In Firefox 5, it is no longer possible to use cross-domain elements as the source for WebGL textures. We made this change in response to security concerns around the possibility of cross domain information leakage. Unfortunately, that means that some WebGL-using pages are no longer working. We are working with the WebGL WG on a solution to allow such pages to resume working as soon as possible — read on for details.
The security rules about cross-domain images
A cross-domain image is an image coming from a different domain than the canvas. A basic rule of Web security is that scripts must not be able to read pixel data from cross-domain images — they can only “blindly” display them. In more concrete terms, imagine that you currently have a session open on your bank’s website, allowing you to download scanned copies of cheques you’ve written. You don’t want scripts loaded in other tabs, from other websites, to be able to read your scanned cheques! Similarly, when you draw a cross-domain image onto a 2D canvas, using drawImage(), the canvas becomes “tainted” so that it’s no longer possible for scripts to read its pixels. This prevents a loophole whereby a canvas would be used as a proxy to read cross-domain images.
The problem with cross-domain images as WebGL textures
When a cross-domain image was used as a WebGL texture, the WebGL canvas was “tainted” so that reading from it was no longer possible. Theoretically, that eliminated the concern. But a while ago, a researcher wrote to the public WebGL list with a possible attack that could still allow reading pixels from WebGL textures. The idea was to paint the texture one pixel at a time with a WebGL fragment shader crafted to take an amount of time proportional to the pixel’s brightness, and then time how long each draw takes: that would conceivably allow an attacker to reconstruct an approximation of the original image. Initially this attack seemed difficult to execute in practice, but since then further research, including a proof of concept, has been published which shows the attack to be more realistic than initially expected.
The response
The WebGL spec has been updated to disallow using cross-domain images as WebGL textures, and Mozilla’s implementation in Firefox 5 has been updated accordingly. A non-normative section has also been added allowing cross-domain images that have CORS approval. Using CORS in this case is a way for servers to explicitly say when an image is OK to be read by cross-domain scripts. CORS support for WebGL is a high priority for us and will be implemented very soon.
A wiki page explains some more details. Affected scripts will generate a DOM_SECURITY_ERR exception and, just before that, a JS warning explaining what happened and linking to that wiki page.
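As an added example (not code from the original post or from Mozilla), here is a texture loader that follows the rule described above: same-origin images upload directly, cross-domain images are requested with CORS so the server can opt in, and the refusal of a non-approved cross-domain image is reported explicitly. It assumes a browser that implements the CORS allowance the updated spec describes (the post notes Firefox 5 does not yet) and an image server that sends an Access-Control-Allow-Origin header matching the page.

```javascript
// Added example, not from the original post. Assumes a browser with the CORS
// path for WebGL textures and a server sending Access-Control-Allow-Origin.

// True when the image would be a "cross-domain" source for a canvas on pageUrl.
// Same-origin means identical scheme, host and port, which is what URL.origin compares.
function isCrossOrigin(imageUrl, pageUrl) {
  const image = new URL(imageUrl, pageUrl); // resolve relative paths against the page
  const page = new URL(pageUrl);
  return image.origin !== page.origin;
}

// Recognise the exception texImage2D throws for a cross-domain image without CORS
// approval: newer engines name it SecurityError, older ones expose code 18
// (DOM_SECURITY_ERR, as mentioned in the post).
function isSecurityError(err) {
  return Boolean(err) && (err.name === 'SecurityError' || err.code === 18);
}

// Load `url` and upload it into a new 2D texture on `gl`. Resolves with the
// texture, or rejects with a descriptive error when the browser blocks the upload.
function loadTexture(gl, url, pageUrl = location.href) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    // The CORS request flag must be set before `src` is assigned; otherwise the
    // fetch is an ordinary load and the decoded image stays tainted.
    if (isCrossOrigin(url, pageUrl)) img.crossOrigin = 'anonymous';
    img.onerror = () => reject(new Error(`image load failed (CORS refused or missing): ${url}`));
    img.onload = () => {
      const tex = gl.createTexture();
      gl.bindTexture(gl.TEXTURE_2D, tex);
      try {
        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, img);
      } catch (err) {
        gl.deleteTexture(tex);
        if (isSecurityError(err)) {
          return reject(new Error(`cross-domain image without CORS approval refused as texture: ${url}`));
        }
        return reject(err);
      }
      // LINEAR works for any image size; mipmapped filters would need power-of-two dimensions.
      gl.texParameteri(gl.TEXTURE_2D, gl.TEXTURE_MIN_FILTER, gl.LINEAR);
      resolve(tex);
    };
    img.src = url;
  });
}
```

Usage: `loadTexture(gl, 'https://cdn.example.net/photo.png').then(tex => { /* bind and draw */ }).catch(console.error)` from a page whose WebGL context is `gl`.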