WebGL WEBGL_security_sensitive_resources Extension Draft Specification




WebGL working group (public_webgl 'at' khronos.org)


Max Vujovic (mvujovic 'at' adobe.com)

Members of the WebGL working group


Last modified date: September 13, 2013
Revision: 1


WebGL extension #23


Written against the WebGL API 1.0 specification.

Written against the EXT_frag_depth specification.

Written against the WEBGL_draw_buffers specification.

Written against the WEBGL_shared_resources specification.


In the WebGL API 1.0 specification, section 4.2 Origin Restrictions restricts the following sources for texture upload:

This extension allows these sources for texture uploads, with some restrictions regarding their uploading and use.


This extension enables the processing of cross-origin resources in WebGL. Additionally, it defines a foundation of concepts that can be used in future extensions to process other types of security sensitive content, including arbitrary HTML content.

For an example of security sensitive content, consider the rendering of an HTML link. The color of the link can indicate its visited or unvisited state. Third parties must not be able to access or infer this information.

Specifically, third parties must not be able read the pixel data of security sensitive content through WebGL or other APIs. Additionally, third parties must not be able to divulge or approximate the pixel data of security sensitive content by timing WebGL operations.

Prior to this extension, WebGL restricted the upload of security sensitive content as a texture for graphical processing. This extension enables the uploading and processing of security sensitive content, with some restrictions. Note that this extension imposes no restrictions on the processing of regular, non-security sensitive content.

To secure a user’s privacy, a WebGL implementation must not leak information about the contents of security sensitive textures through the execution time of its commands. To achieve this, no part of the underlying graphics pipeline may vary in execution time based on the contents of a security sensitive texture. For example, primitive assembly and depth testing must not vary based on the contents of a security sensitive texture.

The vertex shading and fragment shading stages of the graphics pipeline require particular restrictions to keep their execution time independent of the contents of security sensitive textures. Specifically, the contents of a security sensitive texture must only appear in constant-time GLSL operations. A constant-time GLSL operation is an operation whose execution time does not vary based on the values of its operands. This extension will describe how a WebGL implementation can enforce this requirement.

Additionally, this extension attempts to identify non-constant-time GLSL operations. All other GLSL operations are assumed to be constant time in both the WebGL implementation and the underlying GPU implementation. If this assumption is false on a particular implementation, then this extension must be disabled for that implementation. In the future, GPU vendors may be able to provide a mechanism to guarantee that the assumed GLSL operations are in fact constant-time.


This extension relies on the definition of several constructs in GLSL. These constructs are determined statically, after preprocessing.

Regular Sampler Variables and Secure Sampler Variables

S is a regular sampler if an expression dependent on S appears in one or more of the following constructs:

Otherwise, S is a secure sampler.

Sampler-Dependent Expressions

An expression is dependent on the sampler S if:

Sampler-Dependent Variables

A variable is dependent on the sampler S if:

A WebGL implementation can create a dependency graph in its GLSL compiler to implement these GLSL constructs. One closely related implementation is described in a wiki page.


When this extension is enabled:


interface WEBGL_security_sensitive_resources {
  WebGLFramebuffer? createSecuritySensitiveFramebuffer();
  WebGLTexture? createSecuritySensitiveTexture();

dictionary WebGLContextAttributes {
    GLboolean securitySensitiveDrawingBuffer = false;

New Functions

WebGLFramebuffer? createSecuritySensitiveFramebuffer()
Behaves like createFramebuffer, except framebuffers created with this function are referred to as security sensitive framebuffers. Framebuffers created with createFramebuffer are referred to as regular framebuffers.
WebGLTexture? createSecuritySensitiveTexture()
Behaves like createTexture, except textures created with this function are known as security sensitive textures. Textures created with createTexture are known as regular textures.


In summary, an author cannot:

The error INVALID_OPERATION is generated in the following situations:


Revision History

Revision 1, 2013/09/13