Re: [Public WebGL] Extension proposal: WEBGL_security_sensitive_resources
While I like the idea of being able to use a rendered html element as a texture; I'm not completely sure I understand the extension's intent or the lock-down and security issues that would be involved.
As I understand it, it deals with direct resources (image, video) and suggests composite resources (html)
There are five classes of direct resource:
- Own domain resources - no issue
- Cross-domain images or video - can already be used with the appropriate http headers; and this works well, otherwise there would be a big problem trying to use a cdn for anything.
- Local resources - can also be used if the user uploads or dragdrops, or via getUserMedia for cameras.
- Domain accessible resources without cors headers; which are accessible by your domain, either public or with auth, so don't present a restricted-resource security risk - can be proxied either same-domain or with cors headers attached.
- Restricted resources - can only be accessed with appropriate authentication; note if these resources have the appropriate cors headers, and the domain they are used on is valid by the headers, they are type 2; if your domain has access to them (server-side) they are type 4.
So for direct resources it would only be type 5 (when it's not 2 or 4) that this extension would be the only workaround for?
For composite resources; html based, there are three main categories:
- Texture resources - as above, but with the inclusion of object, iframe etc
- Personal - like whether a link has been visited
- Category 2: Could work within the cross-domain framework and the origin-clean flag; but you probably shouldn't be taking images of a user's LOB flash, silverlight, or an iframe with their PayPal or bank statement.
- Category 3: should never be exposed outside the appropriate security context (e.g. a browser extension/plugin explicitly for managing your history etc)
I'd very much welcome an html render to texture or use html element as texture source; but think it could be done with looser security restrictions; and caveats for example:
:visited always rendered as :link; if they do not evaluate to the same style there may be a performance impact as any pre-rendered html for display cannot be re-used. Optimising for whether :visited links are in view may allow timing attacks.
Equally I'm not sure I understand the use-cases for allowing relaxed security on type 5 resources (where they are not 2 or 4)?
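The "type 2" case above (a cross-domain image or video that is usable because of its CORS headers) can be checked mechanically. The following is an added example, not code from the post or from the WebGL working group: a small helper that applies the same header rules a browser uses for `crossOrigin="anonymous"` and `crossOrigin="use-credentials"` fetches, plus the page-side loader pattern. The origin, header sets and function names are constructed for illustration.

```javascript
// Decide whether a cross-origin image/video response would be usable as a
// non-tainted WebGL texture, i.e. whether it falls into the poster's "type 2"
// class. The checks mirror the browser's CORS rules: an anonymous request
// accepts "*" or an exact origin match; a credentialed request needs an exact
// origin match plus Access-Control-Allow-Credentials: true ("*" is rejected).
function corsAllowsTextureUse(requestOrigin, headers, withCredentials) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false; // no CORS grant: the image is tainted

  if (withCredentials) {
    return acao === requestOrigin &&
           h["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === requestOrigin;
}

// Page-side pattern (browser only; not exercised here): crossOrigin must be
// set before src so the fetch is made in CORS mode. If the response fails the
// rules above, the image is not origin-clean and gl.texImage2D throws a
// SecurityError instead of uploading it.
function loadTextureImage(url, useCredentials) {
  const img = new Image();
  img.crossOrigin = useCredentials ? "use-credentials" : "anonymous";
  img.src = url;
  return img;
}

// Constructed sample responses as seen by a page served from SAMPLE_ORIGIN.
const SAMPLE_ORIGIN = "https://app.example";
const SAMPLE_RESPONSES = {
  publicCdn:  { "Access-Control-Allow-Origin": "*" },
  scopedCdn:  { "Access-Control-Allow-Origin": "https://app.example",
                "Access-Control-Allow-Credentials": "true" },
  noCorsHost: { "Content-Type": "image/png" },
};
```

A "type 4" resource is the same check applied after your own server has proxied it: the proxy response is either same-origin or carries the headers that make this function return true.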