
Doug Crockford: Go slow on HTML5 until security concerns are addressed

By Noah | September 29, 2010

There’s a very interesting article in the Web Security Journal quoting JavaScript expert Doug Crockford on HTML5 and security. Doug’s point is basically: we had bad security problems with HTML and the Web before HTML5 was proposed. What should have been done was to focus on getting a good, clean, secure architecture for core features of the next release, and only then add new features.

Doug worries especially about what are billed as Cross-site Scripting vulnerabilities (XSS). Not only does the focus on new stuff distract from fixing old problems, the new features greatly increase HTML’s attackable “surface area”. For example, there are many ways in which client-side storage could contribute to security flaws. Furthermore, the great complexity of the HTML5 specification makes it much harder to rigorously reason about its security implications.

Little of this is new.  Doug has said these things before, and he does acknowledge that, security aside, the new HTML5 features will be valuable.  Nonetheless, his conclusion is:

HTML5 has a lot of momentum and appears to be doomed to succeed. I think the wiser course is to get it right first. We have learned the hard way that once an error gets into a web standard, it is really hard to get it out.

Striking the right balance will be very difficult in practice.  There’s a huge investment in HTML5 at this point, and slowing down to revisit security will be difficult.  I think Doug’s right that it’s an option that deserves very serious and sober consideration.

By the way, I picked up on this article from a posting by Dan Connolly, who adds some interesting musings and a bit of history.

Topics: Web, Internet, Computing
