
Re: [Public WebGL] Spec update for cross-origin restrictions in WebGL

Nice work, all. I hope that satisfies the image-related security concerns bouncing around the net;


On Thu, Jun 2, 2011 at 3:31 PM, Kenneth Russell <kbr@google.com> wrote:

The editor's draft of the WebGL specification has been updated to
strengthen the restrictions on the use of cross-domain images and
video. These changes were necessary to prevent certain kinds of
security attacks in which the contents of images from other domains
could be extracted.

Thanks to the existence of the CORS specification and quick work by
HTML spec editor Ian Hickson and the WHATWG, WebGL applications
utilizing cross-domain media still have an avenue to continue to do
so. The necessary code changes to such applications are tiny
(generally one line), and image and video hosting services are
beginning to roll out support for the new functionality.

Please review the changes to the following sections of the specification:

http://www.khronos.org/registry/webgl/specs/latest/#4.2 (Origin Restrictions)
(SECURITY_ERR clause added to texImage2D and texSubImage2D)
(addition of raises(DOMException) to certain overloads of texImage2D
and texSubImage2D)



Tony Parisi                             tparisi@gmail.com
CTO at Large                         415.902.8002
Skype                                     auradeluxe
Follow me on Twitter!             http://twitter.com/auradeluxe
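
The "generally one line" application change mentioned in the quoted announcement, sketched as an added example that is not part of either message or of the WebGL specification text. It uses the HTML `crossOrigin` image attribute to request the image with CORS before uploading it as a texture; the function name, the injectable `ImageCtor` parameter and the sample URL are assumptions of this example.

```javascript
// Added example: load a cross-origin image as a WebGL texture under the
// origin restrictions. Assumes the image host answers the CORS request with
// an Access-Control-Allow-Origin header that covers the requesting page.
function loadCrossOriginTexture(gl, url, ImageCtor) {
  // ImageCtor is a hypothetical injection point so the function can be
  // exercised outside a browser; in a page it falls back to the global Image.
  const Img = ImageCtor || Image;
  return new Promise((resolve, reject) => {
    const img = new Img();
    // The one-line change: ask for a CORS-enabled fetch without credentials.
    // It must be set before src, otherwise the fetch starts without CORS.
    img.crossOrigin = "anonymous";
    img.onload = () => {
      const tex = gl.createTexture();
      gl.bindTexture(gl.TEXTURE_2D, tex);
      try {
        // Raises a SECURITY_ERR DOMException if the image is cross-origin
        // and was not approved through CORS.
        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, img);
      } catch (e) {
        gl.deleteTexture(tex); // do not leak the half-initialised texture
        reject(e);
        return;
      }
      resolve(tex);
    };
    // With crossOrigin set, a host that does not grant CORS access makes the
    // load itself fail, so the refusal surfaces here rather than at upload.
    img.onerror = () =>
      reject(new Error("image failed to load or CORS check failed: " + url));
    img.src = url;
  });
}

// Usage in a page (constructed URL):
// loadCrossOriginTexture(gl, "https://images.example/brick.png")
//   .then((tex) => { /* draw with tex */ })
//   .catch((err) => console.error(err));
```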