Microsoft no WebGL support - it's insecure
Written by Mike James   
Friday, 17 June 2011

After declining to say whether it would or would not support WebGL, Microsoft has now come out and attacked it as being too insecure for them to build into IE 10. Is this just another example of "security theater"?

Microsoft looks set to sink one of the most exciting features of the new web that we tend to label HTML5, even if it isn't. WebGL is a standard for creating 3D graphics in a web page - within a Canvas object to be precise. It is a finalized standard but at the moment only Chrome and FireFox support. It is clear that to be an accepted standard either IE has to also support it or IE has to become a forgotten hardly used browser - and neither seem very likely at the moment.




After declining to say whether it would or would not support WebGL, Microsoft has now come out and attacked it as being too insecure for them to build into IE 10.

The Microsoft Security Research & Defence group have issued blog post titled "WebGL Considered Harmful" - an emotive title if there ever was one. Basically they say that WebGL exposes too much hardware without putting enough security restrictions on it.  They make three points

  • Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive
  • Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience
  • Problematic system DoS scenarios

The first two points are essential the same i.e. WebGL lets programmers use the GPU and the only controls on this are provided by third party drivers which are generally not used to security issues. The final point is that a machine could be brought down by GPU code that occupies the machine 100% of the time.

Really what this comes down to is

"WebGL and the whole remote GPU thing is so new its scary".

Of course this is what security people are supposed to think and you can't really blame them for doing their job. It is what has always happened in the development of the web and why from a programming point of view it is still in the dark ages. It's a game of cat and mouse between the security creators and the applications creators.

For example the security people put a block on cross site scripting i.e. you can't dynamically download JavaScript from another site. Then the apps programmer go an invent JSONP which effectively restores the ability to dynamically download JavaScript. 

This "block a facility - find another way" is repeated over and over - it is the software equivalent of what in the wider world is referred to as "security theater" i.e, make it look good but it really doesn't do anything worthwhile.

In the wider world you can stop almost anything from toner cartridges to bottled water in the name of security. It now looks as if you can do the same thing in the programming world!

What we need is joined up security planning not the patch work mess of restriction built on top of other restrictions so complex that in the main you have to switch them all off to get some work done.

And so we arrive at the part of the patchwork that is the security problem lurking in WebGL.

The particular bug that started this whole episode is a flaw in FireFox which allowed a GPU program to steal the contents of another window. According to the Khronos group, who are in charge of WebGL, this was fixed and FireFox 5 doesn't have the vulnerability.

This is not to say that there aren't security problems in WebGL and more to the point the graphics drivers it uses - but not using it because of security problem is not the right way to go. At the very least Microsoft could implement in a switched off mode and let the user turn it on after suitable warnings. This is what Firefox does but Microsoft clearly thinks that the user is too stupid to understand and make their own decision on the cost benefit of 3D.

There is also the point that we really do want 3D in the browser. How can the web evolve if, because of security reasons we are stuck with just 2D graphics. You also have to remember that  Microsoft is responsible for holding back the web for 10 years by not adopting the 2D graphics facility SVG when it was a new standard - is history about to repeat itself? Given that the 3D problems are in the drivers how can Microsoft accept any solution to the 3D problem - including its own problematic DirectX?




So to be entirely clear - Microsoft is saying that we can't have 3D graphics in web pages because it is just too dangerous. It sounds like a convenient excuse to me and raises the question of why Microsoft really doesn't want to support WebGL in IE 10?

Whatever the reason, it looks like Microsoft has just put a very big brake on the development of the web in the name of security.


A blog Why Microsoft and IE need WebGL (and vice-versa) by Avi Bar-Zeev a principle architect at Microsoft  contains some  interesting thoughts and observations:

"From the one discussion I’ve had with leaders from IE, I can reassure folks outside Microsoft that this issue is actually about security and doing the right thing for users. It’s not about “GL” vs. “DX” in the name, as some suggest. It’s not about wanting to disrupt any other browsers, as Microsoft has often been accused. These leaders are genuinely concerned about the possibility that someone on a malicious website could use WebGL to disrupt your experience in a serious way, and incidentally that it would appear to be Microsoft’s fault…"


"Those leaders may not be fully aware of how big a movement WebGL really is and how it is going to transform the web yet again. But the reality is, if Internet Explorer does not support WebGL and WebGL nevertheless becomes the de facto standard for 3D on the web (which it will, IMO), then IE will be in an uncompetitive position to either help fix any problems and moreover retain or grow market share relative to other browsers."

So rather then a conspiracy to place DirectX over OpenGL (which is what WebGL is based on) it might be that Microsoft is lead by people who really aren't in touch with the technology. If you also look at the way that Microsoft is reacting to HTML5/JavaScript this certainly fits.

Further reading:

WebGL Considered Harmful

IE9 launch a threat to web development

WebGL 1.0 finalized - the state of play

Getting started with WebGL



If you would like to be informed about new articles on I Programmer you can either follow us on Twitter or Facebook or you can subscribe to our weekly newsletter.



OpenSilver 2.2 Adds LightSwitch Compatibility Pack

OpenSilver 2.2 has been released with the addition of a LightSwitch Compatibility Pack designed to provide a way to run legacy Visual Studio LightSwitch applications on modern browsers. The open-sourc [ ... ]

JetBrains Releases Aqua Test Automation IDE

JetBrains has announced the public release of Aqua, its IDE designed for test automation. The full release follows a preview in 2022.

More News

Last Updated ( Saturday, 18 June 2011 )