Putting the HTML5 genie back in the bottle in the name of web security?
There's a lot of wisdom in what Crockford continues to say about HTML5 and web security:
The HTML5 proposal does not attempt to correct the XSS problem and actually makes it worse... The fundamental mistake in HTML5 was one of prioritization. It should have tackled the browser's most important problem first. Once the platform was secured, then shiny new features could be carefully added.
It makes a lot of sense in theory, but I doubted the practicality of it in a Dec 2008 item:
HTML5 has a lot of momentum and appears to be doomed to succeed.
I think the wiser course is to get it right first. We have learned the hard way that once an error gets into a web standard, it is really hard to get it out.