
Re: [Public WebGL] CORS and resource provider awareness



At the time the changes were made to the WebGL specification to
disallow access to cross-origin resources for security reasons, the
Picasa team at Google was most helpful in adding support for anonymous
CORS requests for those pictures which are publicly accessible on the
web.

I would encourage you and others to do a persistent writeup of the
issues (on a blog? on the WebGL wiki? If you want to do the latter and
run into any problems, let me know) and directly contact the resource
providers you care about.

One slight gotcha is that due to limitations in browsers' caches, it's
essential that the provider watch for cookie-less requests where the
"Origin:" header is set, and set the header
"Access-Control-Allow-Origin: *" in response. If they set the "Vary:
Origin" response header, then most browsers won't cache the result.
This was discovered during the work with the Picasa team.

Essentially, anonymous CORS requests are all we know how to make work
right now -- but hopefully getting them well supported will still
enable many interesting kinds of WebGL applications. It is *not* safe
for the resource provider just to set the
"Access-Control-Allow-Origin: *" header all the time -- they need to
be aware of the security consequences. Access-controlled resources
must *not* have this header set.

Separately, the WebGL community should collectively pursue the idea of
checking whether shaders obey the timing restrictions being defined by
the CSS shaders specification. If that works, then WebGL applications
would once again be able to safely access cross-domain media.

-Ken
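
The provider-side rule described above, written out as an added JavaScript example (not code from this thread, from Picasa, or from any other provider named here). It assumes request and response headers arrive as a plain object with lower-cased names and that `resource.isPublic` tells whether the object is world-readable; both are assumptions for the example.

```javascript
// Added example, not from the original thread. A browser sends an
// anonymous CORS request for an <img crossorigin="anonymous"> or an
// equivalently loaded video: the "Origin:" header is set and no cookies
// are attached. Assumed input shape: header names lower-cased,
// resource.isPublic = true only for resources anyone may read.
function corsHeadersFor(requestHeaders, resource) {
  const origin = requestHeaders["origin"];
  const credentialed =
    "cookie" in requestHeaders || "authorization" in requestHeaders;
  const headers = {};

  // Wildcard only for anonymous requests on public resources.
  // Access-controlled resources never get the header.
  if (origin !== undefined && !credentialed && resource.isPublic) {
    headers["Access-Control-Allow-Origin"] = "*";
    // No "Vary: Origin" on purpose: the value is a constant "*", so the
    // response is cacheable as-is, and "Vary: Origin" would make most
    // browsers bypass their cache for it.
  }
  return headers;
}

// Check a provider's existing response for the two pitfalls discussed:
// a wildcard on something access-controlled, and "Vary: Origin".
function auditCorsResponse(resource, responseHeaders) {
  const findings = [];
  const acao = responseHeaders["access-control-allow-origin"];
  const vary = (responseHeaders["vary"] || "").toLowerCase();
  if (acao === "*" && !resource.isPublic) {
    findings.push("wildcard ACAO on an access-controlled resource");
  }
  if (vary.split(",").map((v) => v.trim()).includes("origin")) {
    findings.push("Vary: Origin defeats browser caching");
  }
  return findings;
}

// Constructed sample: an anonymous request from a WebGL page for a
// public picture gets the wildcard; the same request for a private one
// gets nothing. (Hypothetical origin, not a real site.)
const sampleAnon = { origin: "https://webgl-app.example" };
corsHeadersFor(sampleAnon, { isPublic: true });   // {"Access-Control-Allow-Origin": "*"}
corsHeadersFor(sampleAnon, { isPublic: false });  // {}
```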


On Tue, Oct 30, 2012 at 10:26 AM, Florian Bösch <pyalot@gmail.com> wrote:
>
> I'm recently hitting a problem a lot that shouldn't exist. This is
> about using cross origin images/videos in WebGL. And I'd like
> everybody to be aware that 1) there are nasty restrictions that
> "evolved" and that 2) most resource providers are oblivious to the
> issue and if perhaps we can raise awareness it would help.
>
> A short and probably inaccurate history of cross origin history:
> 1) canvas and webgl came along, everything was fine, we could get images.
> 2) Somebody decided that presented a security issue and vendors
> implemented canvas/webgl/image tainting, things were fine, most
> legitimate uses wouldn't try to send the image data around.
> 3) CORS came along and everybody rejoiced, finally a way to share
> those resources and mark the ones that are not security sensitive
> 4) Vendors seeing CORS decide that it's now legitimate to drop the old
> tainting model and just flatly prohibit cross origin access to
> resources if the CORS headers are not set.
>
> What's broken? After step #4, most providers of resources are oblivious
> that suddenly resources they intended to be embeddable/sharable are
> now no longer fully accessible to canvas, and not accessible at all to
> WebGL.
>
> How to solve it (not): get rid of CORS and cross origin restrictions.
> No really, I would prefer this, but it's not gonna happen.
> How to solve it (really now): Providers of resources *have* to be
> aware that they have to set cross origin headers now and implement
> CORS. There's no way around it. Please, please do it. It sucks if you
> don't.
>
> Recent example: google static maps
> Other examples: everything everywhere
>
> TL;DR
> Please set CORS headers, you're killing baby seals.
>
> Thanks
>

-----------------------------------------------------------
You are currently subscribed to public_webgl@khronos.org.
To unsubscribe, send an email to majordomo@khronos.org with
the following command in the body of your email:
unsubscribe public_webgl
-----------------------------------------------------------