Hard Truths About HTML5

snydeq writes "Peter Wayner discusses a number of hard truths Web developers must accept in making the most of HTML5 — especially those who are looking to leverage HTML5 in hopes of unseating native apps. 'The truth is, despite its powerful capabilities, HTML5 isn't the solution for every problem. Its additional features are compelling and will help make Web apps formidable competitors for native apps, but security issues, limitations of local data storage, synchronization challenges, and politics should have us all scaling back our expectations for the spec.'"

On no. 1 & 3: Never trust the client

[mikael_j]

Seriously, how is this hard? Don't trust the client, store things like geolocation data and other such things server-side.

Sure, not everything can be stored server-side but something like coordinates can easily be stored server-side (preferably linked to your current session in case you are logged in from more than one location so posts from your cellphone don't show up as posts from your home and vice-versa).

Re:On no. 1 & 3: Never trust the client

Seriously, how is this hard? Don't trust the client, store things like geolocation data and other such things server-side.

You say that as if it's not creepy.

Re:On no. 1 & 3: Never trust the client

[moberry]

I try to work my web-apps in the MVC style -- or at least the "VC" style. The browser is the view, the only thing it gets sent is data to display. It is fairly simple to through a debugger up and see exactly how the server API works, but it's also fairly simple to ensure your API is only servicing valid requests and all data is being validdated/escaped/etc.

Nothing

[Whuffo]

Yes, I read TFA. It wasn't very illuminating; the author essentially says that since the client side can alter the transactions, HTML5 has security problems.

That's kind of stupid; whose security are we talking about here, anyway? Clearly not the end user - and I'll feel free to use various add-ons to alter the web pages I visit to improve my security and privacy

Can I have an "Ahmen!" or at least a "well duh!"?

[erroneus]

Despite the power and awesomeness that is the growing new web environment, the browser is the client and the application runs on the server.

Rich, exciting, thrilling and awesome experiences on the client side be damned, the server, the data and the application should never trust the client. I always thought this was a fundamental reality of the web that everyone knew. But recently, with all this version number craziness we have been seeing of Firefox lately, I have come to realize that there are a lot of lessons that have to be re-learned "the hard way" along the way.

Hard Lesson #1 (for Firefox), don't screw with your users or you won't have them long.

Hard Lesson #2, it's a "browser" and a "standards compliant browser" at that. This will mean it is very replaceable or interchangeable. Don't overestimate your worth to the user. Whatever it takes to see the truth, "the browser is not the thing" ; it's how you get to the thing.

Throughout computer history, we have seen patterns emerge. The computer is too over-loaded, so move computing outward to the desktop. The desktop is too overloaded, so move computing back to the server. The desktop and the server are too overloaded and the IT departments are too burdened and expensive, so move computing "to the cloud!" (aka, someone else's servers) All these changes over time indicate a behavior of aversion -- seeking to avoid a problem. That's all well and good, but it doesn't seem to address the problem on the merits of the situation and is certainly not accepting of reality. That reality is that the data and the services are "the things." There are costs associated with those things and they must be managed. But "the things" are the things and they must be valued and handled appropriately and all the things surrounding "the things" need to be held in perspective.

HTML numbering scheme

[dokc]

I'm going to wait for HTML 6.

You didn't hear? Numbering is "out".
It will be just HTML in the future and the version numbers will be hidden from average users.

Re:HTML numbering scheme

[Canazza]

They're not dropping numbers.

Mozilla just stole them.

Naivety

[localman]

"HTML5 isn't the solution for every problem."

And anyone who thought it was has not been programming for very long, or simply doesn't learn from history.

On the plus side, HTML5 should make some aspects of life a bit easier, and hopefully introduce only a small number of new challenges.

Cheers.

Holding off using it for other reasons

[Xest]

Frankly, the spec is a bit of a joke.

