> But since when did a security flaw mean that we throw the entire piece of technology out?<p>Maybe when that piece of technology involves taking large amounts of code running at elevated privilege, and that was written by people who assumed that it would NEVER be exposed to untrusted code, and exposing it to untrusted code?
<i>So, Microsoft, does this mean you are going to kill 3D support in Silverlight, or does it mean you will add WebGL support to Internet Explorer?</i><p>Or are you going to fix Silverlight? Oh, you already did? Umm... well, then I guess we better get around to fixing our browsers, rather than putting our feet in our mouths.
A [somewhat exaggerated] summary: "there are so many security holes in web browsing already, why do you begrudge us a few more?". OK, I admit there is a kind of madhouse logic to this which I can't refute. There is already a flood of patches that I need to apply about every 5 minutes to something or other, and that's just the vulns that got identified and reported.<p>I certainly agree that nobody will be able to stop this - developers want the API, users want the games.<p>WebGL is currently turned on in Chrome 12, and the only way to turn it off is to add -disable-webgl to the command line. Which essentially means you can assume it's on everywhere, including on the computer of your bank's manager. This is what people miss when they say you can turn it off for yourself.<p>The security aspects of WebGL seem like they were banged out in about 10 minutes. I encourage all to read the Khronos paper on security (<a href="http://www.khronos.org/webgl/security/" rel="nofollow">http://www.khronos.org/webgl/security/</a>), and compare the level of presentation to anything which gets accepted at a security conference.<p>I don't know why I keep returning to this. I certainly don't think that WebGL is the end of the world. There will be some more holes and some more patches. I just think this is another case of the web development world shirking its responsibility to bring real security to browsing (what happened to all those projects which used virtualization to isolate sessions, which I first heard about 4 years ago?), and instead piling on more features without thinking the implications through.
Summary:<p>"Microsoft's position is not entirely unreasonable... [But] the same vulnerability exists in Silverlight 5... So, Microsoft, does this mean you are going to kill 3D support in Silverlight, or does it mean you will add WebGL support to Internet Explorer? A little consistency would be nice, you know?"
I know this sounds nuts, but if we're going to have this crap one way or the other, I'd prefer it stay in NSPlugins that already (appropriately) have a bad name and are opt-in, not opt-out.
The article linked within the post was much more insightful than the post itself.<p><a href="http://www.realityprime.com/articles/why-microsoft-and-internet-explorer-need-webgl" rel="nofollow">http://www.realityprime.com/articles/why-microsoft-and-inter...</a><p>It is, however, incorrectly cited in the post as support for the author's argument, which it is not. The Reality Prime article makes the case that it is irrelevant how secure the platform actually is - it will likely come into mainstream use, and Microsoft needs to support it, whether they like it or not.<p>Also, the post fails to mention that there was an official Microsoft response to the vulnerability report, which stated that the vulnerability had been fixed in Silverlight 5.
Apple has taken an interesting middle approach on WebGL. They are only enabling WebGL to certified experiences in iOS. That happens to be ads for now, but it would be easy to extend this to other apps distributed through App Store.<p>That way developers have access to WebGL as an API for 3D, but Apple is not exposing the WebGL attack surface to the entire Internet. As the spec matures, GPU drivers are hardened, etc. they always have the option to open it up more.
It wouldn't surprise me if MS dropped the Silverlight browser plugin altogether: it is becoming their mobile app technology and looks like it will also replace WPF on the desktop. It makes sense for them to drop the plugin and embrace HTML5 like they claim they are.<p>If they did, then where would the argument go?