Xml\XmlConvert.cs" />
     <Compile Include="System\Xml\XmlDownloadManager.cs" />
-    <Compile Include="System\Xml\XmlDownloadManagerAsync.cs" />
     <Compile Include="System\Xml\XmlEncoding.cs" />
     <Compile Include="System\Xml\XmlException.cs" />
     <Compile Include="System\Xml\XmlNamespacemanager.cs" />
@@ -130,10 +133,10 @@
     <Compile Include="System\Xml\XmlQualifiedName.cs" />
     <Compile Include="System\Xml\XmlReservedNs.cs" />
     <Compile Include="System\Xml\XmlResolver.cs" />
+    <Compile Include="System\Xml\XmlResolver.FileSystemResolver.cs" />
     <Compile Include="System\Xml\XmlResolver.ThrowingResolver.cs" />
     <Compile Include="System\Xml\XmlSecureResolver.cs" />
     <Compile Include="System\Xml\XmlUrlResolver.cs" />
-    <Compile Include="System\Xml\XmlUrlResolverAsync.cs" />
     <Compile Include="System\Xml\Core\CharEntityEncoderFallback.cs" />
     <Compile Include="System\Xml\Core\ConformanceLevel.cs" />
     <Compile Include="System\Xml\Core\DtdProcessing.cs" />
@@ -759,10 +762,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <ProjectReference Include="$(LibrariesProjectRoot)System.Text.RegularExpressions\gen\System.Text.RegularExpressions.Generator.csproj"
-                      ReferenceOutputAssembly="false"
-                      SetTargetFramework="TargetFramework=netstandard2.0"
-                      OutputItemType="Analyzer" />
+    <ProjectReference Include="$(LibrariesProjectRoot)System.Text.RegularExpressions\gen\System.Text.RegularExpressions.Generator.csproj" ReferenceOutputAssembly="false" SetTargetFramework="TargetFramework=netstandard2.0" OutputItemType="Analyzer" />
     <Reference Include="System.Collections" />
     <Reference Include="System.Collections.Concurrent" />
     <Reference Include="System.Collections.NonGeneric" />

src/libraries/System.Private.Xml/src/System/Xml/Core/LocalAppContextSwitches.cs

@@ -2,18 +2,19 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Runtime.CompilerServices;
+using SwitchesHelpers = System.LocalAppContextSwitches;
 
-namespace System
+namespace System.Xml
 {
-    internal static partial class LocalAppContextSwitches
+    internal static class LocalAppContextSwitches
     {
         private static int s_dontThrowOnInvalidSurrogatePairs;
         public static bool DontThrowOnInvalidSurrogatePairs
         {
             [MethodImpl(MethodImplOptions.AggressiveInlining)]
             get
             {
-                return GetCachedSwitchValue("Switch.System.Xml.DontThrowOnInvalidSurrogatePairs", ref s_dontThrowOnInvalidSurrogatePairs);
+                return SwitchesHelpers.GetCachedSwitchValue("Switch.System.Xml.DontThrowOnInvalidSurrogatePairs", ref s_dontThrowOnInvalidSurrogatePairs);
             }
         }
 
@@ -23,7 +24,7 @@ public static bool IgnoreEmptyKeySequences
             [MethodImpl(MethodImplOptions.AggressiveInlining)]
             get
             {
-                return GetCachedSwitchValue("Switch.System.Xml.IgnoreEmptyKeySequencess", ref s_ignoreEmptyKeySequences);
+                return SwitchesHelpers.GetCachedSwitchValue("Switch.System.Xml.IgnoreEmptyKeySequencess", ref s_ignoreEmptyKeySequences);
             }
         }
 
@@ -33,7 +34,7 @@ public static bool IgnoreKindInUtcTimeSerialization
             [MethodImpl(MethodImplOptions.AggressiveInlining)]
             get
             {
-                return GetCachedSwitchValue("Switch.System.Xml.IgnoreKindInUtcTimeSerialization", ref s_ignoreKindInUtcTimeSerialization);
+                return SwitchesHelpers.GetCachedSwitchValue("Switch.System.Xml.IgnoreKindInUtcTimeSerialization", ref s_ignoreKindInUtcTimeSerialization);
             }
         }
 
@@ -43,7 +44,7 @@ public static bool LimitXPathComplexity
             [MethodImpl(MethodImplOptions.AggressiveInlining)]
             get
             {
-                return GetCachedSwitchValue("Switch.System.Xml.LimitXPathComplexity", ref s_limitXPathComplexity);
+                return SwitchesHelpers.GetCachedSwitchValue("Switch.System.Xml.LimitXPathComplexity", ref s_limitXPathComplexity);
             }
         }
 
