« James Gosling Interview | Home | Another Gig with Rock City this Saturday »
Doug Crockford: Go slow on HTML5 until security concerns are addressed
By Noah | September 29, 2010
There’s a very interesting article in the Web Security Journal quoting Javascript expert Doug Crockford on HTML 5 and security. Doug’s point is basically: we had bad security problems with HTML and the Web before HTML5 was proposed. What should have been done was to focus on getting a good, clean, secure architecture for core features of the next release, and only then add new features.Doug worries especially about what are billed as Cross-site Scripting vulnerabilities (XSS). Not only does the focus on new stuff distract from fixing old problems, the new features greatly increase HTML’s attackable “surface area”. For example, there are many ways in which client-side storage could contribute to security flaws. Furthermore, the great complexity of the HTML5 specification makes it much harder to rigorously reason about its security implications.
Little of this is new. Doug has said these things before, and he does acknowledge that, security aside, the new HTML5 features will be valuable. Nonetheless, his conclusion is:
HTML5 has a lot of momentum and appears to be doomed to succeed. I think the wiser course is to get it right first. We have learned the hard way that once an error gets into a web standard, it is really hard to get it out.
Striking the right balance will be very difficult in practice. There’s a huge investment in HTML5 at this point, and slowing down to revisit security will be difficult. I think Doug’s right that it’s an option that deserves very serious and sober consideration.
By the way, I picked up on this article from a posting by Dan Connolly, who adds some interesting musings and a bit of history.
Topics: Web, Internet, Computing | No Comments »