On Wed, Dec 7, 2011 at 7:23 PM, Vincent Hardy <[email protected]> wrote: > @chris > >>> So I take back my statement that CSS Shaders are less dangerous than >>> WebGL. They are more!!! > > It seems to me that the differences are: > > a. It is easier to do the timing portion of a timing attack in WebGL because > it all happens in a script and the timing is precise. With CSS shaders, the > timing is pretty coarse. > > b. The content that a CSS shader has access to may be more sensitive than > the content a WebGL shader has access to because currently, WebGL cannot > render HTML (but isn't it possible to render an SVG with a foreignObject > containing HTML into a 2D canvas, and then use that as a texture? In that > case, wouldn't the risk be the same? Or is the canvas tainted in that case > and cannot be used as a texture?).
Bear in mind that these security problems have been addressed in WebGL. WebGL no long suffers from these vulnerabilities. > @charles > >>> Can this proposal be moved forward on CORS + >>> HTMLMediaElement, HTMLImageElement and HTMLCanvasElement? > > At the last FX meeting, I got an action to sync. up with the CORS group and > discuss how CORS would apply to CSS shaders. It's very unclear to me how CORS can help in this situation. Can you explain what you have in mind? Adam _______________________________________________ webkit-dev mailing list [email protected] http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
