Intent to Deprecate and Remove XSLT
6 months ago
- #XSLT
- #Chromium
- #Security
- XSLT v1.0, standardized in 1999, is outdated and has been superseded by JavaScript-based technologies like JSON+React.
- Chromium uses the unmaintained libxslt library, which poses significant security risks due to memory safety vulnerabilities.
- Client-side XSLT usage is now niche, with low usage metrics (0.01%-0.1% for XSLTProcessor API, 0.001% for declarative XSL).
- Chromium plans to deprecate and remove XSLT on a detailed timeline running from M143 (deprecation) to M164 (complete removal).
- A polyfill is available to mitigate breakage, restoring functionality for ~75% of affected sites with a single-line fix.
- Security benefits of removing XSLT outweigh compatibility risks, as it eliminates a vulnerable attack surface.
- Other browser engines (Gecko, WebKit) also support deprecating XSLT, though some web developers oppose the removal.
- The removal plan includes early warnings, origin trials, and enterprise policies to ease the transition.
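
For site owners checking exposure ahead of the removal, the two usage paths named above (the `XSLTProcessor` API and declarative XSL, taken here to mean an `xml-stylesheet` processing instruction) can be inventoried from source text. This is an added example, not code from the Chromium announcement; the function names, the accepted MIME type list and the sample files are assumptions constructed for illustration.

```javascript
// Added example: inventory the two client-side XSLT entry points in source text.
// Assumption: these two MIME spellings mark an XSLT stylesheet; extend as needed.
const XSL_TYPES = new Set(["text/xsl", "application/xslt+xml"]);

// Parse pseudo-attributes (name="value" or name='value') from PI data.
function parsePseudoAttrs(data) {
  const attrs = {};
  const re = /([A-Za-z_][\w.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(data)) !== null) attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

// Return findings for one file: declarative PIs and script references.
function findXsltUsage(name, text) {
  const findings = [];
  const lineOf = (idx) => text.slice(0, idx).split("\n").length;
  // Blank out markup comments (keeping offsets) so commented-out PIs are ignored.
  const stripped = text.replace(/<!--[\s\S]*?-->/g, (c) => c.replace(/[^\n]/g, " "));
  const pi = /<\?xml-stylesheet\s+([\s\S]*?)\?>/g;
  let m;
  while ((m = pi.exec(stripped)) !== null) {
    const a = parsePseudoAttrs(m[1]);
    if (XSL_TYPES.has((a.type || "").trim().toLowerCase()))
      findings.push({ file: name, line: lineOf(m.index), kind: "declarative", detail: a.href || "" });
  }
  const api = /\bXSLTProcessor\b/g;
  while ((m = api.exec(stripped)) !== null)
    findings.push({ file: name, line: lineOf(m.index), kind: "api", detail: "XSLTProcessor" });
  return findings;
}

// Constructed sample files (not taken from any real site).
const SAMPLES = {
  "feed.xml": '<?xml version="1.0"?>\n<!-- <?xml-stylesheet type="text/xsl" href="old.xsl"?> -->\n<?xml-stylesheet href=\'feed.xsl\' type="text/xsl"?>\n<rss/>',
  "style.xml": '<?xml-stylesheet type="text/css" href="a.css"?>\n<doc/>',
  "app.js": "const p = new XSLTProcessor();\np.importStylesheet(sheet);",
};

function auditSamples() {
  return Object.entries(SAMPLES).flatMap(([name, text]) => findXsltUsage(name, text));
}
console.log(auditSamples());
```

Stylesheets attached to CSS (`type="text/css"`) and processing instructions inside comments are deliberately not reported; references built dynamically in script will not be caught by a text scan.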