[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] Proposed change to WebGL spec section 4.2 (Security Origin Restrictions)




----- Original Message -----

> > Because we have to. Origin restrictions are not something we can elide
> > just because we think they are not "necessary". Security is of prime
> > importance to many people. The news that your browser didn't respect
> > origin restrictions would cause some companies to block the use of your
> > browser on their site. This is a fact we have to live with.
> 
> I entirely agree...but we just have to realize that we're not ever going
> to make it 100% safe-by-design.

Sure we can -- if we need to, we can specify that all textures and input used by a webgl context have to be explicitly be same-origin or allow access via CORS, otherwise you can't use the resource at all.  I don't want to relax origin restrictions in the webgl spec, but we may need to -tighten- them for security reasons.  People have made really good arguments as to why we may need to do so.

    - Vlad
-----------------------------------------------------------
You are currently subscribed to public_webgl@khronos.org.
To unsubscribe, send an email to majordomo@khronos.org with
the following command in the body of your email: