
> I'm sure others can list more recent FUD and lies put out by Microsoft.

Really? I had a PC on which Firefox and certain WebGL content would hard crash my machine thanks to what I presume are video card driver bugs. (Upgrading video card drivers resolved that particular instance of that problem.)

Given that, it is by no means unreasonable to assume that WebGL content might be able to hit security holes in video card drivers. What that entails, who knows. Presumably going right away and saying "sure, we'll just add a hole to let people stream code directly from the web right into your video card" sounded like a horrible idea.

And since IE is shipped with the OS, as an OS-level component, it has to be supported for customers for-bloody-ever. (Or so it seems at least!) So there is a higher bar, and all of a sudden releasing patches isn't an "auto-update the world and hopefully don't break anyone" sort of thing like it is with Chrome or Firefox, but now it becomes a "we'll have to test this patch across an almost unimaginable number of test scenarios and machine configs because we don't want to break functionality that any one of our large customers relies on".

At that point, adding a new feature, which even sorta smells like it could open up a whole new can of worms, becomes, for good reason, somewhat less desirable!

(Disclaimer: I work for MS, but in a completely unrelated area, opinions are my own, those of an overly paranoid-for-the-customers software engineer.)



And yet MS is now shipping WebGL, so it seems like your point is moot. MS doesn't believe WebGL is insecure, else they wouldn't have shipped it.



You do realize MS continued to bash WebGL long after the CORS issue was resolved. The point is there's still reason to hate MS. They are still a bad company that does arguably bad things.

I'm all for them switching to sweetness and light but the OP is suggesting their evil ways were 20 years ago. They're not. Their evil ways are still recent.


(Edited to add: I am not aware of any statements on WebGL from MS beyond that blog post, but I don't follow those circles, so I'll accept your word that they continued bashing it after CORS was introduced. However, people I'd trust more than either Google or Microsoft employees, like Carmack and various security researchers on HN like Daeken, agreed that WebGL is a security risk, so I disagree that counts as bad behavior on MS's part.)

So why did Microsoft go ahead and include WebGL? Why, because they had to respond to Google who did exactly the same thing that Microsoft was lambasted for doing with IE: pushing proprietary, unsafe technology before it became standardized and forcing other browsers to catch up. But since you work for Google, I am sure you consider Google's actions to be perfectly not "evil"...

http://www.extremetech.com/computing/87696-webgl-is-fundamen...

> But there’s more! Not only is WebGL inherently flawed, but Google — one of WebGL’s strongest proponents — even knew about the DoS and cross-domain image vulnerabilities months before they were thrust into the limelight by Context’s report. Not deterred by these flaws in the WebGL spec or its implementation, Google pushed ahead and turned on WebGL by default in February 2011, in Chrome 9.

> As terrifying as that is, we now have to wonder why Google rushed the deployment of a nascent, dangerous technology...

Note that it was enabled before v1 of the specification was even released. But worse, when I follow the embedded links in the top para, why, I do believe they show that you ("you" as in not Google, "you" as in you specifically) were aware of these security flaws before anyone else reported them, and yet you (as in Google) went ahead and enabled WebGL in Chrome by default. And then you accuse Microsoft of behaving badly! Really?!

> They are still a bad company that does arguably bad things

I'd like examples of Microsoft "behaving badly", preferably:

1) stuff that isn't religious fanaticism;

2) stuff that isn't driven by vested interests that are not in everybody else's interests;

3) and stuff that I haven't already covered in my linked comment (https://news.ycombinator.com/item?id=7282162). I hope you do better than the other replies in that subthread.


Except for the CORS issue, have you seen an exploit related to WebGL? As detailed in my post, it's unlikely there are any. In fact it's far more likely there are bugs in JavaScript implementations or JPEG decoders or video decoders or font renderers than in WebGL.

As for the CORS issue, MS shipped CSS first and CSS had the same issue. Namely that you could change the :visited property to something heavy and then through timing divine a user's web history. Once that was discovered it was fixed. I suspect it was similar to WebGL where someone was like

"hey, you know, it might be possible to use timing to figure out some stuff"

"yea, but that seems pretty unlikely"

A few months later someone shows a working timing attack.

"oh shit, let's fix that"

As for DoSing, as detailed in my post, we (or I) didn't see that as the same level of important because there's no incentive to do it. Sure, we worked on fixing it (and that's why WebGL is now enabled by default on several Android devices whose drivers can deal with the issue). But even on devices that can't deal with the issue there's no incentive to DoS someone's machine, because they aren't going to visit your website a 2nd or 3rd time if you do that, and you weren't able to accomplish anything else except to get them to stop visiting your website. Awesome. I'm going to go make a site right now that people actively avoid visiting. Yea!

You also realize that Mozilla started the WebGL spec, not Google, and that Mozilla also released WebGL long before v1. Opera was also involved, and MS was welcome to join but never bothered. WebGL is not proprietary. Never has been. So claiming Google is copying Microsoft by pushing proprietary standards is pretty disingenuous.

Want some MS evil evidence? Just Bing it

http://www.bing.com/search?q=microsoft+fud+2013


> Except for the CORS issue have you seen an exploit related to WebGL?

And as far as I can tell, that was the issue MS needed fixed before going ahead with WebGL, but then again I haven't been following their actions in this area. On the other hand, another Microsoft employee seemed to agree with Mozilla and Google: http://www.theregister.co.uk/2011/06/20/webgl_/

"And, frankly, if Microsoft has taken a formal position against WebGL, no one I know got the memo."

So maybe it was only the MS Security team being paranoid, as they are supposed to be?

> As for the CORS issue, MS shipped CSS first and CSS had the same issue.

Wouldn't that indicate that they have more reason to be wary of things like this?

> You also realize that Mozilla started the WebGL spec, not Google and that Mozilla also released WebGL long before v1. Opera was also involved and MS was welcome to join but never bothered. WebGL is not proprietary. Never has been. So claiming Google is copying Microsoft by pushing proprietary standards is pretty disingenuous.

Mozilla doesn't have clean hands in this either. It may not be proprietary, but releasing an implementation with known vulnerabilities? Enabling something widely used connected to the Internet without sufficient hardening is exactly what MS did with Win95/WinXP/ActiveX, and it created a decade of malware-infested Internet. They also got widely excoriated for that. I wouldn't blame them for being cautious going forward.

> Want some MS evil evidence? Just Bing it

So negative advertising is "evil"? I knew F/OSS folks thought MS's publicity against their religion was "evil", because, well it offends their personal beliefs... but so is negative advertising against your employer? Sorry, but Google engages in a lot of that itself, it's just that people in this echo chamber uncritically accept it as fact because it confirms their biases.


A company that has objections to a spec discusses those objections with others. A company that is trying to spread FUD hires a 3rd party company to dig up dirt.

Microsoft did the latter.

I'm sorry you can't see it, but Microsoft was clearly not showing concern for WebGL's security. As pointed out before, if they had, they would also have brought up Silverlight and Flash 11, which both provide the same features as WebGL.

