Comment by comex

8 days ago

Why can’t things remain backwards compatible forever? In the 35 years that the Web has existed, browsers have come pretty damn close to meeting that standard. The one huge exception is the removal of plugin support around 2015, and the concomitant death of Flash and Java applets. There were also some major browser-specific APIs that got killed off, like ActiveX and NaCl. But when it comes to standardized, browser-native functionality… very little has ever been removed. I would prefer it if I could say the same thing in another 35 years.

2 comments

comex

Reply
JimDabell  8 days ago

> Why can’t things remain backwards compatible forever?

I already said why:

> The complexity and attack surface area isn’t justified by its utility, so it’s hard to make the case for keeping it.

If you read the GitHub issue that this submission links to, the issue points out security vulnerabilities and links to:

> Although XSLT in web browsers has been a known attack surface for some time, there are still plenty of bugs to be found in it, when viewing it through the lens of modern vulnerability discovery techniques. In this presentation, we will talk about how we found multiple vulnerabilities in XSLT implementations across all major web browsers. We will showcase vulnerabilities that remained undiscovered for 20+ years, difficult to fix bug classes with many variants as well as instances of less well-known bug classes that break memory safety in unexpected ways. We will show a working exploit against at least one web browser using these bugs.

https://www.offensivecon.org/speakers/2025/ivan-fratric.html