Last week Microsoft made waves with claims that WebGL was an insecure and dangerous standard that could bring us a whole new level of web-based malware, exposing millions of systems to new threats. I personally found their claims overblown, but Jon Peddie (as usual) has a great balanced writeup on the real story behind Microsoft’s claims, based primarily on a report from Context Security which found two possible problems. One problem is just a classic Denial of Service: exposing the video card to the browser makes it easy for someone to simply hang the card. The more interesting attack, IMO, is this cross-domain glitch:

Context demonstrated that a shader program could implement a loop that could be used to approximately reconstruct an image from another domain—a serious potential security hole. Khronos had previously debated on its open mailing list whether this was a real-world possibility and once the exploit was demonstrated by Context, Khronos worked swiftly with the WHATWG (Web Hypertext Application Technology Working Group) to mandate the CORS spec (Cross Origin Resource Sharing) in both the HTML and WebGL specs to make sure servers have to explicitly allow access to media assets across domains.

So yes, as with any new technology there are a few glitches in the early version that will get ironed out with time and more eyes.

via GraphicSpeak » WebGL: kill it before it grows?.
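
To make the CORS mandate described above concrete, here is an added example (not from the original post, Context, or Khronos) that models how a browser decides whether a cross-domain image may be uploaded as a WebGL texture. The function name, origins and sample cases are hypothetical, and the logic is a simplified model of the browser's check, runnable in Node.js.

```javascript
// Simplified model of the CORS rule WebGL applies to cross-domain images.
// textureUploadDecision and the sample origins below are hypothetical names.
//   crossOriginAttr: null (attribute absent), "anonymous" or "use-credentials"
//   responseHeaders: headers sent by the image server, lower-case keys
function textureUploadDecision(pageOrigin, imageUrl, crossOriginAttr, responseHeaders) {
  const imageOrigin = new URL(imageUrl).origin;
  if (imageOrigin === pageOrigin) {
    return { loads: true, usableAsTexture: true, reason: "same origin" };
  }
  if (crossOriginAttr === null) {
    // Fetched without CORS: the image can be displayed, but it is not
    // origin-clean, so gl.texImage2D() rejects it with a SecurityError.
    return { loads: true, usableAsTexture: false, reason: "no CORS request made" };
  }
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const withCredentials = crossOriginAttr === "use-credentials";
  // The wildcard is not accepted for credentialed requests.
  const originOk = allowOrigin === pageOrigin || (allowOrigin === "*" && !withCredentials);
  const credsOk = !withCredentials ||
    responseHeaders["access-control-allow-credentials"] === "true";
  if (originOk && credsOk) {
    return { loads: true, usableAsTexture: true, reason: "server opted in via CORS" };
  }
  // A failed CORS check makes the image load itself fail (error event).
  return { loads: false, usableAsTexture: false, reason: "CORS check failed" };
}

// Constructed sample cases: a page on one origin, an image on another.
const PAGE = "https://app.example";
const IMG = "https://cdn.example/photo.png";
const cases = [
  ["same-origin image", PAGE + "/logo.png", null, {}],
  ["cross-origin, no attribute", IMG, null, { "access-control-allow-origin": "*" }],
  ["anonymous, server sends *", IMG, "anonymous", { "access-control-allow-origin": "*" }],
  ["anonymous, no CORS header", IMG, "anonymous", {}],
  ["credentials, server sends *", IMG, "use-credentials",
    { "access-control-allow-origin": "*", "access-control-allow-credentials": "true" }],
  ["credentials, exact origin", IMG, "use-credentials",
    { "access-control-allow-origin": PAGE, "access-control-allow-credentials": "true" }],
];
for (const [label, url, attr, headers] of cases) {
  const d = textureUploadDecision(PAGE, url, attr, headers);
  console.log(`${label.padEnd(28)} texture=${d.usableAsTexture}  (${d.reason})`);
}
```

The second case is the one the fix targets: the image still renders in an `<img>` tag, but a shader never gets to sample it unless the serving domain has explicitly opted in.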