Thank you! I added the relevant information on ChromeStatus.

--
Cheers,
Michał

On Tue, May 13, 2025 at 7:39 AM Domenic Denicola <dome...@chromium.org> wrote:

> LGTM1, but please update the following bits on ChromeStatus:
>
> - Estimated milestones. This is important for ensuring developers have an accurate picture of when changes like this are rolling out. Especially if this will be a gradual rollout of some sort, or has previously been tested in a gradual manner, that information needs to be captured.
> - Interop and Compat impact: this definitely has compat impact. Please summarize how this can change the behavior of web pages, and why we believe it's safe. (You've done that elsewhere, but recording it in ChromeStatus is helpful as that's a source of data we consult looking backward.)
>
> On Tue, May 13, 2025 at 5:17 AM 'Michał Bentkowski' via blink-dev <blink-dev@chromium.org> wrote:
>
>> Out of curiosity, which platforms will this not be supported on, and why?
>>
>> Sorry, I put the wrong value there -- it will be supported on all platforms.
>>
>> Given that Firefox has implemented this (Nightly-only), as well as Safari (not landed yet?), do we know why https://github.com/whatwg/html/pull/6362 hasn't been merged yet?
>>
>> Anne left a comment: "We should probably hold off until Chromium has actually deployed this?" so I think that's the reason.
>>
>> Thanks,
>> Alison
>>
>> On Friday, May 9, 2025 at 2:18:27 AM UTC-7 Chromestatus wrote:
>>
>> Contact emails secur...@google.com
>>
>> Explainer https://github.com/whatwg/html/issues/6235
>>
>> Specification https://github.com/whatwg/html/issues/6235
>>
>> Summary
>>
>> Escape "<" and ">" in values of attributes on serialization. This mitigates the risk of mutation XSS attacks, which occur when value of an attribute is interpreted as a start tag token after being serialized and re-parsed.
>>
>> Blink component Blink>HTML>Parser <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EHTML%3EParser%22>
>>
>> TAG review Details are shared on https://github.com/whatwg/html/issues/6235. The change was tested with Finch, ending on 10% of Stable. No web compat risks were observed. The only signal we got was that it broke a unit/e2e test which checked the exact content of HTML generated by Chromium.
>>
>> TAG review status Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> None
>>
>> *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/1209)
>>
>> *WebKit*: Positive (https://github.com/WebKit/WebKit/pull/44842)
>>
>> *Web developers*: No signals
>>
>> *Other signals*:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>
>> None
>>
>> Debuggability
>>
>> None
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)? No
>>
>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? Yes
>>
>> Flag name on about://flags enable-experimental-web-platform-features
>>
>> Finch feature name EscapeLtGtInAttributes
>>
>> Rollout plan Will ship enabled for all users
>>
>> Requires code in //chrome? False
>>
>> Estimated milestones
>>
>> No milestones specified
>>
>> Anticipated spec changes
>>
>> Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
>> None
>>
>> Link to entry on the Chrome Platform Status https://chromestatus.com/feature/6264983847174144?gate=5114900925644800
>>
>> This intent message was generated by Chrome Platform Status <https://chromestatus.com>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1cd243fc-6071-46d5-8178-132fcd909b10n%40chromium.org <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1cd243fc-6071-46d5-8178-132fcd909b10n%40chromium.org?utm_medium=email&utm_source=footer>.
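
The serialization change described in the quoted Summary, sketched as an added example that is not part of the original thread and is not Chromium's code. The function names and the sample attribute value are constructed for illustration; the legacy escaping set (`&`, U+00A0, `"`) follows the HTML serialization algorithm for attribute values.

```javascript
// Added illustration; all names here are hypothetical, not Blink's API.
// Escapes an attribute value for HTML serialization (e.g. the innerHTML getter).
// Legacy behaviour escapes &, U+00A0 and "; the change discussed in this
// thread additionally escapes < and >.
function escapeAttrValue(value, { escapeLtGt = true } = {}) {
  let out = value
    .replace(/&/g, "&amp;") // must run first so later references are not re-escaped
    .replace(/\u00A0/g, "&nbsp;")
    .replace(/"/g, "&quot;");
  if (escapeLtGt) {
    out = out.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  }
  return out;
}

// Serializes a start tag from a tag name and a plain object of attributes.
function serializeStartTag(tagName, attrs, opts) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => ` ${name}="${escapeAttrValue(value, opts)}"`
  );
  return `<${tagName}${parts.join("")}>`;
}

// Decodes the five references produced above in a single pass, standing in
// for what an HTML parser does to a double-quoted attribute value.
function decodeAttrValue(escaped) {
  const map = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&nbsp;": "\u00A0", "&amp;": "&" };
  return escaped.replace(/&(?:lt|gt|quot|nbsp|amp);/g, (ref) => map[ref]);
}

// Counts literal angle brackets in serialized markup. With the new escaping a
// start tag contains exactly two: its own opening "<" and closing ">".
function rawAngleBrackets(serialized) {
  return (serialized.match(/[<>]/g) || []).length;
}

// Constructed sample input.
const sampleAttrs = { title: 'a < b > c & "d"' };
const legacyMarkup = serializeStartTag("div", sampleAttrs, { escapeLtGt: false });
const escapedMarkup = serializeStartTag("div", sampleAttrs, { escapeLtGt: true });
```

Both forms decode back to the same attribute value, so only code that compares the exact serialized string (as the unit/e2e test mentioned in the thread did) observes a difference.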