A new blog posting by Microsoft Security Research and Defense, with the combative title “WebGL Considered Harmful,” has reignited the WebGL security debate. Recent moves by the Khronos Group and browser makers supporting WebGL (that is, pretty much everybody but Microsoft) had quelled the noise for about a month. Now, with Redmond weighing in on the negative side of the issue, we can expect the rhetoric around security to heat up again. That much seems clear. What seems less clear is the motivation: does Microsoft have genuine security concerns, or is this a tactical smokescreen to mask a nefarious strategy? Put another way: is Microsoft up to their old API tricks? Conspiring minds want to know.
A paranoid observer might wonder if Microsoft sees WebGL as a threat to its Silverlight product– I don’t see how they couldn’t– and is just using the security issue as an excuse to stonewall WebGL. And while it may just be paranoia, indulge me for a moment, because there is an aspect of history repeating here.
Web 3D old-timers may recall Microsoft’s failed attempt to derail VRML, originally known as ActiveVRML, subsequently renamed to Chrome (no relation to Google’s browser) and again renamed to Chromeffects, back in 1998. At the time, VRML was gaining serious traction and solid vendor support. Meanwhile, a cohort of Sun graphics transplants, with the help of the DirectX team and IE teams, lobbied the Web3D Consortium to consider ActiveVRML as an alternative standard. After much debate, the ActiveVRML initiative was resoundingly defeated within the Consortium, delivering MS a shocking (if not truly surprising) blow. The net result: Microsoft picked up their ball and went home. Chromeffects was released as its own competing thing within IE, and Microsoft’s built-in VRML support (supplied by yours truly btw) was mothballed.
Ultimately, Chromeffects was no more of a commercial hit than VRML, and within a few years of its introduction it withered. But it never died: Chromeffects was eventually resurrected as– you guessed it– Silverlight. The code may be unrecognizable from the original ActiveVRML but many of the key concepts remain, such as 2D/3D media integration, authoring with built-in XML tags, and hardly any actual 3D rendering. Silverlight is a conceptual, if not genetic, descendant of ActiveVRML. Sure, this whole line of thinking might be a stretch… but I’m just sayin’.
Of course, 1998 was a very different time: the OpenGL/DirectX war was in full swing simultaneous with the IE/Netscape war, and Microsoft was in the dominant position with application developers. So while they lost the ActiveVRML battle, they won the two big wars handily, largely because of their leverage with developers. Cut to 2011, however, and we see a very different picture. IE is no longer the market share leader browser (accordingly to many of today’s stat counters) and MS is fighting a battle for developer mindshare on several fronts. The strong-arm tactics they formerly employed with developers aren’t nearly as effective as they were back then. So this conspiracy theory might come up short, unless you consider another very effective tactic from the MS playbook: sow Fear, Uncertainty and Doubt. In the VRML days, performance was the boogeyman with which competitors generated FUD. Today, security might be the hobgoblin of choice.
For what it’s worth, this time around I think we can take MS at face value about this security thing. I really don’t believe they are being that crafty. The security issue is real and should be of concern within the industry. However, the tone and title of the MS blog post, plus alarmist reporting by CNet and ZDNet on the topic don’t help. Particularly disturbing is the poll-within-the-article on ZDNet: the article is titled “Microsoft is right to label WebGL ‘harmful'”, and within the article there is a poll asking, “Do you think WebGL is ‘harmful’?” And guess what: over 50% of the respondents do. Now there’s a shocker. Framing anyone?
Despite the scary going around, I am optimistic that cooler heads will prevail. The coolest head in this debate so far, ironically, rests on the shoulders of Microsoft employee Avi Bar-Zeev. Writing in his personal blog he advocates a balanced look at the situation and argues that Microsoft ultimately needs to support WebGL because web developers will come to demand it. Avi has hit the crux of the matter: Microsoft’s success or failure rests largely on, as it always has, its application developers. My prediction is that developers aren’t going to be scared away from WebGL based on FUD, intentional or unintentional. It’s just too cool, and it’s already supported in the other browsers. So, yeah, MS will come around… it’s just a matter of time.