Google Blink Leaves Open Source WebKit Behind - Will Security Suffer?
From the 'open source fork' files:
Google is moving away from WebKit and is now going its own way with a new rendering engine called Blink.
Shocking, isn't it?
The announcement just went live and I still find it somewhat unbelievable that Google is forking away from the WebKit community which enabled it to create Chrome/Chromium and Chrome OS.
But regular open source that others use has never been good enough for Google; they have their own 'itch' and requirements. Google 'improved' Linux with wakelocks in Android, databases with Big Table and MapR, etc. Now Google is going to 'improve' the web by leaving WebKit behind.
"Chromium uses a different multi-process architecture than other WebKit-based browsers, and supporting multiple architectures over the years has led to increasing complexity for both the WebKit and Chromium projects," Adam Barth, Software Engineer at Google, blogged. "This has slowed down the collective pace of innovation - so today, we are introducing Blink, a new open source rendering engine based on WebKit."
Google has pledged to make the transition not too painful for web developers and they are running the effort as an open source project too.
According to Google's Blink page on Chromium, with Blink, large-scale architectural changes to the code can be made without having to worry about breaking other consumers of WebKit.
"One change we’re planning is adding “out-of-process iframes”. These allow Chromium to separate individual parts of a page into separate sandboxed processes.... Another example is how we’d like to fix our networking code to be faster and simpler. Our current networking code in WebKit is limited by old Mac WebKit API obligations which cannot be changed."
All of this sounds good to me for Google and its direct line of users that benefit from Chromium via the Chrome Browser and Chrome OS.
But what about security for WebKit?
Google has been an AMAZING steward of WebKit security, fixing more flaws than anyone else in recent years. With the shift to Blink, I suspect that flow will slow down, as architectural changes take hold.
Google plans on improving memory hardening in Blink and will be making some memory safety changes. This is a good thing for Blink, but not so good for Apple Safari. Look through any recent Apple Safari update and you'll see a dozen or more WebKit use-after-free memory errors found by Google. What will Apple do in the Blink era?
Overall, innovation is all about moving forward and not always being tied to the inertia of legacy deployments. It will be interesting to see what happens to WebKit in the year ahead and whether it continues to grow on its own, or whether developers and browser vendors all choose to embrace a new model instead.