W3C home > Mailing lists > Public > public-fx@w3.org > April to June 2012

Re: Update on CSS shaders security issue

From: Vincent Hardy <vhardy@adobe.com>
Date: Fri, 20 Apr 2012 07:16:59 -0700
To: Benoit Jacob <jacob.benoit.1@gmail.com>, David Sheets <kosmo.zb@gmail.com>, "rocallahan@gmail.com" <rocallahan@gmail.com>
CC: "public-fx@w3.org" <public-fx@w3.org>
Message-ID: <CBB6BDA3.3F370%vhardy@adobe.com>
Hi Benoit, Robert,

Thanks for your review and positive feedback.

I'll work with the other editors to update the spec. to reflect the proposal in the draft.


From: Benoit Jacob <jacob.benoit.1@gmail.com<mailto:jacob.benoit.1@gmail.com>>
Date: Fri, 20 Apr 2012 05:41:11 -0700
To: David Sheets <kosmo.zb@gmail.com<mailto:kosmo.zb@gmail.com>>
Cc: Adobe Systems <vhardy@adobe.com<mailto:vhardy@adobe.com>>, "public-fx@w3.org<mailto:public-fx@w3.org>" <public-fx@w3.org<mailto:public-fx@w3.org>>
Subject: Re: Update on CSS shaders security issue

Thanks Vincent for the very nicely written wiki page. I can't see any
security flaw in the solution you've arrived at.

2012/4/20 David Sheets <kosmo.zb@gmail.com<mailto:kosmo.zb@gmail.com>>:
On Wed, Apr 18, 2012 at 10:54 PM, Vincent Hardy <vhardy@adobe.com<mailto:vhardy@adobe.com>> wrote:

Since the original proposal on CSS shaders, there have been discussions on
this list and some related discussion on the WebGL mailing list at Khronos.

What is the URL of the discussion on the WebGL mailing list at Khronos?

This was on the private '3dweb' mailing list.


In short, we discussed whether restrictions on the shading language
could be sufficient to make the use of cross-origin images safe in
WebGL and in CSS Shaders, and we agreed that that was unfortunately
not the case because even basic arithmetic operations (like
multiplication) can take much longer depending on input values (for
example on Intel CPUs operations on NaN values can be hundreds of
times slower than on finite values).

But all the important conclusions for CSS Shaders are in Vincent's
public wiki page.

Following the most recent findings in efforts to make CSS shaders secure, I
have updated the page that summarizes the proposed security measure that
looks the most reasonable. The other measures that were considered are also
documented and a summary of why there did not fully meet the needs is also

The short description of the proposal is that it removes access to the
rendered content from the shaders. This is not an issue for vertex shaders
(at least for a wide set of use cases). For fragment shaders, the result
produced by the shader will be combined with the rendered content, but this
combination step is not controlled by the shader, it is controlled by the

For example, a vertex shader that produces a flapping flag effect will not
be affected by the restriction because it does not need access to the
texture. A fragment shader that computes a lighting effect will compute a
light map that the implementation will then multiply with the original
texture. Here again, the shader does not access the rendered texture.

I believe that this is a good approach and while it reduces some of the
functionally, it also addresses the new security concerns CSS shaders

Please see the detailed description of the approach and examples of how a
technology like ANGLE could be used for an efficient implementation:


Kind regards,
Vincent Hardy
Received on Friday, 20 April 2012 14:17:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 22 June 2015 03:33:47 UTC