Chrome 13 tightens up WebGL security
Google has moved to make Chrome 13 more secure by preventing the browser's WebGL implementation from loading textures from other domains. A similar move was made by the Mozilla developers with the recently released Firefox 5. Cross domain textures have been found to allow attackers to use specialised shaders and read information from another web site. The technique is quite expensive to make use of, but an example application already exists to demonstrate the process.
To provide greater security against hackers while allowing the use of other textures from other domains, the developers of Chrome 13 have also implemented W3C CORS (Cross Origin Resource Sharing) support in accordance with the latest WebGL specification. CORS works with the combination of the DOM element
crossOrigin and a CORS-enabled server and allows the application to download images from another server if allowed by the server's policy.
Chrome 13 is currently available in Google's beta channel for the Chrome browser. Google says it is supporting the Enable-cors.org project which seeks to promote the CORS-enabling of sites with public content.