The relentless addition of cool features in HTML5 is getting a lot of web developers excited and there’s really no doubt that it will be a huge step forward for the web. The more I follow the WhatWG mailing list though, the more I think we’re long past the era where it was considered safe to visit web pages. I’m not talking about browser security holes which have been around for a fair while and certainly do pose a risk, I’m talking about the things that are actually by design.

There’s nothing seriously threatening, just an ongoing increase in the amount of power and the amount of knowledge that web pages get. For example, it used to be possible to store a tiny amount of data in cookies in a way that was considered transient and ok to delete at anytime. Now you can store up to 5MB and there’s a strong argument being made that it should be considered user critical data and not easily cleared like cookies. In another thread people are asking for notification when the user has been idle for a period of time – great for chat applications and the like, but expanding what web pages can track about you1{#footlink1:1251998237568.footnote}.

In my mind there’s a mental model of how dangerous things that’s something like:

Static data is like an jpeg image or a plain text file. You read it but it doesn’t do anything active – no scripting nothing dynamic at all. It could still trigger a buffer overflow or some other security hole in the software you’re using but otherwise it’s inert.

Active data is like a web page with some simple JavaScript that modifies the page.

Sandboxed Applications are like iPhone applications. In theory they should be contained and safe, but you should still think carefully before installing them because they’re real applications that while limited can do actual damage. On the iPhone that actual damage involves unrestricted access to all your contacts and the network among other things.

Applications are pretty obviously anything else. While most systems these days put restrictions on them in some way such as file permissions, they are essentially unrestricted.

The web started out as static data, then when JavaScript was invented became active data. When GMail came along and people worked out how to really leverage JavaScript it moved to somewhere between active data and a sandboxed application2{#footlink2:1252002357376.footnote}. People want to build real applications on the web, which essentially means they need to keep being pushed along that progression. The only problem is that as you increase the abilities of web pages, you also decrease the safety, not just because it’s a bigger attack surface, but ultimately because the more a web app can do, the more likely it is that you want to have control over it.

I’m left wondering if it’s possible to create a UI that lets users choose exactly what applications can do, without either confusing them or much worse, bombarding them with permission dialogs. Flash certainly failed miserably at it – if you ever turn off local storage in flash and try to browse the web, you’ll find it almost impossible to use most flash programs because they just repeatedly ask for permission to store data. Facebook and most other web apps that allow third party access fail at it too – if you install a Facebook app it gets access to pretty much everything. I’m sure in theory and maybe even in practice they could have more fine-grained permissions but the UI never makes them obvious and I’m not sure it could.

The plus side of all this, is that so far the main issue is really that users are losing their privacy, but as web apps want to do things like monitor folders for new files or any of the other niceties that desktop applications can take advantage of3{#footlink3:1252003623044.footnote}, it’s going to become more and more of an issue. How are we going to ensure that clicking a link is still safe?

1 – Currently they can only tell if you are using your browser or not, if you switch to another application they can’t tell if you walk away from your computer or if you’re busily using a different application.↩

2 – Depending on the plugins you have installed and if you approve special rights it could be completely unrestricted of course. ActiveX made a mess of that model, causing major security problems in Internet Explorer and has since been put behind a lot of scary warning/approval processes.↩

3 – and the Chrome OS is certainly going to be pushing the envelope very quickly in this area↩