Mozilla disables Firefox 5 WebGL's cross domain textures - update 2
Mozilla is disabling cross domain textures in Firefox 5's WebGL implementation after a researcher demonstrated an ability to abuse the capability. A report released in May by Context Information Security on WebGL security included a proof of concept which used cross domain textures as to reconstruct a displayed image without directly accessing the image. The Khronos Group, home to the WebGL standard, responded to the issue saying that it was considering requiring opt-in to Cross Origin Resource Sharing (CORS) or some other mechanism to prevent possible abuse.
But in advance of any decision being
taken ratified by the Khronos Group, Mozilla has decided to completely turn off cross domain texture support in the forthcoming Firefox 5. A documentation note explains what has been changed and suggests that if code was relying on cross domain textures, the textures should be moved to the same domain. A Mozilla spokesperson confirmed the change to The H saying "In response to security concerns, we have disabled the cross-domain use of textures in WebGL. We are working with other vendors on a CORS-based solution that will re-enable the use of cross domain textures, which we will implement in a future Firefox release".
Update - The Khronos Group have incorporated origin restrictions for textures in the latest editors draft of the WebGL specifications. This draft is, as it states itself, a work in progress.
Update 2 - Mozilla have now posted a detailed explanation of the issue and why they chose to disable the cross domain textures. On future support for CORS, Mozilla say "CORS support for WebGL is a high priority for us and will be implemented very soon".