The semantic tags are out of date before the spec has even finalised, because it doesn't cover thing like comments tags which are prominent in todays sites, illustrating what a dumb decision it was to add a bunch of random semantic tags based on an arbitrary web survey carried out years ago. Semantics should be applied to classes just like styles are using a semantic definition language. This would of course have the advantage of allowing 3rd parties to produce semantic definition archives for no longer maintained sites etc. that browser could look up but well, there you go, that's what happens when people who apparently don't have even the slightest grasp of separation of concerns get their hands on something as fundamental as an HTML spec. It's like they didn't even realise why it's better to not have all your styles embedded in your document structure markup - i.e. your HTML and hence why CSS was developed the way it was.

Thus far it seems to have taken the web backwards in terms of compatibility, many of the new features work differently in different browsers, harking back to the days of HTML3/4 and Netscape/IE battles.

XML syntax seems discouraged which means you'll run into more people using the SGML syntax which seems to be pushed more than XML which makes the web more of a ballache to work with- no more of a push towards simple XSLT to trivially move data around and into and out of web displayable formats and instead a push away from that. I don't really care if it's served as XML or not, the point is that if it's not well formed XML it becomes a massive ballache to deal with, because XML tools and libraries are so prevalent.

The ethos surrounding HTML5 is that well, lots of old sites didn't follow newer standards, so lets make those web sites standard by taking everything they did shit, and making that standard. So great, yes, let's make shit, the standard. No, that's not how standards work- standards define a high quality that allows maximum compatibility which developers should strive to adhere to, if some don't then don't cater to them- just point out they're shit because they're not standards compliant.

Really, I don't think I'll touch it unless it gets to the point where you can't avoid it. I think I'll wait for a spec that's written by adults than a bunch of PHP kiddies who don't have the first clue about how to right good web software, and instead prefer to bung any old shit into the mix and call it a standard. Not to mention the drama about it being a living standard- good standards don't need to be living, good standards are generic and flexible enough to be future proof for a good number of years - you know, like, say, the XML spec.

It's not that I don't like some of the new features proposed in HTML5 like canvas etc., I think they're great ideas. It's just a shame the rest of it is just so painfully amateurish from a software development perspective. The net result is a spec that basically takes the web back to where it was 10 years ago- a messy inconsistent mess of arbitrary tags that needlessly duplicate functionality, causing annoying ambiguity with a dash of incompatibility chucked in to boot.

I'm hoping for a quick iteration to XHTML6, run by people who actually know what they're doing so we can just bypass the mess that is HTML5, but that's probably a bit much to hope for.

Re:Holding off using it for other reasons

[Xest]

"Another sad case of a XML brainwashed believer...."

Believer? that implies I merely believe XML is useful. No, sorry, many of us in the real world actually find XML useful. We develop large systems where XML helps no end. I'm sorry that you've never worked on a project where XML has come in useful, but some of us are competent enought o actually use the right tool for the job.

"XSLT, trivial? Have you ever tried doing anything useful with it?"

Yes thanks. We had an old black box system that we needed to integrate with a new web based system, it produced web pages that were thankfully at least XHTML1 compliant. Because we couldn't yet get rid of this system we were fortunately able to XSLT transform the output into useful data, and feed back inputs to it to transparently integrate it with the new system. If it had only adhered to HTML5's bastardised SGML syntax then it would've been a nightmare to integrate with this legacy system.

"XML/XHTML was written for the parsers. HTML5 was written for web developers. You may say the standard is "shit", the practices are "amateurish" (when benchmarked against what they teach you in the textbooks), but all that counts is what people are able to do with the stuff."

Right, and this is the problem. Too many developers haven't come from a professional background. They write code that would make old school C++ developers, and high end Java developers alike cry themselves to sleep at night. They managed to get a basic site working in PHP once, and have moved on from their, they don't understand what MVC or OOP is and don't see why they should because they never needed it so just carry on as normal. The problem is, they're also the ones who are responsible for sites that are always falling over, getting hacked, miserably hopeless in terms of scalability. Stuff isn't put into textbooks for a laugh, or to give you something to study, it's put in there base on experience, it's put in there so that you don't repeat the mistakes made by others before you - and there's the problem, too many web developers do repeat those mistakes time and time again, which is why things like SQL injection and XSS attacks are some of the most common to this day, despite solutions to them being long available and known, well, if you read the textbooks that is.

