LGTM

On Fri, Jun 26, 2026 at 2:01 PM Mason Freed <[email protected]> wrote:

> Standard template below. But note that this is a request for a deprecation
> trial
> <https://developer.chrome.com/docs/web-platform/chrome-deprecation#:~:text=default%20from%20Chrome.-,Deprecation%20trial,-This%20is%20a>,
> starting M152 and going until M175. That's inline with the posted timeline
> <https://developer.chrome.com/docs/web-platform/deprecating-xslt#timeline_for_chrome>,
> allowing affected sites plenty of extra time to migrate away from XSLT, in
> case they cannot migrate before the feature is disabled by default in M158
> (Nov, 2026). Also note that this deprecation trial is being requested
> several milestones early to allow plenty of time to test before the feature
> is disabled.
>
> -----
> *Contact emails*
> [email protected]
>
> *Explainer*
> *No information provided*
>
> *Specification*
> *No information provided*
>
> *Design docs*
> *No information provided*
> https://github.com/whatwg/html/issues/11523
>
> *Summary*
> [XSLT v1.0](https://www.w3.org/TR/xslt-10/), which all browsers adhere
> to, was standardized in 1999. In the meantime, XSLT has evolved to v2.0 and
> v3.0, adding features, and growing apart from the old version frozen into
> browsers. This lack of advancement, coupled with the rise of JavaScript
> libraries and frameworks that offer more flexible and powerful DOM
> manipulation, has led to a significant decline in the use of client-side
> XSLT. Its role within the web browser has been largely superseded by
> JavaScript-based technologies, such as JSON and React. Chromium uses the
> **libxslt** library to process these transformations, and [libxslt was
> unmaintained](
> https://discourse.gnome.org/t/stepping-down-as-libxslt-maintainer/27615)
> for ~6 months of 2025. Libxslt is a complex, aging C codebase of the type
> notoriously susceptible to memory safety vulnerabilities like buffer
> overflows, which can lead to arbitrary code execution. Because client-side
> XSLT is now a niche, rarely-used feature, these libraries receive far less
> maintenance and security scrutiny than core JavaScript engines, yet they
> represent a direct, potent attack surface for processing untrusted web
> content. Indeed, XSLT is the source of several recent high-profile security
> exploits that continue to put browser users at risk. For these reasons,
> Chromium (along with both other browser engines) plans to deprecate and
> remove XSLT from the web platform. For more details, see this [Chrome for
> Developers article](
> https://developer.chrome.com/docs/web-platform/deprecating-xslt).
>
> *Blink component*
> Blink>XML
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EXML%22>
>
> *Web Feature ID*
> xslt <https://webstatus.dev/features/xslt>
>
> *TAG review*
> *No information provided*
>
> *TAG review status*
> Not applicable
>
> *Goals for experimentation*
> The tentative deprecation/removal plan would be as follows: - M142 (Oct
> 28, 2025): Early warning console messages added to Chrome. - M143 (Dec 2,
> 2025): Official deprecation of the API - deprecation warning messages begin
> to show in the console and in lighthouse. - M148 (March 10, 2026 Canary):
> Canary, Dev, and Beta releases begin disabling XSLT by default, as an
> early-warning. - M152 (Aug 25, 2026): Origin Trial (OT) and Enterprise
> Policy (EP) go live for testing. These allow sites and enterprises to
> continue using features past the removal date. - M158 (Nov 17, 2026): XSLT
> stops functioning on Stable releases, for all users other than Origin Trial
> and Enterprise Policy participants. - M176 (Aug 17, 2027): Origin Trial and
> Enterprise Policy stop functioning. XSLT is disabled for all users.
>
> *Risks*
>
>
> *Interoperability and Compatibility*
> Removal of this feature constitutes a compat risk, since sites that use
> XSLT will stop working when the feature is removed. Mitigations include a
> very long deprecation window, a polyfill, lots of outreach, and both origin
> trials and enterprise policies to allow sites even more time to migrate.
> The polyfill (https://github.com/mfreed7/xslt_polyfill) is specifically
> built to mimic the existing behavior of Chrome as closely as possible. In
> most cases, it is a single-line drop-in fix for a lack of XSLT in the
> browser. According to my analysis, about 75% of sites that hit the use
> counter don't appear to be visibly broken. Of the 25% that do appear broken
> in some way (e.g. some components not rendering, or raw XML output instead
> of transformed HTML), 82% have their functionality restored by the addition
> of the polyfill. Of the 18% that can't use the polyfill, the primary reason
> seems to be CORS restrictions, as detailed in the polyfill documentation.
> And even if site owners take no action, individual users can install the
> browser extension(https://github.com/mfreed7/xslt_extension), which uses
> the polyfill, to get back full functionality.
>
> *Gecko*: Positive (
> https://github.com/whatwg/html/issues/11523#issuecomment-3149788558)
>
> *WebKit*: Positive (
> https://github.com/whatwg/html/issues/11523#issuecomment-3149280766)
>
> *Web developers*: Negative (
> https://github.com/whatwg/html/issues/11523#issuecomment-3150969971) Existing
> users of XSLT are understandably negative on this removal, and have been
> very vocal about it on the standards issue and elsewhere. There are also
> mixed/positive reactions from some folks in the public discussions, who
> seem to agree with the removal of XSLT from browsers. But the
> average/overall developer opinion (as measured by comments on public
> threads) is negative. Various public discussions: -
> https://news.ycombinator.com/item?id=44952185 -
> https://www.reddit.com/r/programming/comments/1mxdm22/xslt_removal_will_break_multiple_government_and/
>  - https://news.ycombinator.com/item?id=44987346 -
> https://news.ycombinator.com/item?id=44987552 -
> https://news.ycombinator.com/item?id=44987239 -
> https://news.ycombinator.com/item?id=44909599
>
> *Other signals*:
>
> *Activation*
> See above - the polyfill and extension will ease the migration burden.
>
> *Security*
> This removal constitutes a big win for security, in that it removes a
> highly-vulnerable external library from Chromium.
>
> *WebView application risks*
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
> In the same way that this poses a compat risk on the open web, it poses a
> risk for WebView applications.
>
>
> *Ongoing technical constraints*
> *No information provided*
>
> *Debuggability*
> *No information provided*
>
> *Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?*
> Yes
>
> *Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
> Yes
> These tests verify the functionality of XSLT. They will need to be
> changed/removed: https://wpt.fyi/results/dom/xslt
>
> *Flag name on about://flags*
> XSLT
>
> *Finch feature name*
> XSLT
>
> *Requires code in //chrome?*
> False
>
> *Tracking bug*
> https://crbug.com/435623334
>
> *Estimated milestones*
> Origin trial desktop first 152
> Origin trial desktop last 175
> DevTrial on desktop 143
> Origin trial Android first 152
> Origin trial Android last 175
> DevTrial on Android 143
> Origin trial WebView first 152
> Origin trial WebView last 175
> Rollout step 1 176
> Rollout step 2 143
> Rollout step 3 152
> Rollout step 4 158
>
> *Link to entry on the Chrome Platform Status*
> https://chromestatus.com/feature/4709671889534976?gate=5148216907661312
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com/>.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhO%3D2mNq8QyzU5Ah9z8FR6pO9tct9G_prKD6bdtAE7cwA%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhO%3D2mNq8QyzU5Ah9z8FR6pO9tct9G_prKD6bdtAE7cwA%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_y-z_SFYyxGf0vcQ5xZL6VLh5Uiw-48m2OfAvGe-F_aA%40mail.gmail.com.

Reply via email to