[Public WebGL] Webgl

Glenn Maynard [email protected]
Wed May 11 19:37:11 PDT 2011


On Wed, May 11, 2011 at 10:22 PM, Mark Callow <[email protected]> wrote:

>   My view, which is shared by many others, is that while such apps could
> give WebGL a bad name, they are not a security threat and not even a
> particularly serious problem. If some site/WebGL app causes your system to
> crash or be unresponsive, you won't go there again. Problem solved.
>
I agree it's not equivalent to a security threat, but I strongly disagree
that it's not a serious problem if it happens.  No site should ever be able
to crash my browser, much less my system; any bugs that allow this to happen
are very serious.  Fortunately, from what I've seen, vendors aren't
dismissing this so casually.

>  As for cross-domain image stealing, the WG is currently discussing this
> issue. The ability to incorporate cross-domain images into WebGL scenes
> provides great utility to developers, so the WG is considering requiring
> Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent
> abuse of this capability.
>
The cross-domain issue Benoit is referring to is different.  Browsers
already prevent reading images cross-domain directly; the issue here is that
you can get around that with timing attacks, which is much harder to
prevent.  (I agree that CORS or similar is critical.)

-- 
Glenn Maynard