- From: Kenneth Russell <kbr@google.com>
- Date: Tue, 17 May 2011 14:25:04 -0700

Last week, a proof of concept of a previously theoretical timing attack against WebGL was published which allows theft of cross-domain images' content. To address this vulnerability it appears to be necessary to ban the use of cross-domain images and videos in WebGL. Unfortunately, doing so will prevent entire classes of applications from being written, and break a not insignificant percentage of current applications.

We would like to use CORS to solve this problem; if the server grants access to the image or video, WebGL can use it. Initial discussions with image hosting services have been positive, and it seems that CORS support could be enabled fairly quickly. Many such services already support other access control mechanisms such as Flash's crossdomain.xml.

Unfortunately, experimentation indicates that it is not possible to simply send CORS' Origin header with every HTTP GET request for images; some servers do not behave properly when this is done.

We would like to propose adding a new Boolean property, useCORS, to HTMLImageElement and HTMLMediaElement, defaulting to false. If set to true, then HTTP requests sent for these elements will set the Origin header from the page's URL. If the Access-Control-Allow-Origin header in the response grants access, then the content's origin will be treated as the same as the page's.

Perhaps an API could also be added to find out whether the server granted CORS access to the resulting media, though this is less important. (Note that the canvas element does not have an explicit API for querying the origin-clean flag.)

Thoughts on this proposal? We would like to decide on a path quickly so that we can update both specs and implementations.

Thanks,

-Ken

Received on Tuesday, 17 May 2011 14:25:04 UTC
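
The header exchange proposed in the message above, modelled as an added example that is not part of the original e-mail or of any browser's code: it shows when a cross-domain image would be treated as same-origin and therefore usable by WebGL. The function names and sample URLs are hypothetical; only useCORS, Origin and Access-Control-Allow-Origin come from the message, and credentialed requests are not modelled.

```javascript
// Added model of the proposal; function names and sample URLs are hypothetical.
// useCORS, Origin and Access-Control-Allow-Origin are the names used in the message.
const originOf = (url) => new URL(url).origin;

// Request the browser would send for an image or video element.
function buildMediaRequest(pageUrl, mediaUrl, useCORS) {
  const headers = {};
  // Origin is sent only on opt-in, since some servers mishandle it on plain GETs.
  if (useCORS) headers['Origin'] = originOf(pageUrl);
  return { method: 'GET', url: mediaUrl, headers };
}

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// True when the fetched content may be treated as same-origin with the page,
// i.e. WebGL may use it without exposing cross-domain pixels.
function isTreatedAsSameOrigin(pageUrl, request, responseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (originOf(request.url) === pageOrigin) return true; // genuinely same-origin
  if (!('Origin' in request.headers)) return false;      // server was never asked
  const allow = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  // Grant only on the wildcard or an exact match of the page's origin.
  return allow === '*' || allow === pageOrigin;
}

// End-to-end check; serverHeaders stands in for the media host's response.
function webglMayUse(pageUrl, mediaUrl, useCORS, serverHeaders) {
  const request = buildMediaRequest(pageUrl, mediaUrl, useCORS);
  return isTreatedAsSameOrigin(pageUrl, request, serverHeaders);
}

// Constructed sample values.
const PAGE = 'https://app.example/viewer.html';
const IMAGE = 'https://images.example/texture.png';
console.log(webglMayUse(PAGE, IMAGE, false, { 'Access-Control-Allow-Origin': '*' }));
console.log(webglMayUse(PAGE, IMAGE, true, { 'access-control-allow-origin': 'https://app.example' }));
console.log(webglMayUse(PAGE, IMAGE, true, { 'Content-Type': 'image/png' }));
```

With useCORS left at its default of false, the first call is denied even though the server would have granted access, because no Origin header was sent and the response cannot be read as a grant.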