This change seems reasonable, but using the Web-Facing PSA process <https://www.chromium.org/blink/launching-features/#behavior-changes> for it does not seem appropriate, given that Chromium is the first to do this, the specification change is not yet merged, etc. Can you please follow the normal shipping process <https://www.chromium.org/blink/launching-features/#new-feature-process>, and generate an Intent to Ship?
On Fri, May 9, 2025 at 12:43 AM 'Michał Bentkowski' via blink-dev < blink-dev@chromium.org> wrote: > Note: this change has been tested with Finch on 10% on Stable. As far as > I'm aware we didn't receive any complaints. > > The only issue was that if a company has a unit/e2e test that checks the > exact contents of HTML and uses Chromium to that, then the HTML > serialization will be different (which is expected here). Note that the DOM > tree is still the same. > > On Thursday, May 8, 2025 at 5:27:03 PM UTC+2 Chromestatus wrote: > >> Contact emails secur...@google.com >> >> Specification https://github.com/whatwg/html/issues/6235 >> >> Summary >> >> Escape "<" and ">" in values of attributes on serialization. This >> mitigates the risk of mutation XSS attacks, which occur when value of an >> attribute is interpreted as a start tag token after being serialized and >> re-parsed. >> >> >> Blink component Blink>HTML>Parser >> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22> >> >> TAG review None >> >> TAG review status Not applicable >> >> Risks >> >> >> Interoperability and Compatibility >> >> Please see >> https://github.com/whatwg/html/issues/6235#issuecomment-2315325422 for >> an overview of potential risks. The change has been under a flag for over a >> year and as far as I'm aware, we received zero reports on any breakages. >> I'd like to try to enable this change for a certain percentage of users of >> Beta/Dev channels to find out whether it results in real world breakages. >> >> >> *Gecko*: Positive (https://github.com/whatwg/html/pull/6362) >> >> *WebKit*: No signal >> >> *Web developers*: No signals >> >> *Other signals*: >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> >> Debuggability >> >> >> >> Will this feature be supported on all six Blink platforms (Windows, Mac, >> Linux, ChromeOS, Android, and Android WebView)? Yes >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ? Yes >> >> If the change is made, then WPT will have to be updated to reflect it. >> See Chromium-specific test for now: >> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/html/syntax/serializing-html-fragments/serializing-expected.txt;l=1?q=third_party%2Fblink%2Fweb_tests%2Fexternal%2Fwpt%2Fhtml%2Fsyntax%2Fserializing-html-fragments%2Fserializing-expected.txt%20&sq= >> >> >> Flag name on about://flags enable-experimental-web-platform-features >> >> Finch feature name EscapeLtGtInAttributes >> >> Rollout plan Will ship enabled for all users >> >> Requires code in //chrome? False >> >> Tracking bug >> https://bugs.chromium.org/p/chromium/issues/detail?id=1175016 >> >> Estimated milestones >> >> No milestones specified >> >> >> Anticipated spec changes >> >> Open questions about a feature may be a source of future web compat or >> interop issues. Please list open issues (e.g. links to known github issues >> in the project for the feature specification) whose resolution may >> introduce web compat/interop risk (e.g., changing to naming or structure of >> the API in a non-backward-compatible way). >> None >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/5083926074228736?gate=5072565227225088 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com>. >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f90fe241-475c-45c7-ab89-90c6e659e8b8n%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f90fe241-475c-45c7-ab89-90c6e659e8b8n%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra8wtLLsne%3DsO6JQTSOLjYxQbeBk2FA9%3DQJ6nSBFgEhvdQ%40mail.gmail.com.