@@ -53,7 +54,17 @@ public static bool AllowDefaultResolver
             [MethodImpl(MethodImplOptions.AggressiveInlining)]
             get
             {
-                return GetCachedSwitchValue("Switch.System.Xml.AllowDefaultResolver", ref s_allowDefaultResolver);
+                return SwitchesHelpers.GetCachedSwitchValue("Switch.System.Xml.AllowDefaultResolver", ref s_allowDefaultResolver);
+            }
+        }
+
+        private static int s_isNetworkingEnabledByDefault;
+        public static bool IsNetworkingEnabledByDefault
+        {
+            [MethodImpl(MethodImplOptions.AggressiveInlining)]
+            get
+            {
+                return SwitchesHelpers.GetCachedSwitchValue("System.Xml.XmlResolver.IsNetworkingEnabledByDefault", ref s_isNetworkingEnabledByDefault);
             }
         }
     }

src/libraries/System.Private.Xml/src/System/Xml/Core/XmlReader.cs

@@ -1612,7 +1612,7 @@ public static XmlReader Create(string inputUri)
 
             // Avoid using XmlReader.Create(string, XmlReaderSettings), as it references a lot of types
             // that then can't be trimmed away.
-            return new XmlTextReaderImpl(inputUri, XmlReaderSettings.s_defaultReaderSettings, null, new XmlUrlResolver());
+            return new XmlTextReaderImpl(inputUri, XmlReaderSettings.s_defaultReaderSettings, null, XmlReaderSettings.GetDefaultPermissiveResolver());
         }
 
         // Creates an XmlReader according to the settings for parsing XML from the given Uri.

src/libraries/System.Private.Xml/src/System/Xml/Core/XmlReaderSettings.cs

@@ -321,7 +321,7 @@ internal XmlReader CreateReader(string inputUri, XmlParserContext? inputContext)
             ArgumentException.ThrowIfNullOrEmpty(inputUri);
 
             // resolve and open the url
-            XmlResolver tmpResolver = GetXmlResolver() ?? new XmlUrlResolver();
+            XmlResolver tmpResolver = GetXmlResolver() ?? GetDefaultPermissiveResolver();
 
             // create text XML reader
             XmlReader reader = new XmlTextReaderImpl(inputUri, this, inputContext, tmpResolver);
@@ -436,7 +436,7 @@ internal XmlReader AddValidation(XmlReader reader)
 
                 if (resolver == null && !IsXmlResolverSet)
                 {
-                    resolver = new XmlUrlResolver();
+                    resolver = GetDefaultPermissiveResolver();
                 }
             }
 
@@ -623,6 +623,11 @@ private XmlReader AddConformanceWrapper(XmlReader baseReader)
             return baseReader;
         }
 
+        internal static XmlResolver GetDefaultPermissiveResolver()
+        {
+            return LocalAppContextSwitches.IsNetworkingEnabledByDefault ? new XmlUrlResolver() : XmlResolver.FileSystemResolver;
+        }
+
         [DoesNotReturn]
         [StackTraceHidden]
         private static void ThrowArgumentOutOfRangeException(string paramName)

src/libraries/System.Private.Xml/src/System/Xml/Core/XmlTextReaderImpl.cs

@@ -2532,7 +2532,7 @@ private bool IsResolverNull
 
         private XmlResolver GetTempResolver()
         {
-            return _xmlResolver ?? new XmlUrlResolver();
+            return _xmlResolver ?? XmlReaderSettings.GetDefaultPermissiveResolver();
         }
 
         internal bool DtdParserProxy_PushEntity(IDtdEntityInfo entity, out int entityId)

src/libraries/System.Private.Xml/src/System/Xml/Core/XmlValidatingReaderImpl.cs

@@ -1082,7 +1082,7 @@ private void SetupValidation(ValidationType valType)
             if (tempResolver == null && !_coreReaderImpl.IsResolverSet)
             {
                 // it is safe to return valid resolver as it'll be used in the schema validation
-                return s_tempResolver ??= new XmlUrlResolver();
+                return s_tempResolver ??= XmlReaderSettings.GetDefaultPermissiveResolver();
             }
 
             return tempResolver;

src/libraries/System.Private.Xml/src/System/Xml/Schema/XmlSchemaSet.cs

@@ -106,7 +106,7 @@ public XmlSchemaSet(XmlNameTable nameTable)
             if (_readerSettings.GetXmlResolver() == null)
             {
                 // The created resolver will be used in the schema validation only
-                _readerSettings.XmlResolver = new XmlUrlResolver();
+                _readerSettings.XmlResolver = XmlReaderSettings.GetDefaultPermissiveResolver();
                 _readerSettings.IsXmlResolverSet = false;
             }
 
