Re: [css-shaders] security - timing attacks

On 20/10/2011, at 2:31 PM, Tab Atkins Jr. wrote:

> This scenario really depends on a pixel shader having
> access to the pixels of cross-domain iframes, though.  If we just
> blanked the element's rectangle before giving it to the shader, that
> attack would be defeated.  The remaining leakage is probably small
> enough to not worry about, you're right.

I think that's the key here. A CSS shader (or even any CSS filter really) should not get any cross-domain iframe content as input.

Dean

Received on Thursday, 20 October 2011 23:07:16 UTC