Though Internet Explorer 9 has made great strides in improving Internet Explorer’s standards support, and version 10 is similarly set to include a whole range of new features, one thing that Microsoft hasn’t even touched is WebGL, a specification that allows webpages to create 3D graphics using an API based on the venerable OpenGL API. A blog post today from the company’s security engineers may explain why: they don’t think there’s any way to implement it safely.
Three main concerns are enumerated in the post: WebGL exposes too much sensitive, privileged, or unhardened code to the Web; depends too heavily on third-party code for security; and is too susceptible to denial-of-service attacks. The first of these is perhaps most significant. Video hardware and video drivers are traditionally only exposed to relatively “trusted” code—programs that the user has explicitly chosen to install. Display drivers are notoriously unstable and buggy, and developers of 3D software have to go to quite some effort to ensure their programs do not use (or misuse) the 3D hardware in such a way as to cause problems.