As of the next version of Chrome, XSLT will be gated behind a flag.
Google have also asked for it to be removed from the standard [0].
replies(5):
I've been working on a little demo for how to avoid copy-pasting header/footer boilerplate on a simple static webpage. My goal is to approximate the experience of Jekyll/Hugo but eliminate the need for a build step before publishing. This demo shows how to get basic templating features with XSL so you could write a blog post which looks like
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/template.xsl"?>
<page>
<title>My Article</title>
<content>
some content
<ul>
<li>hello</li>
<li>hello</li>
</ul>
</content>
</page>
- no build step (no need to setup Jekyll on the client or configure Github/Gitlab actions)
- works on any webserver (e.g. as opposed to server-side includes, actions)
- normal looking URLs (e.g. `example.com/foobar` as opposed to `example.com/#page=foobar`)
[0]: https://news.ycombinator.com/item?id=44952185
See also: grug-brain XSLT https://news.ycombinator.com/item?id=44393817
Google have also asked for it to be removed from the standard [0].
Citation? That would greatly surprise me in its abruptness and severity (they only just started talking about it this month, and acknowledge it’s particularly risky for enterprise) and https://chromestatus.com/feature/4709671889534976 gives no such indication.
panos: next item, removing XSLT. There are usage numbers.
stephen: I have concerns. I kept this up to date historically for Chromium, and I don't trust the use counters based on my experience. Total usage might be higher.
dan: even if the data were accurate, not enough zeros for the usage to be low enough.
mason: is XSLT supported officially?
simon: supported
mason: maybe we could just mark it deprecated in the spec, to make the statement that we're not actively working on it.
brian: we could do that on MDN too. This would be the first time we have something baseline widely available that we've marked as removed.
dan: maybe we could offer helpful pointers to alternatives that are better, and why they're better.
panos: maybe a question for olli. But I like brian's suggestion to mark it in all the places.
dan: it won't go far unless developers know what to use instead.
brian: talk about it in those terms also. Would anyone want to come on the podcast and talk about it? I'm guessing people will have objections.
emilio: we have a history of security bugs, etc.
stephen: yeah that was a big deal
mason: yeah we get bugs about it and have to basically ignore them, which sucks
brian: people do use it and some like it
panos: put a pin in it, and talk with olli next time?
panos: next thing is file upload control rendering
[0] https://github.com/whatwg/html/issues/11146#issuecomment-275...
Did what? The GP asked for a citation for XSLT support going behind a flag in the next version of Chrome, but you forgot to add that. As best as I can tell, the GP is right and you're confused.
They were advocating for removing it. And it was specific. And is labelled by the Chromium report you mentioned as the cause.
It wasn't "this month".
Then another few months pass, and one of the agitators goes about formally proposing removing it, so that finally it isn’t just murmurings more or less behind closed doors, but out in public for the developers to clamour about. That’s where we are this month.
Add flag to disable XSLT: https://chromium-review.googlesource.com/c/chromium/src/+/68...
It's approved, I don't know which release it will be.
Additionally, quote from the GitHub discussion:
--- start quote ---
Q: why has Chrome already started working on removing the feature from the browser?
A: To explore the effects of removal. It's hard to tell what will break without being able to turn it off and see.
https://github.com/whatwg/html/issues/11582#issuecomment-320...
--- end quote ---
> Add flag to disable XSLT
Two very different things. OP is talking about XSLT support going behind a flag, you’re citing XSLT deprecation going behind a flag. The default state matters (and the default state is undeprecated)
It makes sense that the Chrome team would do what they’re doing, otherwise it’s very difficult for anyone to assess the impact of XSLT deprecation.
Literally from my link:
--- start quote ---
Add a feature flag to disable XSLT
This adds a feature flag that disables:
- XSLTProcessor
- XSLT Processing Instructions
--- end quote ---
“Deprecate” has a specific meaning, largely unrelated to actual removal (though depending on the convention it may be expected to lead to it after some time).