Back in 2011, Microsoft announced that they would not be “endorsing” WebGL in its current form as a security precaution. The key concerns included the exposure of hardware functionality, a heavy reliance on third parties to secure web experience, and unproven denial-of-service protection capabilities. However, fast forward to now, Microsoft has added support for WebGL in Internet Explorer 11. Why?
Microsoft has made a few security improvements to allow the safe support of WebGL in IE11, no longer relying solely on the GPU for hardware acceleration. “We did a lot of analysis of vulnerabilities, we did threat modelling, and we have essentially a pre-screening stage. Think of it like SmartScreen for WebGL content; we screen WebGL content for dangerous and suspicious patterns,” Microsoft’s Internet Explorer boss Dean Hachamovitch stated in a recent interview.
“Running WebGL on top of the latest DirectX technology provides additional security. On other devices and operating systems it’s possible to overwhelm the GPU and get all sorts of bad things happenning. On the DirectX architecture there is time-out detection and recovery. If you overwhelm the GPU, instead of taking down the whole system, it will just reset the GPU. So we feel we have defense in depth and, with the changes in the standard, that makes it safe to implement,” he adds.
The Internet Explorer team actually had to convince Hachamovitch to add WebGL support, since he was the one who was hesitant about adding it. He changed his mind as soon as the WebGL spec included technology called CORS. This technology effectively prevents image stealing attacks.
While Microsoft may have thought it was a security risk to use WebGL, it seems that the company has changing its mind after seeing Google’s Chrome dominate in market share. The internet is shifting towards a more 3D and immersive experience, so having WebGL support is a must for Internet Explorer.