@securitymb Good point! Filed https://github.com/whatwg/html/issues/11397
Web standards engineer @mozilla@mozilla.social
✍️ https://htmlparser.info & https://wpc.guide
@securitymb Right. But script and style are actual SVG elements so those are likely most risky compat-wise.
Elements or character references or CDATA sections, or even comments.
@asuh @keithamus @bramus can you expand on why widows & orphans? Do you want them for print or multicol?
If you use "AI agents" (LLMs calling tools in a loop) you need to be aware of the Lethal Trifecta
Any time you combine access to private data, exposure to untrusted content and the ability to externally communicate, an attacker can trick the system into stealing your data https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
> While there’s currently no proposal that addresses this issue, the Google Information Security Engineering team is planning to explore options to fix this vector as well.
Let's do it. I've written about improving consistency in parsing before: https://x.com/zcorpan/status/1339517144053243906
Although making SVG style and script tokenize like HTML doesn't necessarily solve mXSS, it seems like an improvement. Removing the scripting enabled check for noscript is another, but it would break the feature.
Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.
* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en
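The escaping the post refers to, as an added Python example (constructed here, not code from the blog posts or the spec): the serializer's attribute-mode "escaping a string" step before and after the change, then a re-parse with Python's html.parser showing why the legacy output could change the tree. The serialized DOM (an element child of `<style>`, the shape the SVG parsing rules produce) and the attribute value `</style><b>` are both constructed.

```python
"""Attribute escaping in HTML fragment serialization, old rules vs. new rules.

Constructed example: before the spec change the serializer escaped only
&, U+00A0 and " in attribute values; it now also escapes < and >.
"""
from html.parser import HTMLParser

# Characters the serializer must escape inside a double-quoted attribute value.
LEGACY_ATTR_ESCAPES = {"&": "&amp;", "\u00a0": "&nbsp;", '"': "&quot;"}
CURRENT_ATTR_ESCAPES = {**LEGACY_ATTR_ESCAPES, "<": "&lt;", ">": "&gt;"}


def escape_attribute(value: str, legacy: bool = False) -> str:
    """Escape an attribute value the way the serializer does (old or new rules)."""
    table = LEGACY_ATTR_ESCAPES if legacy else CURRENT_ATTR_ESCAPES
    return "".join(table.get(ch, ch) for ch in value)


def serialize_start_tag(name: str, attrs: dict, legacy: bool = False) -> str:
    """Serialize a start tag with double-quoted attribute values."""
    parts = [f' {k}="{escape_attribute(v, legacy)}"' for k, v in attrs.items()]
    return f"<{name}{''.join(parts)}>"


class StartTagCollector(HTMLParser):
    """Record the start tags the parser actually creates when re-parsing."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def reparse_start_tags(markup: str) -> list:
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def round_trip(legacy: bool) -> list:
    """Serialize an <a> child of <style> whose title attribute holds markup,
    then re-parse as HTML, where <style> content is raw text (not elements)."""
    # Constructed attribute value; in the original DOM it is plain text.
    inner = serialize_start_tag("a", {"title": "</style><b>"}, legacy) + "</a>"
    return reparse_start_tags(f"<style>{inner}</style>")
```

With the legacy rules the re-parse yields a `<b>` element that was only attribute text in the source DOM; with `<` and `>` escaped the markup round-trips to a single `<style>`.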
Remember this tiny change to the HTML spec?
It just prevented a critical bug in an application we are currently testing.
https://github.com/whatwg/html/commit/e21bd3b4a94bfdbc23d863128e0b207be9821a0f
❤️ cc @freddy @securitymb
@cure53 @freddy @securitymb Yay!
@bkardell @Schepp @timsev @Kilian @keithamus there was pushback to implement the a11y mapping in 2014, see https://www.w3.org/Bugs/Public/show_bug.cgi?id=25003
In 2019, Firefox implemented (in Nightly only) the outline algorithm and found that it regressed usability for various existing content:
https://github.com/whatwg/html/pull/3499#issuecomment-544876110
https://bugzilla.mozilla.org/show_bug.cgi?id=1590366
That I think was the nail in the coffin for the outline algorithm.
I wrote an article that was #1 on the orange website for a bit earlier today
Starting March 31, 50% of Firefox beta 138 users will have the change where <h1> always has the same UA style, even in article, aside, nav, section.
Also, Lighthouse will fail a check if you have an <h1> without font-size specified.
Advice for web developers: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/Heading_Elements#specifying_a_uniform_font_size_for_h1
Context: https://mastodon.social/@zcorpan/113839012551439287
Last week I did a little talk on the brand new command&commandfor attributes! And you can watch it right here:
https://londonwebstandards.org/talks/everything-you-need-to-know-about-invoker-commands/
Our team (DOM Core) has an open position: https://www.mozilla.org/en-US/careers/position/gh/6527472/
Remote in any of Finland, Sweden, Denmark, Poland, Spain, Belgium, Netherlands, France, Germany, UK, Canada, or US.
@zcorpan @rem Actually if you reach out to Google Help and ask them if you can disable Gemini services on your Workspace account, they will help you do this (after being connected to a few different support agents).
I now have options in Google Admin > Generative AI > Gemini for Google Workspace settings to enable / disable for services such as Google Docs, Meet, GMail.
@rem ability to turn it off is only available on Enterprise 🙃
(This is a joke, but it might be true.)
@mb21 Yes. See compat analysis at https://github.com/whatwg/html/issues/7867#issuecomment-1977647444 and https://github.com/whatwg/html/issues/7867#issuecomment-2595987424
While some will look worse, there are also some that will look better or as intended with the change.
Firefox Nightly has shipped this for ~10 months and we have only received one bug report about a regressed site, and that site was quickly fixed.
- The automatic heading level (a.k.a. the outline algorithm) was dropped from the spec, but the default UA stylesheet remained. This is what we're trying to remove now.
- The default rendering was implemented in browsers, but not the heading level in the accessibility tree.
- Websites started to use sectioning elements, but didn't expect automatic heading levels. It was not possible for browsers to change that without breaking user expectations.