The tangled web of XSLT browser support
The Extensible Stylesheet Language Transformations (XSLT) language is used by web browsers to style XML content to make it easily readable; XSLT is part of the HTML living standard that is maintained by the Web Hypertext Application Technology Working Group (WHATWG). Only a small fraction of web sites serve content that requires web browsers to support XSLT, in part because major browser implementations have neglected the technology over the past 25 years. Now, it seems, they would like to rid themselves of it entirely. A plan to disable XSLT in Blink (Chrome's rendering engine) and a pull request by a Google Chrome developer to remove mentions of the specification from the HTML standard have been met with opposition, but arguments in favor of XSLT have proven ineffective.
What is XSLT?
While XML documents are suitable for consumption by computers, they are verbose and not particularly readable by humans. XSLT was developed as a language for transforming XML documents into other formats such as HTML, plain text, or other XML formats. When an XML document is served to a web browser with an XSL stylesheet, the browser can render the document into something more suitable for the user to read. For example, the US Congress web site serves legislation as XML with an XSL stylesheet, such as this bill from 2021.
All of the major web browsers (Chrome, Firefox, Safari, etc.) support client-side XSLT rendering, but they only support the 1.0 version that was finalized in November 1999. XSLT development has continued; the current 3.0 version of the standard was finalized in 2017, but the major browser vendors have shown little interest in keeping up with XSLT developments in this century.
Chrome and Safari use libxslt, while Firefox uses the TransforMiiX XSLT processor. LWN covered some of the history of libxslt in June; that implementation has suffered from a lack of resources for quite some time, and the longtime maintainer, Nick Wellnhofer, announced he was stepping down in June. Iván Chavero has offered to take over the project, and was vouched for by Federico Mena Quintero. He will, however, need to get up to speed with XSLT and the code base for the project.
It is worth noting that client-side rendering is not the only option for using XSLT to render XML as HTML for viewing in a web browser. There are a number of open-source projects, such as Apache Xalan and Saxon, that offer server-side processing for XSLT.
Google has sought to drop support for XSLT a few times. In 2013,
Adam Barth notified
the Blink development list of an intent to deprecate and
remove XSLT from the browser engine. Barth argued that the inclusion
of XSLT added "more than its share of complexity, which leads to
security vulnerabilities
", and that dropping XSLT support would
help to remove Blink's dependency on libxml. Ultimately, the proposal
was put
on hold.
Dominic Cooney tried
to deprecate and remove XSLT from Chrome in 2015. After much
discussion, Rick Byers replied
that Chrome's API owners had met and agreed that they would like to
eliminate XSLT from Blink eventually. However, prior
experience had taught the team that it was important to do so
carefully and with a plan to "minimize the user and developer
pain
". Byers provided a list of components that such a plan would
need to have, including real-world case studies for replacements and a
deprecation timeline of up to two years. It is unclear if Cooney
submitted such a plan, but a decade later Chrome still ships with
libxslt and supports XSLT 1.0.
Call for removal
Removing XSLT from the HTML specification was on the agenda for
WHATWG's meeting in March. During the discussion Stephen Chenney
expressed concern that usage of XSLT was higher than the use counters
indicated, and Dan Clark said "even if the data were accurate, not
enough zeroes for the usage to be low enough
" for removal
(minutes
here). Freed suggested during the meeting that "we could just
mark it deprecated in the spec, to make the statement that we're not
actively working on it
". Brian Kardell said that it would be
possible to remove XSLT from the MDN web
documentation as well. "This would be the first time we have
something baseline widely available that we've marked as removed
",
he noted.
After a few more comments proposing alternatives for
developers, it was decided to punt the topic to the next meeting,
which was then canceled. The topic was not on the WHATWG meeting
agenda again until August, after Mason Freed posted an issue to discuss
removing XSLT. Freed said that browser implementations of XSLT were
frozen in time with the 1.0 standard, and that the underlying
libraries for XSLT, such as libxslt, are aging code bases that are
"notoriously susceptible to memory safety vulnerabilities
".
