Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Trac Trac
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Service Desk
    • Milestones
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
  • Wiki
    • Wiki
  • Activity
  • Create a new issue
  • Issue Boards
Collapse sidebar
  • Legacy
  • TracTrac
  • Issues
  • #6370
Closed
Open
Issue created Jul 10, 2012 by Mike Perry@mikeperry

Enable WebGL (as click-to-play only)

In #3323 (closed), we reviewed WebGL for API-based fingerprinting issues. The conclusion is that if we set webgl.min_capability_mode and webgl.disable-extensions, our primary API-level fingerprinting concerns are addressed.

Additionally, #6253 (closed) lists another related fingerprinting defense to rendering vectors (#6041 (closed)), but so long as WebGL remains click-to-play, I think #6253 (closed) is not a blocker to enabling WebGL in a click-to-play limited sense.

However, I am still terrified by the vulnerability surface represented by WebGL on the graphics driver end. Because much of that code lives in kernel or at least at UID 0 priv level, it will prove very difficult to actually properly sandbox.. Worse, many drivers are very likely not network-hardened or designed to handle untrusted input. See also: http://www.contextis.com/resources/blog/webgl/

Hence, I think WebGL will probably have to remain a second-class click-to-play tech for the foreseeable future, even if "enabled".

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking