← Back to context

Comment by righthand

8 hours ago

Destroying the open web instead of advocating to fix one of the better underutilized browser technologies for a more Profitable Google.

I will not forget the name Mason Freed, destroyer of open collaborative technology.

35 comments

righthand

Reply
tptacek  8 hours ago

Didn't this effort start with Mozilla and not Google? I think you will in fact forget the name Mason Freed, just like most of us forgot about XSLT.

  • indolering  2 hours ago

    It started with Mozilla, Apple, and Opera jumping ship and forming WHATWG. That stopped new XML related technologies from being adopted in browsers twenty years ago. Google is just closing the casket and burying the body.

  • simoncion  8 hours ago

    > Didn't this effort start with Mozilla and not Google?

    Maybe round one of it like ten years ago did? From what I understand, it's a Google employee who opened the "Hey, I want to get rid of this and have no plans to provide a zero-effort-for-users replacement." Github Issue a few months back.

  • righthand  2 hours ago

    Why would I forget about XSLT a really good technology pushed to the wayside by bad faith actors? Why would I forget Mason Freed? A person dedicating themselves to ruining perfectly good technology that needs a little love.

    Do you have some sort of exclusive short term memory or something where you can’t remember someone’s name? Bizarre reply. Other people may have had a similarly lazy idea, but Mason is the one pushing and leading the charge.

    It seems maybe you want me to blame this on Google as a whole but that would mean bypassing blame and giving into their ridiculous bs.

dfabulich  8 hours ago

Blame Apple and Mozilla, too, then. They all agreed to remove it.

They all agreed because XSLT is extremely unpopular and worse than JS in every way. Performance/bloat? Worse. Security? MUCH worse. Language design? Unimaginably worse.

EDIT: I wrote thousands of lines of XSLT circa 2005. I'm grateful that I'll never do that again.

  • stickfigure  8 hours ago

    This is only repeated by people who have never used it.

    XSLT is still a great way of easily transforming xml-like documents. It's orders of magnitude more concise than transforming using Javascript or other general programming languages. And people are actively re-inventing XSLT for JSON (see `jq`).

    • garethrowlands  6 hours ago

      I used to use XSLT a lot, though it was a while ago.

      You can use Javascript to get the same effect and, indeed, write your transforms in much the same style as XSLT. Javascript has xpath (still). You have a choice of template language but JSX is common and convenient. A function for applying XSLT-style matching rules for an XSLT push style of transform is only a few lines of code.

      Do you have a particular example where you think Javascript might be more verbose than XSLT?

    • mschuster91  8 hours ago

      I actually do have to work with raw XML and XSLTs every once in a while for a java-based CMS and holy hell, it's nasty.

      Java in general... Maven, trying to implement extremely simple things in Gradle (e.g. only execute a specific Thing as part of the pipeline when certain conditions are met) is an utter headache to do in the pom.xml because XML is not a programming language!

      5 replies →

  • dfox  8 hours ago

    > Security? MUCH worse.

    Comparing single-purpose declarative language that is not even really turing-complete with all the ugly hacks needed to make DOM/JS reasonably secure does not make any sense.

    Exactly what you can abuse in XSLT (without non-standard extensions) in order to do anything security relevant? (DoS by infinite recursion or memory exhaustion does not count, you can do the same in JS...)

    • dfabulich  5 hours ago

      If you would RTFA, they're removing XSLT specifically for security reasons. They provide the following links:

      https://www.offensivecon.org/speakers/2025/ivan-fratric.html

      > Although XSLT in web browsers has been a known attack surface for some time, there are still plenty of bugs to be found in it, when viewing it through the lens of modern vulnerability discovery techniques. In this presentation, we will talk about how we found multiple vulnerabilities in XSLT implementations across all major web browsers. We will showcase vulnerabilities that remained undiscovered for 20+ years, difficult to fix bug classes with many variants as well as instances of less well-known bug classes that break memory safety in unexpected ways. We will show a working exploit against at least one web browser using these bugs.

      https://nvd.nist.gov/vuln/detail/CVE-2025-7425

      https://nvd.nist.gov/vuln/detail/CVE-2022-22834

      (And, for the record, XSL is Turing-complete. It has xsl:variable, xsl:if, xsl:for-each, and xsl:apply-template function calls.)

  • cxr  7 hours ago

    > They all agreed to remove it.

    All those people suck, too.

    Were you counting on a different response?

    > XSLT is extremely unpopular and worse than JS in every way

    This isn't a quorum of folks torpedoing a proposed standard. This is a decades-old stable spec and an established part of the Web platform, and welching on their end of the deal will break things, contra "Don't break the Web".

  • righthand  8 hours ago

    They did not agree to remove it. This is a spun lie from the public posts I can see. They agreed to explore removing it but preferred to keep it for good reasons.

    Only Google is pushing forward and twisting that message.

    • JimDabell  7 hours ago

      > They did not agree to remove it. This is a spun lie from the public posts I can see. They agreed to explore removing it but preferred to keep it for good reasons.

      Mozilla:

      > Our position is that it would be good for the long-term health of the web platform and good for user security to remove XSLT, and we support Chromium's effort to find out if it would be web compatible to remove support.

      https://github.com/mozilla/standards-positions/issues/1287#i...

      WebKit:

      > WebKit is cautiously supportive. We'd probably wait for one implementation to fully remove support, though if there's a known list of origins that participate in a reverse origin trial we could perhaps participate sooner.

      https://github.com/whatwg/html/issues/11523#issuecomment-314...

      Describing either of those as “they preferred to keep it” is blatantly untrue.

      1 reply →

rvz  7 hours ago

> Destroying the open web instead of advocating to fix one of the better underutilized browser technologies for a more Profitable Google.

Google, Mozilla and Apple do not care if it doesn't make them money, unless you want to pay them billions to keep that feature?

> I will not forget the name Mason Freed, destroyer of open collaborative technology.

This is quite petty.