The experiment was also enabled on 50% of Beta. Wouldn't that catch potential Enterprise breakages?
On Tuesday, May 13, 2025 at 8:25:44 PM UTC+2 Alex Russell wrote: > LGTM3 with the caveat that we likely have risks to enterprise apps that > wouldn't have been visible from the 10% Finch experiement, and so we should > do this on-by-default in Beta for most of a cycle, and make sure that we > have a kill-switch in place in case of potential enterprise breakage in > Stable. > > Best, > > Alex > > On Tuesday, May 13, 2025 at 10:49:45 AM UTC-7 Michał Bentkowski wrote: > >> Thanks! I updated the "Interoperability and Compatibility Risks" already >> on ChromeStatus. >> *--* >> *Cheers,* >> *Michał* >> >> >> On Tue, May 13, 2025 at 7:47 PM Daniel Bratell <brat...@gmail.com> wrote: >> > LGTM2 >>> >>> You left the Compatibility field empty which I don't think is accurate. >>> There is always a risk that sites depend on the exact output of a function >>> so please keep an eye open for any reported issues. >>> >>> /Daniel >>> On 2025-05-13 07:55, 'Michał Bentkowski' via blink-dev wrote: >>> >> Thank you! >>> >>> I added the relevant information on ChromeStatus. >>> *--* >>> *Cheers,* >>> *Michał* >>> >>> >>> On Tue, May 13, 2025 at 7:39 AM Domenic Denicola <dom...@chromium.org> >>> wrote: >>> >>> LGTM1, but please update the following bits on ChromeStatus: >>>> >>>> - Estimated milestones. This is important for ensuring developers >>>> have an accurate picture of when changes like this are rolling out. >>>> Especially if this will be a gradual rollout of some sort, or has >>>> previously been tested in a gradual manner, that information needs to >>>> be >>>> captured. >>>> - Interop and Compat impact: this definitely has compat impact. >>>> Please summarize how this can change the behavior of web pages, and why >>>> we >>>> believe it's safe. (You've done that elsewhere, but recording it in >>>> ChromeStatus is helpful as that's a source of data we consult looking >>>> backward.) >>>> >>>> >>>> >>>> On Tue, May 13, 2025 at 5:17 AM 'Michał Bentkowski' via blink-dev < >>>> blin...@chromium.org> wrote: >>>> >>> >>>>> Out of curiosity, which platforms will this not be supported on, and >>>>> why? >>>>> >>>>> >>>>> Sorry, I put the wrong value there -- it will be supported on all >>>>> platforms. >>>>> >>>>> >>>>> Given that Firefox has implemented this (Nightly-only), as well as >>>>> Safari (not landed yet?), do we know why >>>>> https://github.com/whatwg/html/pull/6362 hasn't been merged yet? >>>>> >>>>> >>>>> Anne left a comment: "We should probably hold off until Chromium has >>>>> actually deployed this?" so I think that's the reason. >>>>> >>>>> >>>>> Thanks, >>>>> Alison >>>>> >>>>> On Friday, May 9, 2025 at 2:18:27 AM UTC-7 Chromestatus wrote: >>>>> >>>>> Contact emails secur...@google.com >>>>> >>>>> Explainer https://github.com/whatwg/html/issues/6235 >>>>> >>>>> Specification https://github.com/whatwg/html/issues/6235 >>>>> >>>>> Summary >>>>> >>>>> Escape "<" and ">" in values of attributes on serialization. This >>>>> mitigates the risk of mutation XSS attacks, which occur when value of an >>>>> attribute is interpreted as a start tag token after being serialized and >>>>> re-parsed. >>>>> >>>>> >>>>> Blink component Blink>HTML>Parser >>>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22> >>>>> >>>>> >>>>> TAG review Details are shared on >>>>> https://github.com/whatwg/html/issues/6235. The change was tested >>>>> with Finch, ending on 10% of Stable. No web compat risks were observed. >>>>> The >>>>> only signal we got was that it broke a unit/e2e test which checked the >>>>> exact content of HTML generated by Chromium. >>>>> >>>>> TAG review status Not applicable >>>>> >>>>> Risks >>>>> >>>>> >>>>> Interoperability and Compatibility >>>>> >>>>> None >>>>> >>>>> >>>>> *Gecko*: Positive ( >>>>> https://github.com/mozilla/standards-positions/issues/1209) >>>>> >>>>> *WebKit*: Positive (https://github.com/WebKit/WebKit/pull/44842) >>>>> >>>>> *Web developers*: No signals >>>>> >>>>> *Other signals*: >>>>> >>>>> WebView application risks >>>>> >>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>> that it has potentially high risk for Android WebView-based applications? >>>>> >>>>> None >>>>> >>>>> >>>>> Debuggability >>>>> >>>>> None >>>>> >>>>> >>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? No >>>>> >>>>> Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>> ? Yes >>>>> >>>>> Flag name on about://flags enable-experimental-web-platform-features >>>>> >>>>> Finch feature name EscapeLtGtInAttributes >>>>> >>>>> Rollout plan Will ship enabled for all users >>>>> >>>>> Requires code in //chrome? False >>>>> >>>>> Estimated milestones >>>>> >>>>> No milestones specified >>>>> >>>>> >>>>> Anticipated spec changes >>>>> >>>>> Open questions about a feature may be a source of future web compat or >>>>> interop issues. Please list open issues (e.g. links to known github >>>>> issues >>>>> in the project for the feature specification) whose resolution may >>>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>>> of >>>>> the API in a non-backward-compatible way). >>>>> None >>>>> >>>>> Link to entry on the Chrome Platform Status >>>>> https://chromestatus.com/feature/6264983847174144?gate=5114900925644800 >>>>> >>>>> This intent message was generated by Chrome Platform Status >>>>> <https://chromestatus.com>. >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> >>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+unsubscr...@chromium.org. >>>> >>>> >>>>> To view this discussion visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1cd243fc-6071-46d5-8178-132fcd909b10n%40chromium.org >>>>> >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1cd243fc-6071-46d5-8178-132fcd909b10n%40chromium.org?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> >>> >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHamrfXTQ4390_BWE0mcyCsaiOGXN_eEddCBbGfnN3RCcXnB9A%40mail.gmail.com >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAHamrfXTQ4390_BWE0mcyCsaiOGXN_eEddCBbGfnN3RCcXnB9A%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/ead93991-d170-4016-85d9-f01846ede045n%40chromium.org.
