Note that Mozilla is already working on their implementation for Firefox: https://groups.google.com/a/mozilla.org/g/dev-platform/c/S01KRQ_NpDU Actually, they've already implemented it (behind a pref), see https://bugzilla.mozilla.org/show_bug.cgi?id=1941347.
Sebastian On Friday, May 9, 2025 at 1:17:19 AM UTC+2 dom...@chromium.org wrote: > This change seems reasonable, but using the Web-Facing PSA process > <https://www.chromium.org/blink/launching-features/#behavior-changes> for > it does not seem appropriate, given that Chromium is the first to do > this, the specification change is not yet merged, etc. Can you please > follow the normal shipping process > <https://www.chromium.org/blink/launching-features/#new-feature-process>, > and generate an Intent to Ship? > > On Fri, May 9, 2025 at 12:43 AM 'Michał Bentkowski' via blink-dev < > blin...@chromium.org> wrote: > >> Note: this change has been tested with Finch on 10% on Stable. As far as >> I'm aware we didn't receive any complaints. >> >> The only issue was that if a company has a unit/e2e test that checks the >> exact contents of HTML and uses Chromium to that, then the HTML >> serialization will be different (which is expected here). Note that the DOM >> tree is still the same. >> >> On Thursday, May 8, 2025 at 5:27:03 PM UTC+2 Chromestatus wrote: >> >>> Contact emails secur...@google.com >>> >>> Specification https://github.com/whatwg/html/issues/6235 >>> >>> Summary >>> >>> Escape "<" and ">" in values of attributes on serialization. This >>> mitigates the risk of mutation XSS attacks, which occur when value of an >>> attribute is interpreted as a start tag token after being serialized and >>> re-parsed. >>> >>> >>> Blink component Blink>HTML>Parser >>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22> >>> >>> >>> TAG review None >>> >>> TAG review status Not applicable >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> Please see >>> https://github.com/whatwg/html/issues/6235#issuecomment-2315325422 for >>> an overview of potential risks. The change has been under a flag for over a >>> year and as far as I'm aware, we received zero reports on any breakages. >>> I'd like to try to enable this change for a certain percentage of users of >>> Beta/Dev channels to find out whether it results in real world breakages. >>> >>> >>> *Gecko*: Positive (https://github.com/whatwg/html/pull/6362) >>> >>> *WebKit*: No signal >>> >>> *Web developers*: No signals >>> >>> *Other signals*: >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> None >>> >>> >>> Debuggability >>> >>> >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, ChromeOS, Android, and Android WebView)? Yes >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ? Yes >>> >>> If the change is made, then WPT will have to be updated to reflect it. >>> See Chromium-specific test for now: >>> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/html/syntax/serializing-html-fragments/serializing-expected.txt;l=1?q=third_party%2Fblink%2Fweb_tests%2Fexternal%2Fwpt%2Fhtml%2Fsyntax%2Fserializing-html-fragments%2Fserializing-expected.txt%20&sq= >>> >>> >>> Flag name on about://flags enable-experimental-web-platform-features >>> >>> Finch feature name EscapeLtGtInAttributes >>> >>> Rollout plan Will ship enabled for all users >>> >>> Requires code in //chrome? False >>> >>> Tracking bug >>> https://bugs.chromium.org/p/chromium/issues/detail?id=1175016 >>> >>> Estimated milestones >>> >>> No milestones specified >>> >>> >>> Anticipated spec changes >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> None >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/5083926074228736?gate=5072565227225088 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com>. >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f90fe241-475c-45c7-ab89-90c6e659e8b8n%40chromium.org >> >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f90fe241-475c-45c7-ab89-90c6e659e8b8n%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/15cdde89-cef4-4cbd-bbee-018a898660b2n%40chromium.org.
