Chromium Proposes Deprecation and Removal of XSLT from Web Browsers Due to Security Risks
By CharlesW
Summary
Chromium (Google Chrome's browser engine) proposes to deprecate and remove XSLT (Extensible Stylesheet Language Transformations) from web browsers due to security risks and low usage. XSLT v1.0, standardized in 1999, has been largely superseded by JavaScript-based technologies like React and JSON. The aging libxslt library used for XSLT processing has security vulnerabilities and was unmaintained for months in 2025. While usage is low (0.01-0.1% of page loads), the security risks outweigh the benefits. The proposal has broad browser engine support (WHATWG, Gecko, WebKit) but negative feedback from existing XSLT users. A phased removal plan spans from October 2025 to August 2027, with polyfills and enterprise policies to ease migration.
Key quotes
XSLT v1.0, which all browsers adhere to, was standardized in 1999. In the meantime, XSLT has evolved to v2.0 and v3.0, adding features, and growing apart from the old version frozen into browsers.
Libxslt is a complex, aging C codebase of the type notoriously susceptible to memory safety vulnerabilities like buffer overflows, which can lead to arbitrary code execution.
Security risks for all users outweigh the very small usage of this feature on the open web.
Usage of the JS XSLTProcessor API is fairly volatile, registering somewhere between 0.01% and 0.1% of page loads, averaging around 0.05% over time.
Existing users of XSLT are understandably negative on this removal, and have been very vocal about it on the standards issue and elsewhere.