"Theoretical aesthetic purity is not an ends in itself. The "separation of concerns", "removal of arbitrary tags/duplicate functionality", "future proof" stuffs actually make the XML/XHTML spec more useless, harder to work with, and decreases productivity. You may marvel at its aesthetic beauty, but for people like us who actually need to do things on a schedule, those restrictions hinder our productivity when there's no way to opt out of it."

You are a terribly developer. Sorry, it needs to be said. You've basically admitted you're writing terrible code just to get something working. Your code is the type of code responsible for nightmarish maintainability, horrendous bugs and security exploits. Please, get the fuck out of the software development industry now. We don't need more bad software. I understand that in some places the constraints are such that speed of development and hence reduced cost is put well over and above quality but that's not the same everywhere. Please don't assume your complete lack of focus on quality is universal.

"For example, if people use bold text all the time, then why shouldn't we be able to bold-text? Why should we have to , or worse, write up a crazy "semantic" document and then add the XLST? Isn't that overkill?"

It depends. Sure it might take you an extra 5 minutes today, but that's 5 hours saved tommorrow when you have to come back and fix things. Separating off semantics means that for larger software teams you can even have people dedicated to looking after just that, so the developers can focus on developing, without getting in each other's way.

"The HTML spec people took 10 years to realize the mistake of going the XML way. It seems that you still

Re:Holding off using it for other reasons

[brunes69]

"XML/XHTML was written for the parsers. HTML5 was written for web developers"

You seem to be completely glossing over / forgetting the fact that in order for the "web developer"'s site to be farmed out, it needs to be served up by an engine, written by a software developer - one who has a metric crapton of libraries and tools all geared toward working with XML.

This is of course also completely glossing over the fact that there is basically no one in the industry anymore who is simply a "web developer". Try getting a job in a real workplace with nothing in your skillset but HTML and script, and you will be laughed out of the building. All companies want real software developers nowadays - and those developers appreciate well-formed syntax sets.

Re:Holding off using it for other reasons

[Xest]

I think there's a fair bit of mileage in what you've said.

Let's be honest the web wasn't designed for interactive applications and I think there's a fair question as to whether if that's what we want, then shouldn't we build a tool for just that rather than mangling HTML to try and do it, and do it badly?

It'll take a brave soul to define the next generation of web standards to replace HTML, something that's geared to proper interactive applications rather than mere content display as is the case with HTML. But I don't think you're far wrong in suggesting that that's the real, true solution to the problem. It'll be difficult if not only because it'd mean getting the browser manufacturers on board, and they couldn't even get the relatively trivial task of implementing proper XML display engines in place- something which you quite righly note, the likes of Microsoft with WPF, and many other such manufacturers have done with ease in their technologies.

Whether it's WPF or something else (probably something else, because I doubt people want a Microsoft technology becoming dominant on the web!), that sort of solution is certainly optimal.

Re:Holding off using it for other reasons

[jalefkowit]

XML/XHTML was written for the parsers. HTML5 was written for web developers.

I'm a web developer who was also a member of the W3C's HTML Working Group (the group where the HTML5 spec was hammered out) during the development of HTML5, and I can tell you that if you believe that HTML5 was written for web developers, you are wrong. HTML5 was written by and for browser vendors -- Google, Apple, Mozilla, Opera, and (somewhat) Microsoft. The opinions of other Web stakeholders were of minimal concern. Concerns about the spec raised in the WG by anyone who wasn't a browser implementer were routinely shouted down with threats to withdraw from the W3C process completely by those who were. Some who advanced concerns, like accessibility professionals, were actually derided in quite personal terms by representatives of the browser vendors, both in official WG communications and in their own private back channels (like IRC), which invariably leaked. (Here's a good writeup of some of the friction that existed in the WG between browser vendors and everybody else.)

There are a lot of things in HTML5 that I'm looking forward to being able to use, but if you're a web developer you shouldn't kid yourself into thinking that HTML5 was written for you. It wasn't. Almost every decision made in the development of HTML5 was made to make Google's life easier, not yours.

