Microsoft Rejects WebGL for Security Reasons
Microsoft cites two reports analyzing security flaws in WebGL as the main reason for not endorsing a 3D graphic standard actively supported by Google, Mozilla, Opera, and Apple.
The HTML5 Canvas element allows developers to program graphics using different rendering engines, one of them being WebGL, a specification for hardware-accelerated 3D rendering on top of OpenGL drivers managed by Khronos Groups and currently implemented by Google Chrome, Mozilla Firefox, Opera, and the nightly Safari builds. WebGL 1.0 was announced in February 2011, but Chrome has been supporting it for more than a year.
The only major browser maker that is not using WebGL is Microsoft. Although one can use Google’s ANGLE, which translates WebGL API calls to their DirectX equivalents, that is not a native solution, and it would be more appropriate if WebGL would be natively supported by Windows, but it is not and Microsoft says they will not endorse WebGL as it is now due to security vulnerabilities.
Microsoft’s claims on WebGL’s security flaws are based on two reports made by Context Information Security: WebGL – A New Dimension for Browser Exploitation and WebGL – More WebGL Security Flaws. The reports explain some of the security issues found in WebGL, such as vulnerability to DoS attacks, Cross-Domain Image Theft and a bug in Firefox’s implementation that allows an attacker to steal user’s data
Khronos has reacted to Context’s first report, informing that they suggest using the GL_ARB_robustness extension which “has already been deployed by some GPU vendors and Khronos expects it to be deployed rapidly by others,” as a solution to DoS attacks. Regarding Cross-Domain Image Theft, they said:
The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent possible future abuse of this capability.
Context does not consider Khronos’ GL_ARB_robustness solution as appropriate because it involves resetting the GPU when a DoS attack is discovered. Context agrees with Khronos’ solution for image theft, recommending “the use of a mechanism to manage cross-domain images for example the requirement of CORS within WebGL.”. They also mentioned working with Mozilla to fix discovered vulnerabilities in Firefox, which was very receptive and they also contacted Google. As a final conclusion, Context recommends users to disable WebGL and hardware manufacturers to stop supporting it.
Following Context’s reports, Microsoft enlisted their main concerns with WebGL, deciding not to support WebGL “in its current form”, expression which leaves the door open for the future in case they change their mind:
- “Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive“
- “Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience”
- “Problematic system DoS scenarios"
It is relevant to mention that Microsoft invested heavily in DirectX, the first version appearing in 1995, so it is quite likely they will continue to support it.
In the meantime, Apple recently announced that iOS 5 will get 3D rendering via WebGL, but it will be limited to iAd developers, according to Chris Marrin. It is expected they will extend WebGL support, making it a public API in iOS, given their historical approach to introduce new technologies in steps.
When everyone else starts making WebGL sites they will be forced to accept it, the same way they had to with HTML 5.
Caitie McCaffrey Apr 24, 2015