Microsoft is removing XSLT support in Edge

We recently learned that Microsoft is experimenting with new ways to get more customers to use its Edge browser. Some of these tactics have been deemed shady by the competition, who believe that Redmond is once again stifling user choice. While the jury is still out on who is on the right side of the fence, there has been another interesting development in Edge. The browser is ditching support for XSLT, following in the footsteps of other competitors.

Microsoft has released the latest security review for its upcoming version of Edge, v147, and while the baseline continues to be Edge 139, the company has highlighted an important new policy. Edge version 147 is set to be released to the public this week, but we now know that it contains an enterprise policy for XSLTEnabled. As the name suggests, this configuration controls the availability of XSLT in Edge.

For those unaware, XSLT stands for Extensible Stylesheet Language Transformations, and is the language used to transform XML documents into formats like HTML. It was recommended by the World Wide Web Consortium (W3C) in 1999, and while multiple versions have come out since then, browsers today really don't support it actively. In addition, there are also other modern frameworks and technologies that offer the same functionalities as XSLT in a more flexible manner.

But perhaps the biggest reason for the deprecation of XSLT is the cybersecurity risk associated with it. We have reported in the past how one of its underlying libraries, libxslt, has a major security flaw that still hasn't been fixed due to a lack of active maintenance for the legacy project. Usage of XSLT has waned too; only 0.02% of webpages loading today use the language, and less than 0.001% use XSLT transformations.

As such, Microsoft believes that its latest policy should be used by enterprise customers to evaluate the effect of disabling XSLT. This move isn't just limited to Edge either; it's a global initiative. Upstream Chromium began testing a similar policy in Chrome 146 last month, with complete removal planned in Chrome 176 around August 2027. Similarly, two other major browser engines, WebKit (used in Safari) and Gecko (Firefox), are getting rid of the language soon, too.

Microsoft has urged organizations to leverage Edge 147 to evaluate the effect of disabling client-side XSLT and treat it as technical debt moving forward. If you are impacted, the migration process itself might not be straightforward, but you can find some more details about it here.
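For teams starting that evaluation, one way to inventory content that depends on client-side XSLT is to look for its two browser entry points: the `xml-stylesheet` processing instruction and the `XSLTProcessor` JavaScript API. The sketch below is an added example, not Microsoft's tooling; the function names, the set of stylesheet types checked, and the sample files are constructed for illustration.

```python
import re

# xml-stylesheet processing instruction; group 1 holds its pseudo-attributes.
PI_RE = re.compile(r"<\?xml-stylesheet\s+(.*?)\?>", re.DOTALL)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(["'])(.*?)\2""")
# Assumption: these two types are treated as XSLT; extend for your estate.
XSLT_TYPES = {"text/xsl", "application/xslt+xml"}
# JavaScript entry point for client-side transforms.
JS_API_RE = re.compile(r"\bXSLTProcessor\b")

# Constructed sample content standing in for files served by an intranet app.
SAMPLES = {
    "feed.xml": '<?xml version="1.0"?>\n'
                '<?xml-stylesheet type="text/xsl" href="/feed.xsl"?>\n'
                '<rss version="2.0"></rss>\n',
    "report.js": "const xml = loadXml();\n"
                 "const p = new XSLTProcessor();\n"
                 "p.importStylesheet(xsl);\n",
    # CSS stylesheet PI: not XSLT, must not be reported.
    "styled.xml": '<?xml version="1.0"?>\n'
                  '<?xml-stylesheet type="text/css" href="a.css"?>\n'
                  '<doc/>\n',
}


def find_xslt_usage(name, text):
    """Return (file, line, kind, href) for each client-side XSLT dependency."""
    findings = []
    for m in PI_RE.finditer(text):
        attrs = {k.lower(): v for k, _, v in ATTR_RE.findall(m.group(1))}
        if attrs.get("type", "").strip().lower() in XSLT_TYPES:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, line, "xml-stylesheet", attrs.get("href", "")))
    for m in JS_API_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append((name, line, "XSLTProcessor", ""))
    return findings


def scan(files):
    """Scan a mapping of file name -> content and return sorted findings."""
    results = []
    for name, text in files.items():
        results.extend(find_xslt_usage(name, text))
    return sorted(results)


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Anything the scan reports is a page or script to retest with the policy set to disable XSLT before the feature is removed outright.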