He also claimed that there had been a significant decline in client-side usage over the years; he later followed up with a calculation that only one out of 7,891 page loads involves client-side XSLT. The topic of dropping XSLT was skipped during the meeting on August 8, because Freed was absent. Despite that, Freed opened the pull request on August 14 to remove XSLT from the HTML specification.
Anne van Kesteren said
that Apple's WebKit team "is cautiously supportive
" of removing XSLT, but would likely wait
for one implementation to fully remove support. Olli Pettay indicated
that Mozilla was also supportive, but cautioned that browsers should add console
warnings about the deprecation sooner rather than later. Freed posted
links to a WebAssembly (Wasm) polyfill that would process XSLT in the
browser without relying on native browser features, to demonstrate
that it was possible to move the functionality out of the browser
while retaining support.
Discussion
While browser makers were supportive of Freed's push to get rid of
XSLT, many others from outside the browser-making group weighed in
with questions and objections. For example, Alberto Betella agreed
that the security concerns were real, but argued that there is a
"real-world and modern use case from the podcasting industry
"
to use XSLT to beautify raw podcast feeds:
RSS feeds remain one of the last open and decentralized distribution mechanisms on the modern web. Platforms like Spotify and YouTube are increasingly moving toward exclusivity and closed podcasting ecosystems. Supporting browser-side XSLT helps keep RSS accessible and human-friendly, especially for independent creators. This ties in directly with the ethos of openness that underpins the web itself, and also the work of groups like WHATWG.
Freed replied that there was no attempt to change RSS or XML, just the XSLT that is used to make the RSS feeds readable if users click on a link that loads an XML file. He wondered if there might be a way to add a processing instruction to the XML to redirect to an HTML page when the client is a browser.
Some favored the proposal to remove XSLT; Tab Atkins Jr. thought
it was fine to remove XSLT from browsers, and said it should be
"relatively trivial
" to generate HTML from XML on the
server:
I don't think there's a strong "Open Web" argument to be made here. XML data files being able to be reformatted into HTML is somewhat of an accident of history; we don't have similar functionality for any other data type, despite, for example, JSON files being vastly more common on the web than XML.
But Timo Tijhof replied
that early web browsers had built-in feed browsers and native previews
of when users would navigate to RSS feeds, "akin to PDF, JSON, and
video viewers in browsers today
". Now, there is a missing link in
the path between clicking an RSS feed link and opening it in a feed
reader. There is a reasonable argument to be made that XSLT is not
good enough, he said, "and that we need something even easier to
adopt
".
Aram Zucker-Scharff, said
that getting rid of the capability to visually render RSS feeds would
mean "signing a death warrant for RSS feeds as an open
technology
". He warned that site owners would have to alter
pages to link to specific platforms "that enclose and intermediate and
disappear the open RSS feed
", and echoed Betella's
concerns that large companies had already pushed to "enclose
"
RSS within specialized readers, especially for podcasts.
He said that the "exodus from Twitter
" had caused
renewed experimentation with RSS, XML, and XSLT. Any solution that
does away with native rendering of XML in the browser "is
inevitably bad for the web platform's health
".
The XSLT implementations are "riddled with CVEs
" only because of
neglect, Dorian Taylor said. Browser vendors have kept XSLT 1.0
parsers around, but have put as little effort into maintaining them as
possible. He proposed that XSLT should be rehabilitated rather than scrapped
and asked, "is there truly no appetite for a standard
language for transforming markup, a thing we all have to do, on every
project, all the time?
"
Many other people weighed in to voice support for XSLT in the
browser. Freed replied
that it was clear that talk of removing XSLT struck a nerve, but he
reiterated that the implementations shipped today were old, not well
maintained, not widely used, and "a serious risk to all
users, not just those who actively use XSLT
".
