Hi all!

I received some bug reports about Sanitizer API during the beta phase, and
will disable the flag for M145 again to take care of the bugs first. I'll
try to get it all fixed & included again in M146.

On Mon, Dec 15, 2025 at 3:40 PM Chromestatus <[email protected]> wrote:

> *Contact emails*
> [email protected]
>
> *Explainer*
> https://github.com/WICG/sanitizer-api/blob/main/explainer.md
>
> *Specification*
> https://wicg.github.io/sanitizer-api
>
> *Summary*
> The Sanitizer API offers an easy-to-use and safe-by-default HTML Sanitizer
> API, which developers can use to remove content that may execute script
> from arbitrary, user-supplied HTML content. The goal is to make it easier
> to build XSS-free web applications. This follows previous attempts at
> establishing a Sanitizer API (
> https://chromestatus.com/feature/5786893650231296), which we unshipped
> again (https://chromestatus.com/feature/5115076981293056). The
> specification has meanwhile progressed and now has widespread support.
>
> *Blink component*
> Blink>SecurityFeature>SanitizerAPI
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ESanitizerAPI%22>
>
> *Web Feature ID*
> SanitizerAPI <https://webstatus.dev/features/SanitizerAPI>
>
> *Motivation*
> User input sanitization is a necessary and common activity of many web
> applications, but it's difficult to get right. As a component of the web
> platform it's easier to harden the sanitizer implementation and keep it
> up-to-date. Offering a high-quality sanitizer with good defaults (without
> blocking developers from using their own, if they choose) would improve
> security, and make it more accessible.
>
> *Initial public proposal*
> https://wicg.github.io/sanitizer-api/
>
> *TAG review*
> https://github.com/w3ctag/design-reviews/issues/619
>
> *TAG review status*
> Issues addressed
>
> *Risks*
>
>
> *Interoperability and Compatibility*
> *No information provided*
>
> *Gecko*: Positive (
> https://github.com/mozilla/standards-positions/issues/106) Sanitizer API
> is enabled in Firefox nightly:
> https://www.firefox.com/en-US/firefox/148.0a1/releasenotes/
>
> *WebKit*: Support (https://github.com/WebKit/standards-positions/issues/86)
>
> *Web developers*: No signals
>
> *Other signals*: HTML: stage 2. (
> https://github.com/whatwg/html/issues/7197) TAG, early design review:
> https://github.com/w3ctag/design-reviews/issues/619
>
> *Security*
> https://wicg.github.io/sanitizer-api/#security-considerations
>
> *WebView application risks*
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
> *No information provided*
>
>
> *Debuggability*
> These APIs are readily accessible and testable using DevTools.
>
> *Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?*
> Yes
>
> *Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
> Yes
>
> https://wpt.fyi/results/sanitizer-api?label=experimental&label=master&aligned
>
> *Flag name on about://flags*
> *No information provided*
>
> *Finch feature name*
> SanitizerAPI
>
> *Rollout plan*
> Will ship enabled for all users
>
> *Requires code in //chrome?*
> False
>
> *Tracking bug*
> https://issues.chromium.org/issues/40138584
>
> *Estimated milestones*
> Shipping on desktop 145
> Shipping on Android 145
> Shipping on WebView 145
>
> *Anticipated spec changes*
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
> We expect to "upstream" the current WICG specification to become part of
> HTML proper. See: https://github.com/whatwg/html/issues/7197
>
> *Link to entry on the Chrome Platform Status*
> https://chromestatus.com/feature/5814067399491584?gate=5398359461068800
>
> *Links to previous Intent discussions*
> Intent to Prototype:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP0LBdNCieNydc6dfObByS2kCg1B2yvd6eZJHGTkW%2Bd-w%40mail.gmail.com
>
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com>.
>

To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNqJT4jL5cnrAnu%2BZa5ghYzZ9w4Ma__RmbNMnjo2wT%2B_Q%40mail.gmail.com.
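As an added example (not code from this thread, from Chromium, or from the spec editors): how a page would use the API described in the quoted intent to render user-supplied HTML, plus a wrapper that fails closed instead of falling back to innerHTML when the API is absent. The method and option names (Element.setHTML, the sanitizer option, the elements/attributes/comments/dataAttributes config keys) follow the WICG specification linked above; the element id "comment", the allowlist contents, and the payload strings are assumptions made for illustration, and the findScriptCapable() walker is a partial spot check for the demo, not a sanitizer.

```javascript
// Added example, not code from the original thread. Assumes the Sanitizer API
// as specified at https://wicg.github.io/sanitizer-api (Element.setHTML with a
// { sanitizer } option). The allowlist, element id and payloads are constructed.

// Allowlist for a comment widget: formatting markup only. setHTML() is the
// "safe" entry point, so even a config that named <script> or onclick would
// not let script-executing content through; the short list just keeps the
// allowed surface small.
const COMMENT_CONFIG = {
  elements: ['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br'],
  attributes: ['href'],
  comments: false,
  dataAttributes: false,
};

// Constructed payloads, each of which runs script if assigned to innerHTML.
const PAYLOADS = [
  '<p>hi</p><script>alert(1)</script>',
  '<img src=x onerror="alert(1)">',
  '<a href="javascript:alert(1)">click</a>',
  '<svg><animate onbegin="alert(1)" attributeName="x"></svg>',
];

// Render untrusted HTML into `target`. Throws, rather than falling back to
// innerHTML, when the browser lacks the API: a missing feature fails closed.
function renderUntrusted(target, html, config = COMMENT_CONFIG) {
  if (typeof target.setHTML !== 'function') {
    throw new Error('Sanitizer API not available; refusing to use innerHTML');
  }
  // setHTML, not setHTMLUnsafe: the safe variant always drops
  // script-capable content regardless of what the config allows.
  target.setHTML(html, { sanitizer: config });
  return target;
}

// Partial spot check over a rendered subtree: reports script elements,
// on* event-handler attributes and javascript: URLs. It does not cover every
// script-capable construct (srcdoc, <object>, ...) and is not a sanitizer.
function findScriptCapable(root) {
  const hits = [];
  const stack = [root];
  while (stack.length) {
    const node = stack.pop();
    if (node.nodeType !== 1) continue; // element nodes only
    const tag = node.localName;
    if (tag === 'script') hits.push(`<${tag}>`);
    for (const attr of node.attributes || []) {
      if (/^on/i.test(attr.name)) hits.push(`${tag}[${attr.name}]`);
      if (/^\s*javascript:/i.test(attr.value)) hits.push(`${tag}[${attr.name}=javascript:]`);
    }
    for (const child of node.children || []) stack.push(child);
  }
  return hits;
}

// Browser-only driver; skipped when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  const box = document.getElementById('comment'); // assumed element id
  for (const p of PAYLOADS) {
    renderUntrusted(box, p);
    console.log(JSON.stringify(findScriptCapable(box)), '<-', p);
  }
}
```

In a browser with the flag enabled, every line the driver logs is `[]`: the script element, the onerror/onbegin handlers and the javascript: href are all removed by setHTML() before insertion. The same walker run over innerHTML-inserted copies of the payloads would report a hit for each, which is the difference the intent's "safe by default" wording refers to.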