Define read-back-allowed rendering #12554

Open: foolip wants to merge 3 commits into main from foolip/privacy-preserving-rendering
foolip commented Jun 9, 2026

Member
  • At least two implementers are interested (and none opposed):
  • Tests are written and can be reviewed and commented upon at:
  • Implementation bugs are filed:
    • Chromium: …
    • Gecko: …
    • WebKit: …
    • Deno (only for timers, structured clone, base64 utils, channel messaging, module resolution, web workers, and web storage): …
    • Node.js (only for timers, structured clone, base64 utils, channel messaging, and module resolution): …
  • Corresponding HTML AAM & ARIA in HTML issues & PRs:
  • MDN issue is filed: …
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)


💥 Error: Wattsi server error 💥

PR Preview failed to build. (Last tried on Jun 16, 2026, 2:19 PM UTC).

PR Preview relies on a number of web services to run. There seems to be an issue with the following one:

🚨 Wattsi Server - Wattsi Server is the web service used to build the WHATWG HTML spec.


Comment thread source Outdated
<span>rules for updating the display of WebVTT text tracks</span>. <ref>WEBVTT</ref></p>

<p>In <span>privacy-preserving rendering</span>, subtitles and captions are <span>expected</span>
to be rendered with default appearance that ignores any user preferences.</p>
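
Review bot: "default appearance" in the paragraph beginning "In privacy-preserving rendering" is not marked up as a defined term, unlike <span>privacy-preserving rendering</span> and <span>expected</span> next to it, so the requirement has nothing to resolve to. Consider linking it to a definition of the default caption appearance, and narrow "any user preferences" to the specific preferences meant, since the sentence as written does not say which settings are ignored.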

Member


I think this means the website ends up violating the law in certain jurisdictions, we might want to have a warning here or alongside the eventual feature that uses this. Or maybe we should not support media elements given that we cannot make them accessible?

Member Author


The other option would be to respect the user settings and say that it's better on balance to leak these settings than for video to be impossible with HTML-in-Canvas. What's your preference?

Member


We cannot leak these settings. They would allow for unique fingerprints in many cases of an already vulnerable population.

nigelmegitt commented Jun 9, 2026


What's the motivation behind privacy-preserving rendering of subtitles and captions not taking into account user preferences? As I understand it, WebVTT rendering done by the UA or OS is already supposed to be privacy-preserving, and the current design choice is that there are no Web APIs for querying user preferences or for extracting styling choices from the rendered captions.

It seems odd that privacy-preservation should have a negative impact on accessibility settings that aren't exposed to pages.

(aside: I actually don't think the argument for prohibiting Web APIs for accessing user settings holds up any more, but that's a whole different discussion)

annevk commented Jun 9, 2026

Member

This is a rendering mode that allows for arbitrary read back. Maybe instead of calling it privacy-preserving we should call it "read-back rendering mode".

@nigelmegitt


That would be a lot clearer, yes, seems like I got a whole different impression from the name alone.

Not sure if this PR is the right place for the discussion (please point me to the right place: there's no linked issue), but since I'm here: Is this related to test drivers/engines? I'd expect test engines, when inspecting rendering results, to be able to choose whether to use this "read-back rendering mode" or to be able to read back the result rendered with a provided context of specific user settings.

foolip changed the title from "Define privacy-preserving rendering" to "Define read-back-allowed rendering" on Jun 16, 2026
foolip commented Jun 16, 2026

Member Author

After discussion with @annevk on chat I'll rename it "read-back-allowed rendering" since read back might not actually happen.

annevk added the "topic: canvas" and "security/privacy" (There are security or privacy implications) labels on Jun 16, 2026