He also acknowledged posts asking for improvement and renewal
rather than removal, but argued XSLT was simply a technology that
"didn't stand the test of time for client side usage in web
browsers
". (Emphasis in the original.) The Chrome team
was "strongly convinced that this would not be the right way to
spend our limited resources
".
Shutdown
Taylor pointed
out that Google is "literally a 2.5-trillion-dollar
company
" and that it was the browser vendors that chose not to
keep up with XSLT. That comment was later hidden by moderators as
off-topic, though it can still be viewed if a user is logged in to
GitHub. A number of other comments were hidden as off-topic, and the thread
was eventually locked to outside comments.
Freed left a final comment on August 19, in which he said that he cares about the health of the overall web:
I want to minimize the pain folks are feeling about this discussion of XSLT removal. But it's important to remember that ordinary users that fall victim to security vulnerabilities also feel pain, and I'm trying to minimize that too. I proposed some solutions to the concrete use cases I heard in this issue. If there are still gaps, I'd like to work on closing them. It's too bad we can't have that discussion here - I'm guessing we can't re-open this issue for outside comments, due to the overall tone of past comments. Either way, from now on, I'll only be responding to technical conversations, and ignoring the rest, for my own sanity.
The pull request thread was also locked to WHATWG collaborators as "too heated". Shortly after that Domenic Denicola, another member of the Chrome team, commented to remind Freed to update the XSLT section of the DOM living standard as well.
Stage one
The WHATWG has a series of stages
for a proposal to be merged into the HTML standard. Currently, Freed's
proposal is at stage one, the "incubation" stage, and looks to be
headed to the second stage, "iteration". According to WHATWG's
documentation, that would signify an expectation that a proposal will
be eventually merged into the standard. Usually stage two is
accompanied by "a prototype in at least one browser
engine
".
Barring a sudden reversal, the Chrome team looks poised to ship
that prototype before too long. The Chrome
Platform Status page for the "feature" to deprecate XSLT lists
2026 as the estimated shipping year, though many of the details for
the deprecation plan are still left blank. The page does note, in
something of an understatement, that "existing users of XSLT are
understandably negative on this removal
".
After a number of attempts to dump XSLT, it appears that the Chrome team is finally on its way to making that a reality. Whether the effects of that are as dramatic as the XSLT proponents have suggested remains to be seen; it does, however, seem like a loss for the open web overall.
Posted Aug 27, 2025 18:41 UTC (Wed)
by josh (subscriber, #17465)
[Link] (8 responses)
That makes no sense. The point of RSS is to read it in a feed reader, not a browser. If someone is looking directly at an RSS feed, it's probably not intentionally because they want to read the content. For most people I'd expect it to be a net improvement to render a direct RSS link as "This is an RSS feed, the title is XYZ, here's a set of feed readers you could read it in". *That* would bolster RSS adoption.
Posted Aug 27, 2025 19:22 UTC (Wed)
by ju3Ceemi (subscriber, #102464)
[Link] (1 responses)
I do not understand the overall issue, to be honest
If someone wants to format xml in all kinds of way and cannot/will not do that server side, plugins are a thing; Some exist to modify json and xml in prettier format, so this seems like a sane way to resolve the situation
Posted Aug 27, 2025 20:05 UTC (Wed)
by josh (subscriber, #17465)
[Link]
So, for instance, rendering helpful text for RSS feeds rather than raw XML, without requiring sites to do something different like server-side rendering, when they might not have any ability to run server-side anything.
