LGTM3 with the caveat that we likely have risks to enterprise apps that wouldn't have been visible from the 10% Finch experiment, and so we should do this on-by-default in Beta for most of a cycle, and make sure that we have a kill-switch in place in case of potential enterprise breakage in Stable.

Best,
Alex

On Tuesday, May 13, 2025 at 10:49:45 AM UTC-7 Michał Bentkowski wrote:

> Thanks! I updated the "Interoperability and Compatibility Risks" already on ChromeStatus.
>
> --
> Cheers,
> Michał
>
> On Tue, May 13, 2025 at 7:47 PM Daniel Bratell <bratel...@gmail.com> wrote:
>
>> LGTM2
>>
>> You left the Compatibility field empty which I don't think is accurate. There is always a risk that sites depend on the exact output of a function so please keep an eye open for any reported issues.
>>
>> /Daniel
>>
>> On 2025-05-13 07:55, 'Michał Bentkowski' via blink-dev wrote:
>>
>> Thank you!
>>
>> I added the relevant information on ChromeStatus.
>>
>> --
>> Cheers,
>> Michał
>>
>> On Tue, May 13, 2025 at 7:39 AM Domenic Denicola <dome...@chromium.org> wrote:
>>
>>> LGTM1, but please update the following bits on ChromeStatus:
>>>
>>> - Estimated milestones. This is important for ensuring developers have an accurate picture of when changes like this are rolling out. Especially if this will be a gradual rollout of some sort, or has previously been tested in a gradual manner, that information needs to be captured.
>>> - Interop and Compat impact: this definitely has compat impact. Please summarize how this can change the behavior of web pages, and why we believe it's safe. (You've done that elsewhere, but recording it in ChromeStatus is helpful as that's a source of data we consult looking backward.)
>>>
>>> On Tue, May 13, 2025 at 5:17 AM 'Michał Bentkowski' via blink-dev <blink-dev@chromium.org> wrote:
>>>
>>>> Out of curiosity, which platforms will this not be supported on, and why?
>>>>
>>>> Sorry, I put the wrong value there -- it will be supported on all platforms.
>>>>
>>>> Given that Firefox has implemented this (Nightly-only), as well as Safari (not landed yet?), do we know why https://github.com/whatwg/html/pull/6362 hasn't been merged yet?
>>>>
>>>> Anne left a comment: "We should probably hold off until Chromium has actually deployed this?" so I think that's the reason.
>>>>
>>>> Thanks,
>>>> Alison
>>>>
>>>> On Friday, May 9, 2025 at 2:18:27 AM UTC-7 Chromestatus wrote:
>>>>
>>>> Contact emails: secur...@google.com
>>>>
>>>> Explainer: https://github.com/whatwg/html/issues/6235
>>>>
>>>> Specification: https://github.com/whatwg/html/issues/6235
>>>>
>>>> Summary
>>>>
>>>> Escape "<" and ">" in values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when value of an attribute is interpreted as a start tag token after being serialized and re-parsed.
>>>>
>>>> Blink component: Blink>HTML>Parser <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22>
>>>>
>>>> TAG review: Details are shared on https://github.com/whatwg/html/issues/6235. The change was tested with Finch, ending on 10% of Stable. No web compat risks were observed. The only signal we got was that it broke a unit/e2e test which checked the exact content of HTML generated by Chromium.
>>>>
>>>> TAG review status: Not applicable
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> None
>>>>
>>>> Gecko: Positive (https://github.com/mozilla/standards-positions/issues/1209)
>>>>
>>>> WebKit: Positive (https://github.com/WebKit/WebKit/pull/44842)
>>>>
>>>> Web developers: No signals
>>>>
>>>> Other signals:
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>>>
>>>> None
>>>>
>>>> Debuggability
>>>>
>>>> None
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? No
>>>>
>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? Yes
>>>>
>>>> Flag name on about://flags: enable-experimental-web-platform-features
>>>>
>>>> Finch feature name: EscapeLtGtInAttributes
>>>>
>>>> Rollout plan: Will ship enabled for all users
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Estimated milestones
>>>>
>>>> No milestones specified
>>>>
>>>> Anticipated spec changes
>>>>
>>>> Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
>>>>
>>>> None
>>>>
>>>> Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/6264983847174144?gate=5114900925644800
>>>>
>>>> This intent message was generated by Chrome Platform Status <https://chromestatus.com>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/ed4a1537-637b-4026-a841-66355b70bbe7n%40chromium.org.
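
The serialization change summarized in the quoted intent, and the exact-output compatibility concern raised in the replies, shown as an added JavaScript example. It is not part of the thread and not Chromium's code; the function names and the sample attribute value are constructed, and the decoder handles only the five character references this serializer emits.

```javascript
// Added illustration, not Chromium code. All names here are hypothetical.
// escapeLtGt = false models serialization before the change in this thread;
// escapeLtGt = true models it with "<" and ">" escaped in attribute values.
function escapeAttrValue(value, escapeLtGt) {
  let out = value
    .replace(/&/g, "&amp;")        // must run first so later entities survive
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
  if (escapeLtGt) {
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

function serializeStartTag(tagName, attrs, escapeLtGt) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => ` ${name}="${escapeAttrValue(value, escapeLtGt)}"`);
  return `<${tagName}${parts.join("")}>`;
}

// Decode only the five references the serializer above can emit.
function decodeAttrValue(text) {
  const map = { "&lt;": "<", "&gt;": ">", "&quot;": '"',
                "&nbsp;": "\u00A0", "&amp;": "&" };
  return text.replace(/&(?:lt|gt|quot|nbsp|amp);/g, (ref) => map[ref]);
}

// Value a parser would recover from the first attribute of a serialized tag.
function firstAttrValue(html) {
  return decodeAttrValue(html.match(/="([^"]*)"/)[1]);
}

// Count raw angle brackets left inside quoted attribute values.
function rawAngleBracketsInAttrs(html) {
  let count = 0;
  for (const m of html.matchAll(/="([^"]*)"/g)) {
    count += (m[1].match(/[<>]/g) || []).length;
  }
  return count;
}

// Constructed sample attribute value (benign text, not from the thread).
const SAMPLE = { title: 'if a<b && b>c say "ok"' };
const legacyHtml = serializeStartTag("div", SAMPLE, false);
const escapedHtml = serializeStartTag("div", SAMPLE, true);
console.log(legacyHtml);
console.log(escapedHtml);
```

The parsed attribute value is identical in both modes; only code that compares the serialized string byte for byte sees a difference, which matches the single breakage signal reported from the Finch experiment.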