[webkit-dev] Security problems with CSS shaders (was Re: Starting implementation on W3C Filter Effects)

Adam Barth abarth at webkit.org
Mon Oct 24 21:08:02 PDT 2011

On Mon, Oct 24, 2011 at 9:02 PM, Dean Jackson <dino at apple.com> wrote:
> On 22/09/2011, at 11:30 AM, Dean Jackson wrote:
>> Dirk (known in these parts as krit) reminded me that I had not emailed webkit-dev about the plans to start an implementation of W3C's new Filter Effects specification.
>> https://dvcs.w3.org/hg/FXTF/raw-file/tip/filters/publish/Filters.html
>> The quick summary is that this exposes the 'filter' property from SVG to everything in CSS, and adds some shorthands for common effects so people don't have to write XML in order to do something like a blur or sepia effect. The spec has received a fair amount of input from the CSS and SVG working groups, and particularly from Apple, Google, Mozilla, Opera and Adobe.
> A followup: we're going to start work on the CSS Shaders proposal [1] soon. Adobe have published their implementation which was specific to Chromium, and we'll be working with them to split it into small patches that can land in the coming weeks. A good introduction to the technology is [2].
> This will be done behind the ENABLE_CSS_FILTERS macro, but also with the guards for ENABLE_WEBGL since the implementation (and security) requirements are so similar.

How have you solved the security problems with CSS Shaders?
Specifically, timing attacks can be used to extract image information
passed to shaders and many things WebKit renders are sensitive and
should not be exposed to the web site (e.g., the color of visited


> [1] https://dvcs.w3.org/hg/FXTF/raw-file/tip/custom/index.html
> [2] www.adobe.com/devnet/html5/articles/css-shaders.html