Posted Aug 27, 2025 19:41 UTC (Wed)
by jzb (editor, #7867)
[Link] (5 responses)
If someone is looking directly at an RSS feed, it's probably not intentionally because they want to read the content. Right, that's kind of his point. Web browsers don't natively handle RSS feeds anymore, so if a site includes a button for their regular RSS feed (rather than a link to Spotify or Apple Podcasts, or Feedly for regular RSS) and the user clicks it they just get the raw XML. Or, currently in Firefox, raw XML with the "This XML file does not appear to have any style information associated with it. The document tree is shown below." message which is not particularly friendly for most users. With XSLT a site can provide something like this for an RSS feed: https://www.bennadel.com/rss, or this, which helpfully includes a little box at the top that explains what an RSS feed is and a link on how to use them. That's basically what you're describing to provide a "here's a set of feed readers" etc. I may be wrong, but I don't think it will easily be possible for people who run WordPress or other blogging software on shared hosting to do server-side XSLT processing. That's a lot of feeds that won't be shown correctly if client-side XSLT processing goes away. (As an aside, that's a lot of feeds that aren't even discoverable if the site owner doesn't provide an RSS link, and/or the user doesn't have an extension that discovers RSS feeds for their browser... I use the Want My RSS extension to discover feeds in Firefox...)
Posted Aug 27, 2025 20:03 UTC (Wed)
by josh (subscriber, #17465)
[Link] (2 responses)
Posted Aug 27, 2025 20:18 UTC (Wed)
by jzb (editor, #7867)
[Link] (1 responses)
That would be great - but they've all explicitly moved away from supporting RSS, so I'm not holding my breath that they'd re-implement any RSS support to phase out XSLT. Perhaps I'm being too pessimistic, though... It's never happened before, but maybe this time...
Posted Aug 28, 2025 15:44 UTC (Thu)
by iabervon (subscriber, #722)
[Link]
Posted Aug 27, 2025 20:47 UTC (Wed)
by archaic (subscriber, #111970)
[Link]
> https://www.bennadel.com/rss
Looks perfectly readable in raw curl output. Should curl make it prettier? I do not think so. The right app for the job. Browsers are not the right app for most jobs, though you wouldn't know that looking at all the jobs put on them.
Posted Aug 27, 2025 23:42 UTC (Wed)
by jkingweb (subscriber, #113039)
[Link]
Not that you aren't correct in general, but Vivaldi does have an integrated feed reader, and you can subscribe to a feed using a button on the feed's readable representation (I assume this is achieved with XSLT, but I haven't checked).
Posted Aug 27, 2025 19:39 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (9 responses)
You end up with a "web platform" that's HTML5 + CSS + JavaScript, where the JavaScript does the heavy lifting client side to take interesting inputs (as XML, JSON, or something else) and provide something the web platform can render.
Posted Aug 27, 2025 20:45 UTC (Wed)
by iq-0 (subscriber, #36655)
[Link] (6 responses)
If XSLT (especially newer versions) turn out to be popular it will start benefiting from optimized browser support. Should it turn out to be a dud then at least all browsers are able to represent all the documents and format that assumed it would be a success, keeping the open web access alive.
Posted Aug 28, 2025 8:43 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (5 responses)
The thing that I do want to see more of, and that XSLT was supposed to usher in (but didn't, for a variety of reasons) is a world where the data is separate to presentation. If that's data supplied as XML and transformed into a presentation form by XSLT, great. If it's supplied as JSON, or XML, or CBOR, and transformed into a presentation form by JavaScript code, that's also great.
Key for me, though, is that the data is supplied separately, and that I can, as a hacker type, use the presentation renderer to reverse-engineer the data format and reuse the data in ways the originator did not think of. It's also a nice side-benefit if the presentation layer (whether XSLT, or JavaScript) is highly cacheable, so that the data is small; I'd prefer to get the data in a single TCP packet each time it updates, rather than downloading 200 KiB of "echo" formatted HTML (or 200 KiB of XML for 100 bytes of new data, for that matter).
