[webkit-dev] Timing attacks on CSS Shaders (was Re:Security problems with CSS shaders)

Adam Barth abarth at webkit.org
Wed Dec 7 19:29:24 PST 2011

On Wed, Dec 7, 2011 at 7:23 PM, Vincent Hardy <vhardy at adobe.com> wrote:
> @chris
>>> So I take back my statement that CSS Shaders are less dangerous than
>>> WebGL. They are more!!!
> It seems to me that the differences are:
> a. It is easier to do the timing portion of a timing attack in WebGL because
> it all happens in a script and the timing is precise. With CSS shaders, the
> timing is pretty coarse.
> b. The content that a CSS shader has access to may be more sensitive than
> the content a WebGL shader has access to because currently, WebGL cannot
> render HTML (but isn't it possible to render an SVG with a foreignObject
> containing HTML into a 2D canvas, and then use that as a texture? In that
> case, wouldn't the risk be the same? Or is the canvas tainted in that case
> and cannot be used as a texture?).

Bear in mind that these security problems have been addressed in
WebGL.  WebGL no longer suffers from these vulnerabilities.

> @charles
>>> Can this proposal be moved forward on CORS +
>>> HTMLMediaElement, HTMLImageElement and HTMLCanvasElement?
> At the last FX meeting, I got an action to sync up with the CORS group and
> discuss how CORS would apply to CSS shaders.

It's very unclear to me how CORS can help in this situation.  Can you
explain what you have in mind?
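The thread refers to the timing attack without spelling out the mechanism, so here is an added simulation of it (this is not code from the thread, from WebKit or from WebGL, and the "GPU", its cycle costs and its jitter are a constructed model). A filter shader runs over content the page is not allowed to read back; if the shader's running time depends on the texel it samples, the page can still learn that texel from how long the frame took. The secret texture, the cost figures, the jitter range and the helper names (`leakyShader`, `constantTimeShader`, `recoverTexture`, `timingGap`) are all assumptions made for the example:

```javascript
// Added simulation of the shader timing side channel under discussion.
// The "GPU" and its timings are a constructed model, not WebKit or WebGL code.

// Constructed secret: eight 1-bit texels standing in for cross-origin content
// (e.g. a rendered word) that the page cannot read through canvas/readPixels.
const SECRET_TEXTURE = [1, 0, 1, 1, 0, 0, 1, 0];

// A shader is modelled as a function texel -> cycles of work. The attacker
// never sees the shader's colour output, only how long the frame took.

// Vulnerable: a data-dependent branch makes light texels far more expensive.
function leakyShader(texel) {
  return texel === 1 ? 500 : 1;
}

// Hardened: identical work whatever the texel holds, so frame time carries
// no information about the sampled content.
function constantTimeShader(texel) {
  return 500;
}

// Small deterministic PRNG (LCG) so the simulated jitter is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// One frame. The attacker positions and scales the shaded element so that
// exactly one texel is sampled (texelIndex plays the role of a uniform), then
// measures the frame, e.g. from requestAnimationFrame timestamps.
// Frame time = fixed overhead + shader cycles + jitter (assumed figures).
const FRAME_OVERHEAD = 1000;
const JITTER_RANGE = 200;
function renderFrame(shader, texture, texelIndex, rng) {
  const jitter = Math.floor(rng() * JITTER_RANGE);
  return FRAME_OVERHEAD + shader(texture[texelIndex]) + jitter;
}

// Mean frame time over several frames, which averages out the jitter.
function sampleTiming(shader, texture, texelIndex, frames, rng) {
  let total = 0;
  for (let f = 0; f < frames; f++) {
    total += renderFrame(shader, texture, texelIndex, rng);
  }
  return total / frames;
}

// Calibration: the attacker times the same shader over texels it controls
// (a same-origin image), giving reference timings for dark and light.
function timingGap(shader, frames = 16, seed = 1) {
  const rng = makeRng(seed);
  const dark = sampleTiming(shader, [0], 0, frames, rng);
  const light = sampleTiming(shader, [1], 0, frames, rng);
  return light - dark;
}

// The attack: calibrate, then classify each secret texel by whether its
// frame time lies closer to the dark or the light reference.
function recoverTexture(shader, texture, frames = 16, seed = 1) {
  const rng = makeRng(seed);
  const dark = sampleTiming(shader, [0], 0, frames, rng);
  const light = sampleTiming(shader, [1], 0, frames, rng);
  const threshold = (dark + light) / 2;
  return texture.map((_, i) =>
    sampleTiming(shader, texture, i, frames, rng) > threshold ? 1 : 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('secret   ', SECRET_TEXTURE.join(''));
  console.log('leaky    ', recoverTexture(leakyShader, SECRET_TEXTURE).join(''),
              'gap', timingGap(leakyShader).toFixed(1));
  console.log('constant ', recoverTexture(constantTimeShader, SECRET_TEXTURE).join(''),
              'gap', timingGap(constantTimeShader).toFixed(1));
}
```

With the data-dependent shader the calibrated gap (about 500 cycles here) dwarfs the jitter, so every texel is recovered; with the constant-time shader the gap collapses into the noise and each classification is a coin flip. Note that in the model the only thing separating the two cases is whether the shader's cost depends on the sampled value, which is exactly why a coarser clock (as in the CSS shaders case) only raises the number of frames the attacker needs, rather than closing the channel; what closes it is denying the shader a data-dependent path over content it may not read.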


More information about the webkit-dev mailing list