- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Fri, 9 Dec 2011 15:57:03 -0800
- To: Vincent Hardy <vhardy@adobe.com>
- Cc: Charles Pritchard <chuck@jumis.com>, "public-fx@w3.org" <public-fx@w3.org>
On Fri, Dec 9, 2011 at 3:44 PM, Vincent Hardy <vhardy@adobe.com> wrote: > For the record, here are the points we presented the FX group during the > last face to face: > > - Timing attackes rely on inferring rendered content from the time it takes > to render it > - Timing attacks were demonstrated attack in WebGL > - There are differences between CSS shaders and WebGL (different timing > mechanisms) > - Possible solution: > - CORS > - Mandate that UAs do not give out information on rendered content from > timing (obfuscate the requestAnimationFrame method) > ======== > > We decided to explore CORS at this time, This doesn't make sense. cross-origin content is *one* information leak from shaders. There are many more that Adam Barth has pointed out, such as :visited status, the user's spellchecking dictionary, the user's filesystem structure through the display of <input type=file> in some browsers, etc. These latter have nothing to do with CORS. ~TJ
Received on Friday, 9 December 2011 23:57:51 UTC