W3C Buries "Web SQL Database Standard"

I have to admit I didn't see this coming... it seems they've reached an impasse.


The W3C page on "Web SQL Database" (defined as "...an API for storing data in databases that can be queried using a variant of SQL.") reads like this:


"Beware. This specification is no longer in active maintenance and the Web Applications Working Group does not intend to maintain it further"


It goes on further to state, in a big red box:


"This document was on the W3C Recommendation track but specification work has stopped. The specification reached an impasse: all interested implementers have used the same SQL backend (Sqlite), but we need multiple independent implementations to proceed along a standardization path."


The warning continues with "Implementers should be aware that this specification is not stable. Implementers who are not taking part in the discussions are likely to find the specification changing out from under them in incompatible ways" ... no chance for a security problem here.


All hope for shoe-horning databases into web browsers is not lost, however, as there are still 2 active projects which will now (hopefully) receive the attention: Web Storage and Indexed Database API, the latter of which is endorsed by all browser vendors and receiving the bulk of the standards work now.


While I am clearly not a fan of shoving databases (even pretty ones like Sqlite) into our browsers, I have to say at least this standards group was thinking about security. But then again, the nuance is in the wording. All interested implementers have the same SQL back-end, but apparently not every browser is in that interested category. What irks me about this standards document going the way of the Dodo bird is that they actually made an attempt to confront security head-on for issues like SQL injection, with the executeSql() method and by strongly discouraging the construction of SQL queries "on the fly". So much for trying to be 'secure'.
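The contrast the spec was drawing between "on the fly" query construction and bound arguments to executeSql(), as an added example that is not from the W3C document or the original post. The `notes` table, the function names and the recording stand-in for the transaction object are assumptions made here so the code runs outside a browser.

```javascript
// Added example: not code from the Web SQL spec or from the original post.
// The "notes" table and all function names are hypothetical.

// Discouraged: user input concatenated into the statement text "on the fly".
function findNotesConcatenated(tx, author, onRows) {
  tx.executeSql("SELECT id, body FROM notes WHERE author = '" + author + "'",
                [], function (_tx, rs) { onRows(rs.rows); });
}

// Encouraged: constant statement text, input bound to the ? placeholder.
function findNotesBound(tx, author, onRows) {
  tx.executeSql("SELECT id, body FROM notes WHERE author = ?",
                [author], function (_tx, rs) { onRows(rs.rows); });
}

// Recording stand-in for a transaction object (an assumption, so the example
// runs offline): it captures what would be handed to the SQL backend.
function makeRecordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args, onSuccess) {
      calls.push({ sql, args });
      if (onSuccess) onSuccess(this, { rows: [] });
    },
  };
}

// Constructed input containing SQL metacharacters.
const SAMPLE_INPUT = "x' OR '1'='1";

// Runs both variants and returns the recorded (statement, arguments) pairs.
function compare(input) {
  const tx = makeRecordingTx();
  findNotesConcatenated(tx, input, () => {});
  findNotesBound(tx, input, () => {});
  return tx.calls;
}

for (const c of compare(SAMPLE_INPUT)) console.log(c.sql, c.args);

// In a browser that still exposes Web SQL, the same function takes a real transaction.
if (typeof openDatabase === "function") {
  const db = openDatabase("demo", "1.0", "demo database", 1024 * 1024);
  db.transaction(function (tx) {
    tx.executeSql("CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)");
    findNotesBound(tx, SAMPLE_INPUT, (rows) => console.log(rows.length));
  });
}
```

In the concatenated call the input becomes part of the statement the backend parses; in the bound call the statement text is identical for every input and the value travels separately.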


So what really happened? I have it on good authority that Mozilla and Microsoft just didn't want to go down the WebSQL route. So the two couldn't agree - I'm shocked. But the good news for developers who like to cram databases into our browsers is that the new "Indexed Database API" has the support of all the browser vendors ...at least for now. Although I keep saying that things are most secure when they're simple, the new specification is orders of magnitude more complex (more documentation, moving parts, bits) than the Web SQL Database, which had security as a principle.


What could possibly go wrong, right?

The opinions expressed above are the personal opinions of the authors, not of HP.