Beyond the self-serving statements that most everyone involved in this story are making, there's a real issue here. That Silverlight has (or had) vulnerabilities of the sort that make Microsoft hesitant to implement WebGL is ironic, but it's also interesting because it shows that they've got a point that such vulnerabilities can be a problem.<p>This storyline, like so many others, serves as an occasion for people to line up with one team or another and make whatever arguments support Google, Microsoft, Apple, Facebook, or whoever they're rooting for.<p>But obscured behind all that smoke is a subtle, nuanced conversation to be had about the problem itself: What are the essential performance vs security tradeoffs? What can be done about them? And then there are larger issues, like this: A curated app store model where code is vetted and apps are run in a sandbox might significantly reduce users' vulnerability to attacks like this, but at what cost, both to users, developers, and those running the app store?
In some ways, WebGL reminds me of OpenDoc - a consortium of competitors offering the mashup model as an alternative to OS implementation while ignoring salient performance issues. In no small part because the proposal breaks the architecture of Microsoft's implementation and is coupled with a PR campaign to negate the implementation advantage Microsoft has based on the nature of their product portfolio and market segments, i.e. as an OS provider.<p>This isn't to say that Silverlight is the solution - but rather that the idea of giving browsers a generic ability to bypass the operating system and access the hardware is different from how Silverlight is implemented in the vast majority of cases. The Silverlight implementation is provided by the OS vendor not a third party.<p>It's not that WebGL doesn't have a reasonable goal, but design a sandbox without a lid and you wind up with cat turds. A system which depends on the priority which the authors of graphic card drivers assign to security and mass market hardware vendors assign to driver updates and continued support within the consumer segment doesn't seem like a plan consistent with the potential for mischief the web offers.<p>[<a href="http://gregmaletic.wordpress.com/2006/11/12/opendoc/" rel="nofollow">http://gregmaletic.wordpress.com/2006/11/12/opendoc/</a>]<p>[<a href="http://en.wikipedia.org/wiki/Opendoc" rel="nofollow">http://en.wikipedia.org/wiki/Opendoc</a>]
That's incorrect. Microsoft, I believe, is only allowing low level access via drivers that have been checked for safety, and most random drivers from vendors are NOT allowed such access (even those that pass the normal driver certification).<p>The article from the Google guy a few days ago said their approach is that they an include in WebGL workarounds for all the buggy drivers. That approach has no chance of working.