Microsoft says WebGL browser games are "harmful"

Adam Oxford at

Tank World - a simple WebGL game

Bad news for open standards browser-based gaming: Microsoft's has said that it won't be supporting WebGL now or in the foreseeable future.

The announcement was made via its Technet blog site, under the rather damning headline “WebGL considered harmful”.

The development of WebGL is being managed by The Khronos Group, which is also responsible for OpenGL, OpenCL and so on. WebGL is a cross platform API designed to give your browser access to your graphics card and enable hardware acceleration of JavaScript games.

According to security experts at Microsoft, the problem with WebGL is not so much any existing security holes, but the fact that it gives online programs so much access to the inner workings of your PC. That means interacting with a lot of third party drivers which will make future issues many and hard to spot.

“While it may be possible to mitigate these risks to some extent,” says the Technet blog, “The large attack surface exposed by WebGL remains a concern.”

It's not just Microsoft who thinks WebGL is a problem either. Yesterday, security firm Context Information Security sent us a press release saying that WebGL is a "back-door threat" with elements "not fit for purpose". They specifically highlight an issue whereby a WebGL app can take a screenshot of the client PC and send oit back to the server. They also point out the current – but soon to be patched – vulnerability in Firefox which allows a WebGL app to execute a DoS attack by opening lots of windows on the desktop. This is the second time Context has spoken out against WebGL.

What Microsoft's statement means for WebGL at this point isn't clear. Internet Explorer doesn't support WebGL right now anyway: presumably this announcement means that Windows Phone and Windows 8's fancy new HTML5-friendly interface won't either.

While Microsoft's argument about third party drivers and unpredictable security holes makes sense, it's hard not to reason that a single vendor controlling the entire chain of control from server to graphics card undoubtedly benefit said vendor too. While the security concerns are obviously relevant, this also looks like the opening salvo in a similar battle to the OpenGL/DirectX one over a decade ago. That's a battle less likely to have a clear winner if Microsoft ends up facing off against the likely supporters of cross platform web gaming: Google and Apple. You could probably throw Facebook and Amazon into that too.

Jonathan Hirshon, a spokesperson for Khronos Group, told PC Gamer that browser developers are still working towards full compliance with the WebGL standard.

"All browser vendors are still working toward passing the WebGL conformance suite," Hirshon said, "Only once they have successfully done so can they claim support."

Which means that it's early days for WebGL. While you wait for proper browser support, though, it might be worth taking Context's main piece of advice and disabling it in your browser settings if you run Chrome or Firefox (the only browsers to support it). Details of how to do that can be found here.


Tags:   ,