@@ -232,7 +232,7 @@ internal Hashtable SchemaLocations
             lock (InternalSyncObject)
             {
                 //Check if schema from url has already been added
-                XmlResolver tempResolver = _readerSettings.GetXmlResolver() ?? new XmlUrlResolver();
+                XmlResolver tempResolver = _readerSettings.GetXmlResolver() ?? XmlReaderSettings.GetDefaultPermissiveResolver();
                 Uri tempSchemaUri = tempResolver.ResolveUri(null, schemaUri);
                 if (IsSchemaLoaded(tempSchemaUri, targetNamespace, out schema))
                 {

src/libraries/System.Private.Xml/src/System/Xml/XmlDownloadManager.cs

@@ -1,13 +1,14 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
 using System.IO;
 using System.Net;
+using System.Net.Http;
+using System.Threading.Tasks;
 
 namespace System.Xml
 {
-    internal sealed partial class XmlDownloadManager
+    internal static class XmlDownloadManager
     {
         internal static Stream GetStream(Uri uri, ICredentials? credentials, IWebProxy? proxy)
         {
@@ -22,5 +23,44 @@ internal static Stream GetStream(Uri uri, ICredentials? credentials, IWebProxy?
                 return GetNonFileStreamAsync(uri, credentials, proxy).GetAwaiter().GetResult();
             }
         }
+
+        internal static Task<Stream> GetStreamAsync(Uri uri, ICredentials? credentials, IWebProxy? proxy)
+        {
+            if (uri.Scheme == "file")
+            {
+                Uri fileUri = uri;
+                return Task.FromResult<Stream>(new FileStream(fileUri.LocalPath, FileMode.Open, FileAccess.Read, FileShare.Read, 1, useAsync: true));
+            }
+            else
+            {
+                return GetNonFileStreamAsync(uri, credentials, proxy);
+            }
+        }
+
+        private static async Task<Stream> GetNonFileStreamAsync(Uri uri, ICredentials? credentials, IWebProxy? proxy)
+        {
+            var handler = new HttpClientHandler();
+            using (var client = new HttpClient(handler))
+            {
+#pragma warning disable CA1416 // Validate platform compatibility, 'credentials' and 'proxy' will not be set for browser, so safe to suppress
+                if (credentials != null)
+                {
+                    handler.Credentials = credentials;
+                }
+                if (proxy != null)
+                {
+                    handler.Proxy = proxy;
+                }
+#pragma warning restore CA1416
+
+                using (Stream respStream = await client.GetStreamAsync(uri).ConfigureAwait(false))
+                {
+                    var result = new MemoryStream();
+                    respStream.CopyTo(result);
+                    result.Position = 0;
+                    return result;
+                }
+            }
+        }
     }
 }

src/libraries/System.Private.Xml/src/System/Xml/XmlResolver.FileSystemResolver.cs

@@ -0,0 +1,54 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.IO;
+using System.Threading.Tasks;
+
+namespace System.Xml
+{
+    public abstract partial class XmlResolver
+    {
+        /// <summary>
+        /// Gets an XML resolver which resolves only file system URIs.
+        /// </summary>
+        /// <value>An XML resolver which resolves only file system URIs.</value>
+        /// <remarks>
+        /// Calling <see cref="GetEntity"/> or <see cref="GetEntityAsync"/> on the
+        /// <see cref="XmlResolver"/> instance returned by this property will resolve only URIs which scheme is file.
+        /// </remarks>
+        public static XmlResolver FileSystemResolver => XmlFileSystemResolver.s_singleton;
+
+        // An XML resolver that resolves only file system URIs.
+        private sealed class XmlFileSystemResolver : XmlResolver
+        {
+            internal static readonly XmlFileSystemResolver s_singleton = new();
+
+            // Private constructor ensures existing only one instance of XmlFileSystemResolver
+            private XmlFileSystemResolver() { }
+
+            public override object? GetEntity(Uri absoluteUri, string? role, Type? ofObjectToReturn)
+            {
+                if ((ofObjectToReturn is null || ofObjectToReturn == typeof(Stream) || ofObjectToReturn == typeof(object))
+                    && absoluteUri.Scheme == "file")
+                {
+                    return new FileStream(absoluteUri.LocalPath, FileMode.Open, FileAccess.Read, FileShare.Read, 1);
+                }
+
+                throw new XmlException(SR.Xml_UnsupportedClass, string.Empty);
+            }
+
+            public override Task<object> GetEntityAsync(Uri absoluteUri, string? role, Type? ofObjectToReturn)
+            {
+                if (ofObjectToReturn == null || ofObjectToReturn == typeof(Stream) || ofObjectToReturn == typeof(object))
+                {
+                    if (absoluteUri.Scheme == "file")
+                    {
+                        return Task.FromResult<object>(new FileStream(absoluteUri.LocalPath, FileMode.Open, FileAccess.Read, FileShare.Read, 1, useAsync: true));
+                    }
+                }
+
+                throw new XmlException(SR.Xml_UnsupportedClass, string.Empty);
+            }
+        }
+    }
+}