[Public WebGL] Webgl

Mark Callow [email protected]
Wed May 11 20:50:18 PDT 2011


On 12/05/2011 11:37, Glenn Maynard wrote:
> On Wed, May 11, 2011 at 10:22 PM, Mark Callow <[email protected]> wrote:
>
>     My view, which is shared by many others, is that while such apps
>     could give WebGL a bad name, they are not a security threat and
>     not even a particularly serious problem. If some site/WebGL app
>     causes your system to crash or be unresponsive, you won't go there
>     again. Problem solved.
>
> I agree it's not equivalent to a security threat, but I strongly
> disagree that it's not a serious problem if it happens.  No site
> should ever be able to crash my browser, much less my system; any bugs
> that allow this to happen are very serious.  Fortunately, from what
> I've seen, vendors aren't dismissing this so casually.
I am not dismissing it casually. The graphics implementations definitely
need to become more robust. If it does happen, it is for sure an
unpleasant experience, but it is one you can easily avoid repeating.
>
>     As for cross-domain image stealing, the WG is currently discussing
>     this issue. The ability to incorporate cross-domain images into
>     WebGL scenes provides great utility to developers, so the WG is
>     considering requiring Cross Origin Resource Sharing (CORS) opt-in
>     or other mechanisms to prevent abuse of this capability.
>
> The cross-domain issue Benoit is referring to is different.  Browsers
> already prevent reading images cross-domain directly; the issue here
> is that you can get around that with timing attacks, which is much
> harder to prevent.  (I agree that CORS or similar is critical.)
It is the same issue. One solution is to forbid the use of cross-domain
images as textures; another is CORS.

Regards

    -Mark
