

Ask HN: What are the biggest limitations of HTML5? - chrisringrose

Ubuntu's and Firefox's mobile OS'es are coming soon, and Google's Chrome OS is on the rise (the Chromebook was Amazon's #1 selling laptop). It seems like we should start taking "web apps", or whatever you want to call them, more seriously.

BUT, there are undeniably some serious limitations. I think it's time we start openly discussing these problems, and how they can be addressed.
======
itsprofitbaron
Here are some of the biggest challenges HTML5 faces:

- Security e.g. users shouldn't trust a client based HTML5 with any serious
data collection.

- Local Data - Storage is limited & it can be manipulated

- Syncing offline apps - Determining which is the latest version etc

- If the browser vendors won't implement something, it won't get implemented.
This has also led to

- Format Incompatibilities e.g. try audio/video tags across the major
browsers

~~~
chrisringrose
_Security e.g. users shouldn't trust a client based HTML5 with any serious
data collection._

- I'm not sure why you say that. I do online banking all the time. It is
possible to code something secure and tight, but I'll admit it's not easy. I
think security will always be an issue, even with native apps.

_Local Data - Storage is limited & it can be manipulated_

- True, storage needs to be unlimited. As for manipulating it, this is also
true of native apps. Without jailbreaking, I can manipulate a save file for
almost any iPhone game. The security issue (again) depends on the developer,
and how they protect the data.

_Syncing offline apps - Determining which is the latest version etc_

- Yup, that's a challenge too. But also a challenge native apps face. When I
make a note on an offline iPhone in the notes app, and then edit the same note
on my Mac, it creates a duplicate when the iPhone is back online. It should
probably be up to the developer how to handle this, whether the app is native
or HTML5.

_If the browser vendors won't implement something, it won't get implemented.
This has also led to_

- Yes, this I think is one of the biggest challenges. People buy a computer,
it comes with a browser default, and they never change or update it. It's hard
enough to get the W3C to add new features, let alone browsers to implement
them, and even harder still to get users to update their browsers.

_Format Incompatibilities e.g. try audio/video tags across the major
browsers_

- Yup, similar issue.

~~~
itsprofitbaron
Regarding your Security point, the fundamental problem with HTML5 and the way
online banks use their security is that with HTML5 ultimately the user has
control over the code which is running on their machine. Browsers come with
decent debugging tools making it easier to abuse (and there are even better
ones as plugins).

Using the browser's debugger (or your one of choice) you can simply go to a
website running on HTML5 and insert a few breakpoints and watch what happens.
All someone would have to do is edit the variable(s) which hold the data to
anything they'd desire.

You can argue there are limits to these potential exploitations but some of
the tools are as complicated as the compiler itself - and when companies are
trying to push out a feature as quickly as possible, security issues are often
overlooked. For example have a look (if you haven't already) at
<http://plaintextoffenders.com/> which shows websites which store passwords in
plain text. Sure my example relates to a different issue but if websites are
prepared to store passwords in plain text then inevitably, they will overlook
other potential security issues.

When money is involved, any minor potential exploitation is taken advantage of to
the fullest extent. Hence I still believe HTML5 apps shouldn't be trusted with
any serious data collection.
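
Added example, not part of the original thread: a sketch of the server-side half of the point argued above, where anything held in page variables can be edited in a debugger, so the server recomputes every decision from its own data. The ledger, account names, `clientBalance` field and function names are hypothetical.

```javascript
// Added example (constructed): the server keeps the authoritative ledger.
// Amounts are integer cents. Account names and request fields are hypothetical.
function createLedger(initial) {
  return new Map(Object.entries(initial));
}

// sessionUser comes from the server-side session, never from the request body.
function applyTransfer(ledger, sessionUser, request) {
  const { from, to, amount } = request;

  // The client may claim any source account; only the session identity counts.
  if (from !== sessionUser || !ledger.has(from)) return { ok: false, reason: "account-mismatch" };
  if (!ledger.has(to) || to === from) return { ok: false, reason: "bad-recipient" };

  // Reject strings, floats, NaN, zero and negative values.
  if (!Number.isSafeInteger(amount) || amount <= 0) {
    return { ok: false, reason: "bad-amount" };
  }

  // request.clientBalance is deliberately ignored: it lives in the page,
  // so the user can set it to anything. Only the ledger value is checked.
  const balance = ledger.get(from);
  if (amount > balance) return { ok: false, reason: "insufficient-funds" };

  ledger.set(from, balance - amount);
  ledger.set(to, ledger.get(to) + amount);
  return { ok: true, balance: ledger.get(from) };
}

// Constructed requests: one honest, three with client-side values edited.
function demo() {
  const ledger = createLedger({ alice: 5000, bob: 1000 });
  const requests = [
    { from: "alice", to: "bob", amount: 2000, clientBalance: 5000 },     // honest
    { from: "alice", to: "bob", amount: 900000, clientBalance: 999999 }, // balance edited
    { from: "bob", to: "alice", amount: 100 },                           // source edited
    { from: "alice", to: "bob", amount: -500 },                          // sign flipped
  ];
  const outcomes = requests.map((req) => {
    const r = applyTransfer(ledger, "alice", req);
    return r.ok ? "ok" : r.reason;
  });
  return outcomes.concat([ledger.get("alice"), ledger.get("bob")]);
}
```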

------
RRRA
I'm no expert (yet?) but my understanding is that unless you are in a web-app
(in the OS sense, i.e. not in a browser strictly speaking) you lose access to
features like real sockets and such. WebRTC looks awesome but the fact that we
still can't build a true P2P system in HTML5 is a big failure from my point of
view... Still, I think this is the way to go for now, not strictly of
course... :)

~~~
chrisringrose
Interesting idea. So instead of browsers forcing everything over HTTP(s),
allow all kinds of transmission?

------
fatalerrorx3
"Real sockets" you mean you don't count web sockets as real sockets? I think
it will get there, eventually, just needs more time. Browsers have evolved a
lot over the years, but it all comes down to the fact that the organizations
in charge of creating the standards (W3C) move a little too slow.

~~~
chrisringrose
True, which is another problem web apps face - waiting for the W3C to adopt
something new. Native apps run on OSes that change several times a year,
introducing new features. New HTML5 features seem to take two years - and
worse still, every user must update their browser to get them.

------
dotborg
Biggest limitations of HTML5:

- security causes a lot of limits for users and developers

- unhealthy competition between browser vendors, example:
WebGL@InternetExplorer

- it's limited to 3 languages: HTML, CSS, JS (and its derivatives)

~~~
chrisringrose
_security causes a lot of limits for users and developers_ - Security will
probably always be an issue, even with native apps. Anything specific you
think could be changed to make web apps safer?

_unhealthy competition between browser vendors, example:
WebGL@InternetExplorer_ - Agreed. Especially when one browser strays from
what's supposed to be "standard", yet rarely is.

_it's limited to 3 languages: HTML, CSS, JS (and its derivatives)_ - Agreed.
Google's working on a compiled web language, but it will only work in Chrome.
They're attempting to make it a standard, but I'm not sure if any other
browsers would put the effort into supporting it. And a whole new system like
this would take years to implement. But still possible....

