W3C Buries Web SQL Database Standard

Friday, December 03, 2010

Rafal Los


I have to admit I didn't see this coming... it seems they've reached an impasse.

The W3C page on "Web SQL Database" (defined as "an API for storing data in databases that can be queried using a variant of SQL") now reads like this:

"Beware. This specification is no longer in active maintenance and the Web Applications Working Group does not intend to maintain it further"

It goes on further to state, in a big red box:

"This document was on the W3C Recommendation track but specification work has stopped. The specification reached an impasse: all interested implementers have used the same SQL back-end (Sqlite), but we need multiple independent implementations to proceed along a standardization path."

The warning continues with "Implementers should be aware that this specification is not stable. Implementers who are not taking part in the discussions are likely to find the specification changing out from under them in incompatible ways..." No chance for a security problem there, then.

All hope for shoe-horning databases into web browsers is not lost, however, as there are still two active projects which will now (hopefully) receive the attention: Web Storage and the Indexed Database API, the latter of which is endorsed by all browser vendors and is receiving the bulk of the standards work now.

While I am clearly not a fan of shoving databases (even pretty ones like Sqlite) into our browsers, I have to say at least this standards group was thinking about security. But then again, the nuance is in the wording.

All interested implementers have the same SQL back-end, but apparently not every browser is in that "interested" category.

What irks me about this standards document going the way of the dodo is that it actually made an attempt to confront security head-on for issues like SQL injection, with the executeSql() method and by strongly discouraging the construction of SQL queries "on the fly".
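To make the "on the fly" point concrete, here is an added example (not code from the original post or from the W3C specification) contrasting a statement built by string concatenation with one that passes the user-supplied value through the argument array of executeSql(). The recording transaction object, the sample input and the small guard function are constructed for this illustration so it runs outside a browser; the call shape tx.executeSql(sqlStatement, arguments, ...) follows the Web SQL draft.

```javascript
// Added example: concatenated SQL versus bound arguments in a Web SQL style
// executeSql() call. Nothing here is from the original post or the W3C draft.

// Vulnerable pattern: the input becomes part of the SQL text, so a quote in it
// changes the structure of the statement instead of staying a plain value.
function buildUnsafeQuery(username) {
  return "SELECT * FROM users WHERE name = '" + username + "'";
}

// Hardened pattern: the SQL text is fixed and the value travels separately in
// the argument array, to be bound by the engine rather than spliced into text.
function buildSafeQuery(username) {
  return { sql: "SELECT * FROM users WHERE name = ?", args: [username] };
}

// Cheap structural check used only for demonstration: a statement whose
// single quotes do not pair up has had its literal boundaries disturbed.
function hasBalancedQuotes(sql) {
  let quotes = 0;
  for (const ch of sql) if (ch === "'") quotes++;
  return quotes % 2 === 0;
}

// Count '?' placeholders outside string literals. Assumption: a simple scan is
// enough for the fixed statements an application ships; this guards against
// developer mistakes and is not an SQL parser.
function countPlaceholders(sql) {
  let count = 0;
  let inLiteral = false;
  for (const ch of sql) {
    if (ch === "'") inLiteral = !inLiteral;
    else if (ch === "?" && !inLiteral) count++;
  }
  return count;
}

// Wrapper around a transaction that refuses a call whose argument count does
// not match the placeholder count (a placeholder written but no value passed,
// or values passed to a statement that has none).
function safeExecuteSql(tx, sql, args) {
  const expected = countPlaceholders(sql);
  if (expected !== args.length) {
    throw new Error(
      "executeSql: statement has " + expected + " placeholder(s) but " +
      args.length + " argument(s) were supplied"
    );
  }
  tx.executeSql(sql, args);
  return { sql, args };
}

// Constructed stand-in for a SQLTransaction so the example runs offline; it
// only records what would have been handed to the database engine.
function makeRecordingTransaction() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args) { calls.push({ sql, args: args.slice() }); },
  };
}

// Worked run with a constructed input containing a single quote.
function demo() {
  const input = "O'Brien";
  const unsafe = buildUnsafeQuery(input);   // quote ends the literal early
  const tx = makeRecordingTransaction();
  const safe = buildSafeQuery(input);
  safeExecuteSql(tx, safe.sql, safe.args);  // value bound as data, text unchanged
  return { unsafe, unsafeBalanced: hasBalancedQuotes(unsafe), sent: tx.calls[0] };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

With the input above, the concatenated statement comes out with three single quotes, so its structure has already changed before it reaches the engine; the parameterised form sends the fixed statement plus the untouched value, which is exactly what the specification's discouragement of ad hoc query construction was trying to preserve.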

So much for trying to be 'secure'.

So what really happened? I have it on good authority that Mozilla and Microsoft just didn't want to go down the WebSQL route. So the two couldn't agree - I'm shocked.

But the good news for developers who like to cram databases into our browsers is that the new "Indexed Database API" has the support of all the browser vendors... at least for now. 

Although I keep saying that things are most secure when they're simple, the new specification is orders of magnitude more complex (more documentation, moving parts, bits) than the Web SQL Database, which had security as a principle.

What could possibly go wrong, right?

Cross-posted from Follow the White Rabbit

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
