WebGL Security: The Backlash

2011-06-24 00:00:00 +0100 by Alex R. Young

Web developers, like all developers, need good 3D support, and — as with Flash and Silverlight — browser implementers will need to be careful and thoughtful about how to expose that functionality securely on all operating systems.

- Mike Shaver

Last week, Microsoft voiced concerns over WebGL on the Microsoft Security Research & Defense blog. Since then, prominent Mozilla and Microsoft employees have joined the discussion. The press tried to make this sound like an exciting backlash from Mozilla, but from what I've read the response was well-tempered.

Avi Bar-Zeev had this to say, in Why Microsoft and Internet Explorer need WebGL (and

Operating systems and security mitigation are what Microsoft is known for. It's our bread and butter. Why would we run away from that challenge with such an alarmist attitude of “shut it off, shut it off, it might hurt me!”


WebGL will be running on my PC and yours, one way or another. Microsoft will need to deal with it.

Elsewhere, Mozilla VP of Engineering Mike Shaver wrote A in which he states:

Microsoft's concern that a technology be able to pass their security review process is reasonable, and similar matters were the subject of a large proportion of the discussions leading to WebGL's standardization; I also suspect that whatever hardening they applied to the low-level D3D API wrapped by Silverlight 3D can be applied to a Microsoft WebGL implementation as well.

However, the Mozilla Security Blog does contain this interesting bug report: WebGL graphics memory

This issue allows attackers to capture screen shots of private or confidential information.

Although deliciously ironic, this is based on further research by James . He wrote the post that was the epicentre for the WebGL security debate: WebGL - A New Dimension for Browser