| ▲ | shakna 2 days ago |
| As of the next version of Chrome, XSLT will be gated behind a flag. Google have also asked for it to be removed from the standard [0]. [0] https://github.com/WHATWG/html/issues/11523 |
|
| ▲ | chrismorgan 2 days ago | parent | next [-] |
| > As of the next version of Chrome, XSLT will be gated behind a flag. Citation? That would greatly surprise me in its abruptness and severity (they only just started talking about it this month, and acknowledge it’s particularly risky for enterprise) and https://chromestatus.com/feature/4709671889534976 gives no such indication. |
| |
| ▲ | shakna 2 days ago | parent [-] | | The meeting referenced there, from March not last month, also gives no indication that they'd go ahead and make any moves - "stick a pin in it". But they did anyway. [0] panos: next item, removing XSLT. There are usage numbers. stephen: I have concerns. I kept this up to date historically for Chromium, and I don't trust the use counters based on my experience. Total usage might be higher. dan: even if the data were accurate, not enough zeros for the usage to be low enough. mason: is XSLT supported officially? simon: supported mason: maybe we could just mark it deprecated in the spec, to make the statement that we're not actively working on it. brian: we could do that on MDN too. This would be the first time we have something baseline widely available that we've marked as removed. dan: maybe we could offer helpful pointers to alternatives that are better, and why they're better. panos: maybe a question for olli. But I like brian's suggestion to mark it in all the places. dan: it won't go far unless developers know what to use instead. brian: talk about it in those terms also. Would anyone want to come on the podcast and talk about it? I'm guessing people will have objections. emilio: we have a history of security bugs, etc. stephen: yeah that was a big deal mason: yeah we get bugs about it and have to basically ignore them, which sucks brian: people do use it and some like it panos: put a pin in it, and talk with olli next time? panos: next thing is file upload control rendering [0] https://github.com/whatwg/html/issues/11146#issuecomment-275... | | |
| ▲ | magicalist 2 days ago | parent | next [-] | | > But they did anyway. Did what? The GP asked for a citation for XSLT support going behind a flag in the next version of Chrome, but you forgot to add that. As best as I can tell, the GP is right and you're confused. | | |
| ▲ | troupo a day ago | parent [-] | | Tracking issue: https://issues.chromium.org/issues/435623334 Add flag to disable XSLT: https://chromium-review.googlesource.com/c/chromium/src/+/68... It's approved, I don't know which release it will be. Additionally, quote from the GitHub discussion: --- start quote --- Q: why has Chrome already started working on removing the feature from the browser? A: To explore the effects of removal. It's hard to tell what will break without being able to turn it off and see. https://github.com/whatwg/html/issues/11582#issuecomment-320... --- end quote --- | | |
| ▲ | afavour a day ago | parent [-] | | > The GP asked for a citation for XSLT support going behind a flag in the next version of Chrome > Add flag to disable XSLT Two very different things. OP is talking about XSLT support going behind a flag, you’re citing XSLT deprecation going behind a flag. The default state matters (and the default state is undeprecated) It makes sense that the Chrome team would do what they’re doing, otherwise it’s very difficult for anyone to assess the impact of XSLT deprecation. | | |
| ▲ | chrismorgan a day ago | parent | next [-] | | I’d reword that: Google haven’t deprecated it (yet), they’ve added a flag whereby you can disable it (which, at this stage, is only being used by a test). “Deprecate” has a specific meaning, largely unrelated to actual removal (though depending on the convention it may be expected to lead to it after some time). | |
| ▲ | troupo a day ago | parent | prev [-] | | > OP is talking about XSLT support going behind a flag, you’re citing XSLT deprecation going behind a flag. Literally from my link: --- start quote --- Add a feature flag to disable XSLT This adds a feature flag that disables: - XSLTProcessor - XSLT Processing Instructions --- end quote --- | | |
| ▲ | afavour a day ago | parent [-] | | Literally from my comment: > The default state matters (and the default state is undeprecated) OP said “ But they did anyway”, and they did not |
|
|
|
| |
| ▲ | chrismorgan 2 days ago | parent | prev [-] | | By “started talking about it this month” I meant this specific advocation for removing it. Yes, it’s been talked about for years, but this time it’s specific. | | |
| ▲ | shakna 2 days ago | parent [-] | | > brian: we could do that on MDN too. This would be the first time we have something baseline widely available that we've marked as removed. They were advocating for removing it. And it was specific. And is labelled by the Chromium report you mentioned as the cause. It wasn't "this month". | | |
| ▲ | chrismorgan a day ago | parent [-] | | Again, that’s prior discussion. It’s happened a few times over the last few years. Then another few months pass, and one of the agitators goes about formally proposing removing it, so that finally it isn’t just murmurings more or less behind closed doors, but out in public for the developers to clamour about. That’s where we are this month. | | |
