[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] Proposed change to WebGL spec section 4.2 (Security Origin Restrictions)

I disagree for two reasons:

1. Fine grained origin tracking is much less useful for 2d canvas because:
  a) 2d canvas holds a lot less state than 3d canvas, making it a lot easier and less disruptive to simply draw to a second canvas without the other-origin data.
  b) 2d canvas doesn't have very complex transformations so it is likely that the _javascript_ could just as easily do calculation on the geometry to determine click locations.
  c) 2d canvas already has some support for detecting what object a given pixel is part of.
2. Even if the canvas spec is changed to add support, the rules Gregg listed would still have to be in the WebGL spec just like section 4.2 currently clarifies how the origin-clean flag is affected by WebGL. The implementations and design are completely different and the only similarity is that they do the same basic thing. I don't see how the 2d canvas spec having or not having this functionality would change the WebGL spec with regard to this functionality.

I'm not arguing that it shouldn't be added to the 2d canvas spec, just that they are orthogonal. I think it's far less useful in 2d canvas and will be met with more resistance because of this, but I have no complaint if people want to argue for it. I just don't think it should be ignored in the WebGL spec as something to deal with only after it gets added to the canvas spec.


On Tue, Oct 5, 2010 at 7:38 AM, Gregg Tavares (wrk) <gman@google.com> wrote:

On Tue, Oct 5, 2010 at 12:22 AM, Vladimir Vukicevic <vladimir@mozilla.com> wrote:

----- Original Message -----

> Does CORS like stuff apply to images so a server can declare
> images from it are usable by any domain?

CORS does/can, though I don't know if any browser interprets it correctly that way.  I have no idea what we do in Firefox; we have a generic same-origin checking path for two resources, so it's possible that it might "just work".

I'd really like to get finer-grained same origin control in canvas, but I don't think doing it in webgl/webgl spec is the right place to do it.  You can make the same argument for canvas 2d (e.g. clearing the canvas should result in it being origin clean again, but it doesn't).  So while I'm in favor of the functionality, I don't think we should look at doing anything webgl-specific to get it for now.

Agreed. There wouldn't be anything WebGL specific. The proposal related to CORS is that stuff a server says is okay to use does not mark a canvas as non origin clean and similarly would not taint WebGL textures. Should probably discuss that part on the whatwg list or something.


   - Vlad