WebGL pays close attention to security, just as any web technology should. With growing recognition of WebGL in the press, we thought we would summarize Khronos’ work and stance on this important topic.
- Khronos agrees that security is a vitally important consideration for any web standard. WebGL was architected with security in mind from the ground up.
- All WebGL implementations already necessarily contain safeguards that prevent out-of-range memory accesses during rendering operations and access to uninitialized memory. These safeguards are tested by the WebGL conformance suite.
- Defense against denial of service attacks is still evolving in WebGL implementations. Khronos has specified an extension to OpenGL and OpenGL ES, GL_ARB_robustness, designed to prevent denial of service and out-of-range memory access attacks from WebGL content, preventing any possibility of using WebGL to execute malware on a user’s machine.
- GL_ARB_robustness has already been deployed by some GPU vendors and Khronos expects it to be deployed rapidly by others. Browsers can check for the presence of this extension before enabling WebGL content. This is likely to become the deployment mode for WebGL in the near future.
- The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent possible future abuse of this capability.
- The WebGL working group has been working closely with the GPU vendors in the Khronos Group to make accelerated WebGL implementations secure, and WebGL is influencing GPUs to provide even more flexible security options in the future.
- There are no known WebGL exploits, and Khronos will continue to pay close attention to technical and ecosystem opportunities to ensure WebGL is a secure technology that can be used with confidence.
Updated May 16 2011