As discussed in, some forms of dangling markup attacks rely upon injecting an unclosed attribute that sucks up portions of a page, and exfiltrates them to an external endpoint (e.g. `<img src='` eats the page until the next `'`). This is possible because the URL parser helpfully discards newline characters. It would be lovely if we could make the parser less helpful.


Editor's draft

Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 61
  • Chrome for Android release 61
  • Android WebView release 61

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals


Last updated on 2021-06-23