Linked by David Adams on Tue 21st Jun 2011 15:36 UTC, submitted by fran
3D News, GL, DirectX
"Mozilla's VP of Technical Strategy, Mike Shaver, has rejected Microsoft's criticism of WebGL in which it said it would not implement the 3D graphics standard because of security issues in the design. Shaver says that "there is no question that the web needs 3D capabilities" to enable developers to create "advanced visualisations, games or new user interfaces" and points at Molehill (Adobe's 3D for Flash) and Microsoft's Silverlight 3D which are offering just those capabilities." One discussion of Microsoft's WebGL criticism can be found here.
Thread beginning with comment 478048
RE: Read for comprehension...
by panzi on Tue 21st Jun 2011 21:39 UTC in reply to "Read for comprehension..."
panzi Member since: 2006-01-22

I don't know anything about WebGL, but shouldn't it be possible to write a code verifier that checks the shader source to see if it possibly makes insecure operations? Yes, this would only allow a subset of what is otherwise legal GLSL, but shouldn't that subset be enough (I don't know; I ask you)? And the browser could do this before it sends it to the graphics card. If Google can do that with NaCl why not Mozilla/Google/Microsoft/... with WebGL?

Reply Parent Score: 3

lucas_maximus Member since: 2009-08-18

From the second article ...

The engineers do suggest that there might be ways to prevent against such attacks (like how a web browser is hardened by sandboxing and DEP systems), but still, "the large attack surface exposed by WebGL remains a concern."


And then this further on ...

Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience


Seems to suggest to me that Microsoft sees potential WebGL security problems similarly to the security problems we have had with 3rd party plugins for browsers such as Flash and Java Runtime Plugin ... well that is the way I read it.

Edited 2011-06-21 22:20 UTC

Reply Parent Score: 2

Tom9729 Member since: 2008-12-09

There's not really such a thing as "insecure operations". There are bugs, which can lead to exploits. If a program could be written that detected bugs, a great many problems in the computing world would be solved. :-)

It would definitely be possible to check indices, etc. I believe one of the Chrome developers discussed this in a blog post on HN.

Reply Parent Score: 2
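
Added example, not part of the thread or of any browser's code: one reading of the "check indices" remark above is the range check a WebGL implementation can run on the CPU before an indexed draw reaches the graphics driver, rejecting any index that would fetch past the end of a bound vertex buffer. All function names, field names and the sample buffers are hypothetical and constructed for illustration.

```javascript
// Added illustration: bounds check for an indexed draw, done before
// anything is handed to the GPU driver. All names are hypothetical.

// Highest index referenced by the draw range [first, first + count),
// or null when the range itself leaves the index buffer.
function maxIndexInRange(indices, first, count) {
  if (first < 0 || count < 0 || first + count > indices.length) {
    return null;
  }
  let max = -1;
  for (let i = first; i < first + count; i++) {
    if (indices[i] > max) max = indices[i];
  }
  return max;
}

// attribs: [{ name, bufferByteLength, byteOffset, stride, elementBytes }]
function validateIndexedDraw(indices, first, count, attribs) {
  const max = maxIndexInRange(indices, first, count);
  if (max === null) return { ok: false, reason: "index range out of bounds" };
  if (max < 0) return { ok: true, reason: "empty draw" };
  for (const a of attribs) {
    // One past the last byte fetched for the highest referenced vertex.
    const end = a.byteOffset + max * a.stride + a.elementBytes;
    if (end > a.bufferByteLength) {
      return { ok: false, reason: `index ${max} reads past end of ${a.name}` };
    }
  }
  return { ok: true, reason: "all fetches in bounds" };
}

// Constructed sample data: 4 vertices of 3 floats (12 bytes each) = 48 bytes.
const positions = {
  name: "position", bufferByteLength: 48,
  byteOffset: 0, stride: 12, elementBytes: 12,
};
const goodIndices = new Uint16Array([0, 1, 2, 2, 1, 3]);
const badIndices = new Uint16Array([0, 1, 2, 2, 1, 4000]);

console.log(validateIndexedDraw(goodIndices, 0, 6, [positions]));
console.log(validateIndexedDraw(badIndices, 0, 6, [positions]));
// The bad index lies outside this sub-range, so the draw is accepted.
console.log(validateIndexedDraw(badIndices, 0, 3, [positions]));
```

The check covers only vertex fetches driven by the index buffer; it says nothing about what a shader does with the data once fetched, which is the part the shader-verifier question above is about.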