W3C home > Mailing lists > Public > www-style@w3.org > October 2011

Re: [css-shaders] security - timing attacks

From: Dean Jackson <dino@apple.com>
Date: Thu, 20 Oct 2011 16:06:47 -0700
Cc: Chris Marrin <cmarrin@apple.com>, "Gregg Tavares (wrk)" <gman@google.com>, www-style list <www-style@w3.org>
Message-id: <7F7AF3AD-6701-4EBD-88C6-D1F2D709070A@apple.com>
To: "Tab Atkins Jr." <jackalmage@gmail.com>

On 20/10/2011, at 2:31 PM, Tab Atkins Jr. wrote:

> This scenario really depends on a pixel shader having
> access to the pixels of cross-domain iframes, though.  If we just
> blanked the element's rectangle before giving it to the shader, that
> attack would be defeated.  The remaining leakage is probably small
> enough to not worry about, you're right.

I think that's the key here. A CSS shader (or even any CSS filter really) should not get any cross-domain iframe content as input.

Dean
Received on Thursday, 20 October 2011 23:07:16 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:45 GMT