A few weeks ago, Google became aware of a security issue with WebGL: shaders could be used to indirectly deduce the contents of textures uploaded to the GPU. As a result, Chrome 13 (and Firefox 5) will no longer allow cross-domain media as a WebGL texture; the default behavior will be a DOM_SECURITY_ERR. However, applications may still use images and videos from another domain with the cooperation of the server hosting the media, through Cross-Origin Resource Sharing (CORS).
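The rule described above, as an added example that is not part of the original post: `classifyTextureSource` is a hypothetical helper that models when a browser treats an image as usable for a WebGL texture, and `loadCrossOriginTexture` is a hypothetical browser-side loader that opts in to CORS. The function names and any hosts passed to them are assumptions made for illustration.

```javascript
// Added example: models the origin check applied before texImage2D accepts media.
// Function names and sample hosts are assumptions, not from the original post.
function classifyTextureSource({ pageOrigin, mediaUrl, crossOrigin, headers = {} }) {
  const page = new URL(pageOrigin).origin;
  const media = new URL(mediaUrl, pageOrigin).origin;
  if (media === page) return "allowed"; // same origin: never tainted

  // No crossorigin attribute: the image is fetched without CORS, is tainted,
  // and the texture upload throws a security error.
  if (crossOrigin === undefined || crossOrigin === null) return "security-error";

  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allowOrigin = h["access-control-allow-origin"];

  if (crossOrigin.toLowerCase() === "use-credentials") {
    // Credentialed requests need the exact origin (no wildcard) and Allow-Credentials.
    const ok = allowOrigin === page && h["access-control-allow-credentials"] === "true";
    return ok ? "allowed" : "load-failed";
  }
  // Anonymous mode (any other attribute value, including ""): wildcard or exact origin.
  return allowOrigin === "*" || allowOrigin === page ? "allowed" : "load-failed";
}

// Browser-side use: opt in to CORS before setting src, upload only after load.
function loadCrossOriginTexture(gl, url, onReady) {
  const img = new Image();
  img.crossOrigin = "anonymous"; // must be set before src
  img.onload = () => {
    const tex = gl.createTexture();
    gl.bindTexture(gl.TEXTURE_2D, tex);
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, img);
    onReady(tex);
  };
  img.onerror = () => onReady(null); // server did not grant CORS access
  img.src = url;
}
```

The media server's side of the cooperation is the `Access-Control-Allow-Origin` response header; without it, an image requested with `crossOrigin` set fails to load rather than loading tainted.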
Dr. Jon Peddie from Jon Peddie Research has tried to make sense of the recent WebGL security issues raised by various companies. He writes "If we can never expose any graphics drivers to the web - we can never have ANY GPU graphics in the browser - and that’s not going to happen." Jon Peddie was recently named one of the most influential industry analysts; he is frequently quoted in trade and business publications, contributes articles to numerous publications, and appears on CNN and TechTV.
Whether you were at WebGL Camp #3 or you missed it, now is your chance to watch all the speakers online.
Avi Bar-Zeev, a Principal Architect at Microsoft, was disappointed by recent Microsoft headlines parroted from a recent security scare report. He writes "Is WebGL actually harming your computer in any way? I doubt that’s a serious or credible claim. And, frankly, if Microsoft has taken a formal position against WebGL, no one I know got the memo." Avi goes on to express his thoughts on the pros and cons of Microsoft supporting WebGL vs running away from it. If you have only 5 minutes to read something today, make it this well-thought-out article on the future of WebGL and your 3D user experience. Avi's article ends with "There is clearly only one direction forward for Microsoft and 3D on the web. WebGL is the way."
WebGL Camp #3 is just around the corner. This Friday, June 10th at 8:30AM, WebGL Camp #3 will start. There is an impressive line-up of speakers at 1300 Crittenden Lane, Mountain View, CA, a Google Campus. Included in the roster are Tony Parisi, co-inventor of VRML; Opera; Screampoint; Google; Katalabs; and Neil Trevett, president of The Khronos Group; plus many more. Registration is open and free.
Patrick Cozzi and Christophe Riccio invite you to contribute to OpenGL Insights, a book containing original articles on OpenGL, OpenGL ES, and WebGL techniques by the OpenGL community and for the OpenGL community: from game programmers to web developers to researchers. OpenGL Insights will be published by A K Peters Ltd. / CRC Press in time for SIGGRAPH 2012. Given the wide array of OpenGL platforms, from Mac desktops to Android phones to web browsers, we invite you to submit article proposals on all aspects of OpenGL development, including performance tuning, recent GL features/extensions, application architecture, vendor-specific techniques, WebGL, and interoperability with other APIs. We are interested in proposals based on your unique real-world experience using OpenGL.
Mirada and Chris Milk have teamed up to create an ambitious transmedia interactive music video experience called "3 Dreams of Black" for Danger Mouse and composer Daniele Luppi's Spaghetti Western-inspired concept album ROME featuring Jack White and Norah Jones. "'3 Dreams of Black' has made it clear that WebGL brings a lot of possibilities, but at the same time requires a level of technical knowledge that just a few studios have," said Ricardo Cabello, Lead Data Arts Developer, Google Creative Lab. You can watch a preview on YouTube.
Gregg Tavares discusses WebGL techniques and performance at Google I/O 2011. Whether you are a seasoned pro or a WebGL noob, this fast-paced presentation is worth your time to watch.
WebGL pays strong attention to security - just as any web technology should. With growing recognition of WebGL in the press, we thought we would summarize Khronos' work and stance on this important topic.
- Khronos agrees that security is a vitally important consideration for any web standard. WebGL was architected with security in mind from the ground up.
- All WebGL implementations already necessarily contain safeguards which prevent out-of-range memory accesses during rendering operations and access of uninitialized memory; please see here and here. These safeguards are tested by the WebGL conformance suite.
- Defense against denial of service attacks is still evolving in WebGL implementations. Khronos has specified an extension to OpenGL and OpenGL ES, GL_ARB_robustness, designed to prevent denial of service and out-of-range memory access attacks from WebGL content, preventing any possibility of using WebGL to execute malware on a user's machine.
- GL_ARB_robustness has already been deployed by some GPU vendors and Khronos expects it to be deployed rapidly by others. Browsers can check for the presence of this extension before enabling WebGL content. This is likely to become the deployment mode for WebGL in the near future.
- The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent possible future abuse of this capability.
- The WebGL working group has been working closely with the GPU vendors in the Khronos group to make accelerated WebGL implementations secure and WebGL is influencing GPUs to provide even more flexible security options in the future.
- There are no known WebGL exploits and Khronos will continue to pay close attention to technical and ecosystem opportunities to ensure WebGL is a secure technology that can be used with confidence.
Updated May 16 2011