| ▲ | shakna a day ago | parent [-] | | Again, that prior discussion that you're dismissing as irrelevant - is the discussion the Chromium report links to! I don't think that can really get more definitive as cause and effect. | | |
| ▲ | chrismorgan a day ago | parent [-] | | I’m not calling it irrelevant, just not part of the actual proposal and ensuing furore, which began this month. We discover there have been mutterings of this for years, and certainly those things led up to it, but this was the first public intimation. They don’t ever say “hi public, we know this is the first you’ve heard about it, but we’re removing a major feature next month”, which is basically what you were claiming (or what it amounted to). Far simpler and less controversial changes have taken many months to be shipped. | | |
| ▲ | shakna 14 hours ago | parent [-] | | Again, Google themselves say it was part of the discussion and where things started. So why do you know better than the Chromium team? |
|
|
|
|
|
|
|
|
| ▲ | simpaticoder 2 days ago | parent | prev | next [-] |
| It's kind of too bad XSLT didn't take off. It is quite complex, until you compare it to the complexity of what now solves this problem (e.g. a build step with React and webpack and javascript absolutely required on the client-side). As the OP ably demonstrates, XSLT provides a declarative, non-javascript, non-build way to solve the basic HTML component problem. Perhaps a devastating 0-day in V8 will make us really, really want an alternative to the current best practice. |
| |
| ▲ | shakna 2 days ago | parent | next [-] | | Whilst I can't be certain, I've been hearing that part of Google's want to move away from XSLT is two-fold - and relates to the idea of the security problem. Partly, there's increasing attacks against XML. And also, libxml2 has said "no" to security embargoes altogether. [0] They might well consider there to be 0-days waiting in XSLT. [0] https://news.ycombinator.com/item?id=44381093 | |
| ▲ | MrJohz a day ago | parent | prev | next [-] | | I think the big difference there is that browsers are only responsible for Javascript, which is a big general purpose solution that solves a lot of problems and not just templating/styling XML. Everything else either happens server-side (build steps and webpack) or is userland code that lives inside the sandbox. So there's one task for browsers to do (make a fast and secure Javascript sandbox), and if that works that developers can do whatever they want. Whereas XSLT is not a general purpose tool in the same way, and so needs to be maintained in addition to Javascript and anything else that exists. If course XSLT can also be used server-side (which is probably a good idea if you want access to the latest features and not some ancient, frozen version of the spec), but browsers aren't the reason that that didn't take off. My guess there is that it's just not an intuitive way of manipulating and templating data in comparison to more traditional HTML templating libraries. | |
| ▲ | AgentME 2 days ago | parent | prev | next [-] | | React supports rendering to HTML ahead of time (SSR) which doesn't need any client-side javascript, and this is a prominent feature of most frameworks using React. This feature of React was one of its major innovations over many other front-end frameworks of the time. | | |
| ▲ | degamad a day ago | parent [-] | | > React supports rendering to HTML ahead of time (SSR)... So does XSLT? | | |
| ▲ | throwaway290 a day ago | parent [-] | | Literally not one person said XSLT can't do it. But in case you missed it somebody did said React can't do it and so XSLT is better. > build step with React and webpack and javascript absolutely required on the client-side This was a false statement. both XSLT and React can be used for this except React can additionally do a bunch of other stuff that does use JS and that XSLT can't do. |
|
| |
| ▲ | bawolff a day ago | parent | prev [-] | | I don't think react is comparable. React's main thinh is client side reactivity, something that xslt doesn't offer. A closer comparison would be a templating engine that does statuc conversion to html. |
|
|
| ▲ | notpushkin 2 days ago | parent | prev | next [-] |
| Yeah, I think that was what prompted this submission. All this has also reignited my idea for a compile-to-XSLT templating language, too – maybe I’ll get to it finally this time; definitely if XSLT 3.0 gets into web standards: https://github.com/whatwg/html/issues/11578, https://news.ycombinator.com/item?id=44987552 Also, I’ve put together a simple XSLT playgroung a while ago! https://xsltbin.ale.sh/ |
| |
|
| ▲ | SnuffBox 2 days ago | parent | prev | next [-] |
| I find it bizarre that Google can just ask for a feature to be removed from standard and nobody bats an eye. |
| |
| ▲ | johncolanduoni 2 days ago | parent | next [-] | | To be fair, some things should be legitimately considered to be removed from the standard. O.G. XHTML basically mandated that you accept XML logic bombs and we got over that. Also, while this is certainly Google throwing their weight around, I don’t think they are doing it for monetary advantage. I’m not sure how removing XSLT burnishes their ad empire the way things like nerfing ManifestV3 have. I think their stated reasons - that libxslt is a security disaster zone for an obscure 90s-era feature - is earnest even if its not actually in the broader web’s best interests. Now that Safari is publicly on board to go second, I suspect it’s an inevitability. | | |