Posted Aug 28, 2025 16:25 UTC (Thu)
by wahern (subscriber, #37304)
[Link] (4 responses)
Now ask yourself, why is that? What's better technologically for a single outlet is not necessarily better for the health of the broader ecosystem. Technology shapes and channels how players interact. Once upon a time the FOSS world, or at least part of it, understood that. But we've all become utterly inured to centralization and walled gardens that few can even remember the previous era, of which RSS is a vestige. There's an alternative universe where Spotify is the singularly dominate player in podcasting, similar to YouTube and Instagram for video. Would that be a better universe?
Posted Aug 28, 2025 16:50 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (3 responses)
Rather, it's about money. Video and photo sharing centralised because, at the time, bandwidth prices were high compared to the sizes of files; the YouTube and Instagram gambles, (which paid off) were that if you could grow fast enough, you could get enough investment to allow you to stay ahead of the cost curve, up until bandwidth became cheap enough that they could cover their costs from their income.
Had the typical home user had an unlimited usage 100M symmetric connection back in 2004, with 10G being cheap in datacentres, we might well not have seen the centralisation we say, because it would have been cheap to host your video yourself, and therefore extending the podcast ecosystem to a videocast ecosystem would have been something people did.
Posted Aug 28, 2025 18:22 UTC (Thu)
by wahern (subscriber, #37304)
[Link] (2 responses)
Also, I'm admittedly biased because I really do like XSLT. I dislike XML, and dislike XSLT's XML syntax, but in terms of functionality and longevity, even prospectively (alternatives aplenty, but always ephemeral), there's nothing else like it. Saying that browsers don't need XSLT because we have JavaScript is like saying browsers don't need WebRTC or PushAPI because we have JavaScript, WASM, and HTTP 1.1. Sure, but that's beside the point. Even though XML is seemingly in its golden years, I wouldn't be surprised if it's still more ubiquitous in terms of breadth and depth of software support and data encapsulated than JSON. All the world isn't a Rest API. And manipulating XML is much nicer using XSLT & friends (XPath, XQuery, etc). And despite the WHATWG's best efforts, XML and HTML remain sufficiently alike that it strains credulity to suggest XSLT couldn't or shouldn't be a contender for HTML templating.
The most convincing argument against XSLT for me is the lack of well maintained libraries. So what's clearly necessary, if not sufficient, for XSLT to survive is the FOSS community stepping up to fill the vacuum--libxslt successfully revived (thankfully some people are already taking a stab at that), Saxon opening up more and seeing greater adoption, or some newcomer library/ies. Preferably all of the above.
Posted Aug 28, 2025 18:33 UTC (Thu)
by wahern (subscriber, #37304)
[Link]
Posted Aug 28, 2025 19:35 UTC (Thu)
by excors (subscriber, #95769)
[Link]
Following the zero-one-infinity rule, since podcasters have to support more than one platform they'll use a third-party hosting service who know how to publish to all the platforms at once (and how to handle listener stats for all those platforms to attract advertisers, etc), so the minor platforms can still hang on. But I think it's the duopoly of commercial platforms who have allowed the industry to take that shape.
Posted Aug 27, 2025 22:42 UTC (Wed)
by wahern (subscriber, #37304)
[Link] (1 responses)
Imagine if browsers couldn't display PDFs, either natively or by reliably being able to pass it off to a local viewer. PDF as a open document format would lose much of its value, and walled gardens would flourish even more. This dynamic is precisely why YouTube makes it extremely difficult, if not impossible, to directly pull a video. Making the content tightly bound to their viewing platform is integral to how they achieved and maintain their dominance. It would appear (at least based on the claims) that RSS, like SMTP, achieved escape velocity before the dominance of walled garden platforms squashed the ecosystem, but that dynamic largely rests on built-in XSLT support.
Posted Aug 28, 2025 8:32 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
I don't see any strong reason why the same couldn't happen with XSLT; people show cool tech demos outside the browser, using a JavaScript based viewer for their XML format (which is something that most of the usage of XSLT I've seen, bar the trick of making an RSS feed pretty, could do easily - they're currently serving an XML data file and XSLT file to generate a web page, they could serve a HTML5+JavaScript+CSS fileset and an XML data file).
