W3C home > Mailing lists > Public > public-fx@w3.org > April to June 2012

Re: Update on CSS shaders security issue

From: David Sheets <kosmo.zb@gmail.com>
Date: Thu, 19 Apr 2012 21:16:37 -0700
Message-ID: <CAAWM5Tz+GN6BTuXPEiW6fyyaXfVvsggz8HtON0tEbbfNPPW0nA@mail.gmail.com>
To: Vincent Hardy <vhardy@adobe.com>
Cc: "public-fx@w3.org" <public-fx@w3.org>
On Wed, Apr 18, 2012 at 10:54 PM, Vincent Hardy <vhardy@adobe.com> wrote:
> Hello,
>
> Since the original proposal on CSS shaders, there have been discussions on
> this list and some related discussion on the WebGL mailing list at Khronos.

What is the URL of the discussion on the WebGL mailing list at Khronos?

> Following the most recent findings in efforts to make CSS shaders secure, I
> have updated the page that summarizes the proposed security measure that
> looks the most reasonable. The other measures that were considered are also
> documented and a summary of why there did not fully meet the needs is also
> provided.
>
> The short description of the proposal is that it removes access to the
> rendered content from the shaders. This is not an issue for vertex shaders
> (at least for a wide set of use cases). For fragment shaders, the result
> produced by the shader will be combined with the rendered content, but this
> combination step is not controlled by the shader, it is controlled by the
> implementation.
>
> For example, a vertex shader that produces a flapping flag effect will not
> be affected by the restriction because it does not need access to the
> texture. A fragment shader that computes a lighting effect will compute a
> light map that the implementation will then multiply with the original
> texture. Here again, the shader does not access the rendered texture.
>
> I believe that this is a good approach and while it reduces some of the
> functionally, it also addresses the new security concerns CSS shaders
> raised.
>
> Please see the detailed description of the approach and examples of how a
> technology like ANGLE could be used for an efficient implementation:
>
> http://www.w3.org/Graphics/fx/wiki/CSS_Shaders_Security
>
> Kind regards,
> Vincent Hardy
Received on Friday, 20 April 2012 11:03:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 20 April 2012 11:03:48 GMT