| ▲ | Mikhail_Edoshin a day ago | parent [-] | | XML "logic bombs" happens when the parser expand entities eagerly. If a parser does that one can easily assemble an enormous entity that will eat up all the memory. But a more sophisticated parser won't expand entities right away and thus can merely reject oversized ones. It is really a minor issue. | | |
| ▲ | johncolanduoni 18 hours ago | parent [-] | | There were other esoteric XML logic bomb inducing features is my recollection from all the stuff you used to have to change on the default XML Java parsers, but this was like 20 years ago so I may be misremembering. | | |
| ▲ | Mikhail_Edoshin 8 hours ago | parent [-] | | I myself only remember the possible misuse of disk/URL reading features. These were indeed features and were added by design, but, of course, enabling them in non-trusted input could lead to all sorts of disasters. |
|
|
| |
| ▲ | notpushkin 2 days ago | parent | prev | next [-] | | If I understand correctly, Mozilla and Apple don’t really want to support it either. And the reason for that is, the spec is still at XSLT 1.0, which is super old, and current implementations are effectively abandonware. Catch-22? | | |
| ▲ | johncolanduoni 2 days ago | parent | next [-] | | I believe the spec is at XSLT 3.0 but no browser actually implemented past XSLT 1.0 (not 100% sure - almost nobody cared about this feature last month so hard to find good docs on support). HTML5 and C++ are cut from the same cloth - massive and no reference implementation so full of features that have been “standard” for 10 years but never implemented by anyone. | | |
| ▲ | notpushkin 2 days ago | parent | next [-] | | Yeah, sorry, the XSLT spec is at 3.0 right now of course, but the browsers don’t implement it, and the WHATWG HTML Living Standard only mentions XSLT 1.0. | |
| ▲ | arccy 2 days ago | parent | prev [-] | | even outside of browsers barely anything supports XSLT newer than 1.0 |
| |
| ▲ | ekianjo 2 days ago | parent | prev [-] | | The spec is at XLST 3 right now. | | |
| |
| ▲ | esrauch 2 days ago | parent | prev | next [-] | | It doesn't seem weird at all to me: standard is essentially the consensus of the major browser vendors; a spec which all of Chrome, Safari and Edge don't implement is really just a hypothetical. The origin story of whatwg is that Apple, Mozilla and Opera decided that W3C wasn't making specs that they wanted to implement, so they created a new working group to make them. | |
| ▲ | chrismorgan 2 days ago | parent | prev | next [-] | | > nobody bats an eye I’ve seen a lot of eye-batting about this. Although Google, Mozilla and Apple are all in favour of removing it, there’s been a lot of backlash from developers. | | |
| ▲ | johncolanduoni 2 days ago | parent [-] | | Most of whom had never heard of XSLT before today - some were likely born after it had faded into obscurity. I don’t blame people for hating Google for whatever reason, but this is a weird way to try to stick it to them. | | |
| ▲ | sunaookami a day ago | parent | next [-] | | XSLT is widely used, for example by the US congress: https://simonwillison.net/2025/Aug/19/xslt/ | | |
| ▲ | lucumo a day ago | parent [-] | | Neither you nor the blog posts author had heard of that before that ridiculous GitHub issue from yesterday. You're all using the exact same link to the exact same page. This is intellectual dishonesty from you, the blog post author and the issue reporter. Anyone who has read the response to the reporter knows that this is a cherry-picked alternative format. The normal format is an HTML5 page. Search engines just return that instead, so the only way to have found this page is by clicking through that. | | |
| ▲ | sunaookami a day ago | parent [-] | | So "it doesn't matter because other people already posted this example"? | | |
| ▲ | johncolanduoni 18 hours ago | parent | next [-] | | I think their point was that for everything the US congress makes available through client-rendered XSLT, they already also do the transformation on their side and serve the HTML under another page. Which I think is part of Google’s point - you can just compile the XSLT offline once (or during your release process) and provide the same experience without rewriting anything. | |
| ▲ | lucumo a day ago | parent | prev [-] | | Is your intellectual dishonesty professional, or just a hobby? | | |
|
|
| |
| ▲ | ndriscoll a day ago | parent | prev [-] | | More likely the people complaining are those who use it. I've been using it as the sane way to template my personal stuff for ~20 years. It works very well for "hand written" sites. I'm also not trying to be a top site or even visible to the wider world; my audience is my friends and family members. So to me it's a clear "that's not an important use case for the web now" signal. |
|
| |
| ▲ | TiredOfLife a day ago | parent | prev | next [-] | | Mozilla asked for removal. Google just filled the paperwork | |
| ▲ | ekianjo 2 days ago | parent | prev [-] | | Even "champion of the web" Mozilla is on board. Tells you exactly what you need to know. |
|
|
| ▲ | kome 2 days ago | parent | prev [-] |
| so it's time to use XSLT more |