The RSS use would need a bit more server-side assistance to serve the web page to browsers, and the RSS feed to RSS readers, but would at least be something you could prove works well, before asking browsers to integrate xslt.js.
Posted Aug 27, 2025 23:12 UTC (Wed)
by roc (subscriber, #30627)
[Link] (3 responses)
Of course, being technically horrible isn't the only thing that matters, but it partly explains why XSLT isn't much used and why browser vendors aren't more enthusiastic.
Posted Aug 27, 2025 23:46 UTC (Wed)
by basscomm (subscriber, #125799)
[Link]
Posted Aug 28, 2025 1:22 UTC (Thu)
by raven667 (subscriber, #5198)
[Link] (1 responses)
This whole argument is difficult to articulate because it's an emotional, vision and alignment discussion and not primarily a technical one
Posted Aug 28, 2025 7:19 UTC (Thu)
by tux3 (subscriber, #101245)
[Link]
I usually have little trouble getting raw data in the modern JSON/Javascript Zeitgeist. And it'd be writing very similar Python scrapping snippets in an XML/Javascript or XML/XSLT world
Either way if I'm going to be doing anything interesting with the data, it won't be by manually copying bits of data from my browser's debug view, I'll be calling some bespoke API. If anything, the olden XML APIs I'm forced to use sometimes have this distinctive flavor of over abstraction and unnecessary complexity.
Data's data. The presentation layer doesn't really change access, in my experience
Posted Aug 27, 2025 23:55 UTC (Wed)
by ErikF (subscriber, #118131)
[Link]
Allow me to pay my respects for XSLT's ignored cousin, XSLT-FO. You never really were given a chance to shine: I tried using you to be able to make both Web pages, e-mails and documents. You gave it a valiant effort but it didn't ever seem to work properly.
Posted Aug 28, 2025 9:17 UTC (Thu)
by dottedmag (subscriber, #18590)
[Link]
With 25 years of hindsight, it's obvious that XSLT is not a smashing success. A technology like that would not pass the bar for being added to browsers today. Good riddance!
Posted Aug 28, 2025 11:48 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
RSS
RSS
RSS
RSS
RSS
RSS
RSS
RSS
RSS
It looks to me like the direction of travel is JavaScript for all conversions of input data to renderable HTML; there appear to be pure JavaScript XSLT implementations, and thus this ends up being like PDF.js, just another way to convert from a non-HTML source to something the browser can render, using JavaScript to do all the hard work.
Direction of travel seems to be JavaScript for all of this sort of thing
Direction of travel seems to be JavaScript for all of this sort of thing
I, in general, don't really care how you convert the raw data to something pretty for the user to view. JavaScript and XSLT both work for me here, with JavaScript having more flexibility.
Separating data and mark-up - JavaScript versus XSLT
Separating data and mark-up - JavaScript versus XSLT
I don't think any of that is particularly related to XSLT, however. One of the reasons XSLT is so lightly used is that nobody bothered with it back in the day; even now, it's common for RSS feeds to not also have an associated XSLT transform to give you a nice web page if you open the RSS feed directly.
Separating data and mark-up - JavaScript versus XSLT
Separating data and mark-up - JavaScript versus XSLT
Separating data and mark-up - JavaScript versus XSLT
Separating data and mark-up - JavaScript versus XSLT
Direction of travel seems to be JavaScript for all of this sort of thing
PDF.js was prototyped outside the browser, and integrated when it was clear that it was useful (to replace PDF plugins, admittedly).
Direction of travel seems to be JavaScript for all of this sort of thing
XSLT is kinda of horrible
XSLT is kinda of horrible
XSLT is kinda of horrible
No REST for the wicked
Sad if it happens
Its time is gone
Adopt XSLT 3.0