Re:"Software engineers" don't do web programming

[maxwell+demon]

Just wait until we get the ultimate XML programming language.

<statement>
  <assignment>
    <source>
      <sum>
        <term>
          <variable id="x" />
        </term>
        <term>
          <constant type="int" value="1" />
        </term>
      </sum>
    </source>
    <destination>
      <variable id="x" />
    </destination>
  </assignment>
</statement><!-- x=x+1 -->

Native Apps gone? Not in the next 10yrs at least

[geekpowa]

I've done extensive, years and years of programming in Native apps and I have done quite a few years in web apps too; using various stacks and languages.

The idea that the browser is going to replace a rich client any time soon is, in my view, a fools errand. I pity those who have thrown away perfectly good money over the past 10 years trying to make this happen. There are some success stories, like webmail and web-chat and various cloud services; but these things are comparatively simple animals in terms of their data/user complexity. Also there are alot failures which have cost alot of people money.

Browsers have slowly, very slowly eaten into rich client app space. But as soon as complexity of the application reaches a certain level, i.e. level of complexity you typically encounter in an accounting or stock control system, then cost to build the product becomes prohibitive and the UI suffers significant limitations.

Webapps are harder and more expensive and more time consuming to build, and the end result is typically a poorer UI experience. Imagine trying to write something like Gimp, or Open Office, or an accounting package as a web app as opposed to a rich client? Massively more complex. HTML/HTTP has come a long way, but it has to go alot further still if it is ever going to be beaten into a semblance of an architecture that is going to give the rich client application domain a run for its money.

I think it is inevitable a cloud architecture will emerge that kills the native rich app, but I am highly doubtful that HTML/HTTP will be powering that architecture.

The concept of browser is wrong.

[master_p]

Before modding me to oblivion, please hear what I have to say.

The whole concept of browser is wrong. Browsers are a good solution for serving static documents; it is not a good solution for delivering cross platform dynamic applications.

This article about HTML5 proves that no matter what functionality is hardcoded into the specifications, developers might need more or different functionality.

What is required for serving today's distributed world is a mechanism (a service) that does the following:

- lazy downloading of software components (data and code). Code and data are downloaded only when requested. The mechanism makes sure the code/data are cached locally, so as that if the network fails, the application is still usable.

The current technology fails at this because the downloaded software components can only be one of these:

a) Javascript, which comes with a lot of disadvantages (browser needs to have a Javascript interpreter/compiler, Javascript itself has lots of disadvantages etc).

b) a binary file that requires the installation and maintenance of an add on (flash, Java, etc), which in turn does its own maintenance, adding services to the core O/S etc.

All the above could be avoided with a unified component management mechanism.

- automatic versioning of components. Code components should be automatically versioned by the compiler, so as that the linker at the client side can request an updated component only if the available version is newer than the locally cached version. Downgrading would be automatic if the newer component's symbols do not match the symbols required by another component. The mechanism should keep the old versions of components around in case some component cannot work with the newest versions.

The current technology fails at this, because although the browsers check the version numbers of the add ons against the browser, user interaction is required for the acceptance of a solution (i.e. the users have to accept the new versions by clicking OK, meaning that they know if the new version is appropriate for them).

- both native and bytecode components. The component service should be available for native as well as bytecode components. The service will run a virtual machine, the definition of which should be a native component downloaded lazily and cached as described above.

The current technology fails at this, because it doesn't even have the concept of a component, let alone the concept of native or bytecode component. Browsers only know of addons and extensions, and each browser comes with its own addon and extension model.

- a binary (i.e. non-text) metadata protocol. All information exchanged over the network, including software components and data components, should be written in a unified metadata protocol. The protocol itself will not specify semantics, it will only specify structure. Think about this protocol as a binary version of JSON or XML.

The current technology fails at this, because all the used formats are text-based.

I know many people will disagree with the binary protocol and prefer a text protocol. The text protocol doesn't really offer any advantages over such a simple binary protocol. The main advantage of the binary protocol is speed, because of the much less data required to cross the wires compared to text. The main advantage of the text protocol is that the text buffers can be inspected as they are, but if the binary protocol is simple enough (as is JSON, for example), then very little work would be required to make a tool that displays the contents of a binary buffer.

