In place of the regular WebGL roundup, here’s an update on the state of play regarding the security issues that were raised last week. You might also like this post on ReadWriteWeb.
In our last episode, Context, a security firm, announced that in addition to the (fixed) cross-site image problems and potential for rogue shaders freezing WebGL browsers, they’d also found a way that could allow attackers to write pages that (on Mac OS X and Windows XP only) could view other parts of the user’s screen. A fix for this problem was made live in Firefox 5, released 21 June; for whatever reason, Context chose to announce this vulnerability five days before the scheduled release. Microsoft also chose the same day to weigh in with a blog post entitled “WebGL considered harmful“.
Now read on…
On 16 June, Microsoft Principal Architect and 3D expert Avi Bar-Zeev blogged “Why Microsoft and Internet Explorer need WebGL (and vice-versa)” — which shows that Microsoft (like any large organisation) has different people with varying views. He writes:
[i]f Internet Explorer does not support WebGL and WebGL nevertheless becomes the de facto standard for 3D on the web (which it will, IMO), then IE will be in an uncompetitive position to either help fix any problems and moreover retain or grow market share relative to other browsers. That would be sad, esp. given how long the product cycles are and how long it would take to course-correct. We could miss the boat entirely.
On the 20th, Mozilla’s Benoit Jacob submitted a bug report to Microsoft regarding a problem in Silverlight 5. Yes, you guessed it — there are “Problematic system DoS scenarios” (to quote Microsoft’s “considered harmful” post) in it. Now, Silverlight 5 is beta, and Microsoft say in their responses to the bug report that the problem has been fixed in their release candidate. But as Mozilla VP Mike Shaver points out, if it’s fixable in Silverlight then it will be fixable in WebGL; and Mark Callow points out on the WebGL developers list (oddly not showing in the archive) that having Microsoft’s weight behind fixing bugs in graphics drivers could be very useful
Finally, on 21 June, Gregg Tavares (who works for Google, but blogging in his personal capacity) posted a nice — if somewhat grumpy — explanation of the current situation, albeit claiming that Context were hired by Microsoft (which would be interesting if true, but I’ve not seen any evidence for it yet).
So, what’s the current situation? Well, Context have found two security holes and one possible Denial of Service attack in WebGL. The security holes have been fixed in the current releases of the two WebGL-supporting browsers. The DoS remains possible; however it’s also present in the Silverlight 5 beta and will fixed in the release version, so if it’s a “real” fix then something similar will get into WebGL implementations swiftly.
In the meantime, certain people at Microsoft are saying that WebGL is a bad thing; it would be easy to see this as a conspiracy of some kind, or an attempt by MS to create FUD about a technology they don’t control (and Tony Parisi, co-creator of VRML, makes an interesting argument for that case), but there’s no definite evidence — and it certainly seems like there are at least some people there who think that WebGL is the way forward.