[blink-dev] Web-Facing Change PSA: Escape "<" and ">" in attributes on serialization

2025-05-08 Thread Chromestatus
Contact emails securit...@google.com Specification https://github.com/whatwg/html/issues/6235 Summary Escape "<" and ">" in values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when the value of an attribute is interpreted as a start tag token after

[blink-dev] PSA: HTMLFencedFrameElement.canLoadOpaqueURL() to be removed

2025-05-08 Thread Xiaochen Zhou
The functionality of canLoadOpaqueURL() was replaced with navigator.canLoadAdAuctionFencedFrame() in 2023. Calling the canLoadOpaqueURL() API has resulted in a deprecation console warning

Re: [blink-dev] Re: Intent to Implement and Ship: isSecurePaymentConfirmationAvailable API

2025-05-08 Thread Rick Byers
LGTM3 Sorry this fell off our radar (was due to re-using the existing chromestatus entry so looked fully approved in tooling already). On Wed, Apr 30, 2025 at 7:09 AM Mike Taylor wrote: > LGTM2 > On 4/28/25 5:43 PM, Chris Harrelson wrote: > > LGTM1. Please make sure to ping the standards positi

[blink-dev] Re: Web-Facing Change PSA: Escape "<" and ">" in attributes on serialization

2025-05-08 Thread 'Michał Bentkowski' via blink-dev
Note: this change has been tested with Finch on 10% on Stable. As far as I'm aware we didn't receive any complaints. The only issue was that if a company has a unit/e2e test that checks the exact contents of HTML and uses Chromium to do that, then the HTML serialization will be different (which is

Re: [blink-dev] Re: Intent to Ship: CSS Custom Functions (@function)

2025-05-08 Thread Yoav Weiss (@Shopify)
LGTM3 On Wednesday, May 7, 2025 at 4:51:41 PM UTC+2 Daniel Bratell wrote: > LGTM2 > > /Daniel > On 2025-05-06 20:36, Mike Taylor wrote: > > Thanks for the updates. > > LGTM1 > On 5/6/25 4:41 AM, Anders Hartvoll Ruud wrote: > > See updates inline: > > On Wed, Feb 26, 2025 at 10:10 PM Anders Hartvo

Re: [blink-dev] Intent to Ship: Pass 'Sec-Purpose: prefetch' header with

2025-05-08 Thread Yoav Weiss (@Shopify)
On Thu, May 8, 2025 at 11:11 PM Chromestatus < ad...@cr-status.appspotmail.com> wrote: > Contact emails steven...@microsoft.com > > Explainer https://github.com/w3c/resource-hints/issues/74 > > Specification > https://chromium-review.googlesource.com/c/chromium/src/+/6334746 That's not a specifi

[blink-dev] Intent to Ship: Pass 'Sec-Purpose: prefetch' header with

2025-05-08 Thread Chromestatus
Contact emails steven...@microsoft.com Explainer https://github.com/w3c/resource-hints/issues/74 Specification https://chromium-review.googlesource.com/c/chromium/src/+/6334746 Summary Chrome currently passes both 'Purpose: prefetch' and 'Sec-Purpose: prefetch' headers as part of prefetch t

[blink-dev] Ready for Developer Testing: Modulepreload Referrer Header Fix

2025-05-08 Thread Chromestatus
Contact emails hjanusc...@gmail.com Explainer None Specification https://html.spec.whatwg.org/multipage/webappapis.html#concept-script-fetch-options-referrer-policy Summary Fixes modulepreload to properly send referrer headers by using ClientReferrerString() instead of NoReferrer(). This al

Re: [blink-dev] Re: Web-Facing Change PSA: Escape "<" and ">" in attributes on serialization

2025-05-08 Thread Domenic Denicola
This change seems reasonable, but using the Web-Facing PSA process for it does not seem appropriate, given that Chromium is the first to do this, the specification change is not yet merged, etc. Can you please follow the normal s