[Public WebGL] Webgl

Mark Callow [email protected]
Wed May 11 19:22:39 PDT 2011


An excessive majority of the article is about what Context terms
"denial of service" attacks, by which they mean it is fairly easy for a
WebGL app to make a system unresponsive or even crash (due to shader
execution taking a long time and lack of robustness in the graphics
driver).  These things have been talked about exhaustively on both this
list and in the WG and are being addressed by ARB_robustness extensions
being added to the graphics drivers.

My view, which is shared by many others, is that while such apps could
give WebGL a bad name, they are not a security threat and not even a
particularly serious problem. If some site/WebGL app causes your system
to crash or be unresponsive, you won't go there again. Problem solved.

As for cross-domain image stealing, the WG is currently discussing this
issue. The ability to incorporate cross-domain images into WebGL scenes
provides great utility to developers, so the WG is considering requiring
Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to
prevent abuse of this capability.

Regards

    -Mark


On 12/05/2011 02:04, Benoit Jacob wrote:
> The only real exploit at this point is the cross-domain image stealer
>   http://www.contextis.co.uk/resources/blog/webgl/poc/index.html
> I'm working on it (speaking only for Mozilla).
>