[webkit-dev] Security problems with CSS shaders (was Re: Starting implementation on W3C Filter Effects)

Dean Jackson dino at apple.com
Mon Oct 24 21:38:52 PDT 2011

On 24/10/2011, at 9:08 PM, Adam Barth wrote:

> How have you solved the security problems with CSS Shaders?
> Specifically, timing attacks can be used to extract image information
> passed to shaders and many things WebKit renders are sensitive and
> should not be exposed to the web site (e.g., the color of visited
> links).

This is a good question and I know that I don't have the answers (and can't even claim to understand all the implications).

I think the most important restriction is that shaders should not apply cross-origin, e.g. iframes and probably anything with <img> children from another domain (unless it is marked as OK via CORS).

The possibility of leaking information such as visited links, or maybe reconstructing text which could be fed to OCR, is more difficult. Is this really specific to CSS Shaders? SVG filters would theoretically be able to do the same thing. In fact, given enough knowledge of WebKit rendering one could imagine tweaking the style of an element in a way that causes a measurable rendering slowdown.

I'd like to know what the actual threat of such timing attacks is. I've seen claims of a maximum theoretical leak rate (in bits/s) but then counterclaims that since, in this case, it would be hard to distinguish the difference in slowdown between CSS shaders and general page rendering, the real rate is much lower. And, at least in the case of Safari, you can't always be sure that getting a rAF callback means you're about to draw.

Does anyone have hard data on this?