Think about it this way: the cost of writing a tool that displays the above-described binary protocol's contents is extremely minimal when compared to the savings from using the binary protocol.

A unified communication language between computers is extremely necessary as the first basic step for inter-operation between computers: computers may not understand the semantics of the data, but at leas

Re:"Software engineers" don't do web programming

[Eivind]

that looks almost like coldfusion.

<cffunction name="add">
      <cfargument name = "x" type = "integer">
      <cfargument name= "y" type = "integer>
      <cfset var result = x + y>
      <cfreturn result
</cffunction>

I wish I was kidding. And yeah, I -do- know about cfscript.

Analyze the reasons!

[drolli]

>> HTML5 hard truth No. 1: Security is a nightmare The fundamental problem with client-side computing is that the user ultimately has control over the code running on the machine. In the case of Web apps, when your browser comes with a great debugging tool, this control is easier than ever to abuse.

Relying on the client not being able to understand the executed code is not even security by obscurity but even worse. Relying on client-side checks for consistent data (or even authorization - yes i have seen that) was stupid since the beginning of the web (and before).

Layer your spheres of access correctly, and there will be no bigger problem

> HTML5 hard truth No. 2: Local data storage is limited

Local storage is *always* limited. Relying on having near infinite local storage is something which also pisses me off for Desktop apps.

> HTML5 data storage capabilities are certainly an important addition, but you still can't move stored data to another machine, make copies, back it up, or open it with a different app. It's all buried deep where the browser hides it.

You is the user or the service provider? And *nobody* hinders you to implement also local backup mechanisms and free export of the data for the user. If you dont have the creativity or the knowledge to do so, then dont the fuck try to write a serious application. And if you back up you machine, your browser data is backed up with it.

> Nor can you dig into the files to see what is stored there. Sure, a programmer can take them apart, but only after studying the format and doing some hacking. They're not like spreadsheets or text documents that are easy to open with any editor, making the data less resourceful than it might otherwise be in a desktop app.

Wow. As if the average Desktop application would have completely open, understandable and easy to read data formats.....

>HTML5 hard truth No. 3: Local data can be manipulated

Uhm. did we talk about the server-side consistency check. And if its (according to the Truth Nr. 4) so much easier in the case of a pure desktop application to edit the data would that be not better in the sense of Truth Nr. 5?

> HTML5 hard truth No. 4: Offline apps are a nightmare to sync

Yes, always. Hasnt a single thing to do with HTML5

> HTML5 hard truth No. 5: The cloud owes you nothing It's not really fair to blame HTML5 for all of the structural problems with storing your data in the cloud, but the cloud is an essential part of the vision, which leverages the cloud to fix all of the headaches for installing software and backing up data.

The cloud is *not* an essential part of "the vision" of HTML5. It is a promising approach to deliver services cheap, HTML5 or not.

HTML5 hard truth No. 6: Forced upgrades aren't for everyone

Forced upgrades? We never had these before....

What is this. Sony forces updates to the PS. MS forces the installation of the WGA. Whe web-mail providers i use update senselessly all the time, since 10 years.

HTML5 hard truth No. 7: Web Workers offer no prioritization

A well written program relies on message passing and not polling. As a programmer i seldom had to prioritze threads withing an application.

HTML5 hard truth No. 8: Format incompatibilities abound

Yes, thats sad. The standard is still in the flow.

HTML5 hard truth No. 9: Implementations are browser-dependent

html has been browser-dependent since a long time, and so was java (not badly). Native applications are OS-dependent.

So what. An IT professional who thought that HTML5 would be the magic wand to overcome incompatibilities between environments with testing would have been stupid.

HTML5 hard truth No. 10: Hardware idiosyncracies bring new challenges

Funny. What you want to say: make a 3d game and it wont run as well on a handheld device without acceleration? Yes, that has been pretty much my experience the last 20 years.

HTML5 hard truth No. 11: Politics as usual

Honestly? An HTML5 only problem? Well....