Google says it’s removing XSLT to address security vulnerabilities. The underlying library that processes XSLT in Chrome (libxslt) is an aging C/C++ codebase with known memory safety issues. Chrome’s team argues that because only about 0.02% of page loads use XSLT, it’s not worth the maintenance burden.
It’s debatable whether Google, with all its resources, really needs to do this, especially given that 0.02% of all page loads is still quite a lot. But there are certainly times when it’s better to just delete seldom-used old code from your project to lower the maintenance burden and reduce the surface area for attacks.
Big tech has been straining the libxml2 dev who recently got annoyed with them. Instead of helping maintain the libraries they ship on billions of computers, Google is trying to reduce there use.
From the article:
It’s debatable whether Google, with all its resources, really needs to do this, especially given that 0.02% of all page loads is still quite a lot. But there are certainly times when it’s better to just delete seldom-used old code from your project to lower the maintenance burden and reduce the surface area for attacks.
Big tech has been straining the libxml2 dev who recently got annoyed with them. Instead of helping maintain the libraries they ship on billions of computers, Google is trying to reduce there use.
https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-reports