WEBGL_security_sensitive_resources
WebGL working group (public_webgl 'at' khronos.org)
Max Vujovic (mvujovic 'at' adobe.com)
Members of the WebGL working group
Last modified date: May 14, 2019
Revision: 3
WebGL extension #23
Written against the WebGL API 1.0 specification.
Written against the EXT_frag_depth specification.
Written against the WEBGL_draw_buffers specification.
Written against the WEBGL_shared_resources specification.
In the WebGL API 1.0 specification, section 4.2 Origin Restrictions restricts the following sources for texture upload:
Document that contains the WebGLRenderingContext's canvas element.This extension allows these sources for texture uploads, with some restrictions regarding their uploading and use.
Motivation:
This extension enables the processing of cross-origin resources in WebGL. Additionally, it defines a foundation of concepts that can be used in future extensions to process other types of security sensitive content, including arbitrary HTML content.
For an example of security sensitive content, consider the rendering of an HTML link. The color of the link can indicate its visited or unvisited state. Third parties must not be able to access or infer this information.
Specifically, third parties must not be able read the pixel data of security sensitive content through WebGL or other APIs. Additionally, third parties must not be able to divulge or approximate the pixel data of security sensitive content by timing WebGL operations.
Prior to this extension, WebGL restricted the upload of security sensitive content as a texture for graphical processing. This extension enables the uploading and processing of security sensitive content, with some restrictions. Note that this extension imposes no restrictions on the processing of regular, non-security sensitive content.
To secure a user's privacy, a WebGL implementation must not leak information about the contents of security sensitive textures through the execution time of its commands. To achieve this, no part of the underlying graphics pipeline may vary in execution time based on the contents of a security sensitive texture. For example, primitive assembly and depth testing must not vary based on the contents of a security sensitive texture.
The vertex shading and fragment shading stages of the graphics pipeline require particular restrictions to keep their execution time independent of the contents of security sensitive textures. Specifically, the contents of a security sensitive texture must only appear in constant-time GLSL operations. A constant-time GLSL operation is an operation whose execution time does not vary based on the values of its operands. This extension will describe how a WebGL implementation can enforce this requirement.
Additionally, this extension attempts to identify non-constant-time GLSL operations. All other GLSL operations are assumed to be constant time in both the WebGL implementation and the underlying GPU implementation. If this assumption is false on a particular implementation, then this extension must be disabled for that implementation. In the future, GPU vendors may be able to provide a mechanism to guarantee that the assumed GLSL operations are in fact constant-time.
This extension relies on the definition of several constructs in GLSL. These constructs are determined statically, after preprocessing.
S is a regular sampler if an expression dependent on S appears in one or more of the following constructs:
if statement condition?) condition&&)||)coord, bias, or lod argument in a texture lookup function callgl_Positiongl_FragDepthOtherwise, S is a secure sampler.
An expression is dependent on the sampler S if:
S as the sampler argument.S.S.A variable is dependent on the sampler S if:
S. (e.g. If a = b and b is dependent on sampler S, then a is dependent on sampler S.)a[b] = c and b is dependent on the sampler S, then a is dependent on sampler S.)S.When this extension is enabled:
WebGLRenderingContext's canvas's origin-clean flag is set to false if the context is created with a WebGLContextAttributes dictionary with securitySensitiveDrawingBuffer set to true.
[Exposed=(Window,Worker), LegacyNoInterfaceObject]
interface WEBGL_security_sensitive_resources {
WebGLFramebuffer? createSecuritySensitiveFramebuffer();
WebGLTexture? createSecuritySensitiveTexture();
};
dictionary WebGLContextAttributes {
GLboolean securitySensitiveDrawingBuffer = false;
};
createFramebuffer, except framebuffers created with this function are referred to as security sensitive framebuffers. Framebuffers created with createFramebuffer are referred to as regular framebuffers.createTexture, except textures created with this function are known as security sensitive textures. Textures created with createTexture are known as regular textures.In summary, an author cannot:
readPixels,The error INVALID_OPERATION is generated in the following situations:
drawArrays or drawElements is called and a security sensitive texture is bound to a regular sampler.drawArrays or drawElements is called and:
gl_FragColor or gl_FragData[i] is dependent on the secure sampler,the output variable writes to either:
securitySensitiveDrawingBuffer set to false in the WebGLContextAttributes dictionary used to create the context.copyTexImage2D or copyTexSubImage2D is called and:
securitySensitiveDrawingBuffer was set to true in the WebGLContextAttributes dictionary used to create the context.copyTexImage2D or copyTexSubImage2D is called and:
readPixels is called and:
securitySensitiveDrawingBuffer was set to true in the WebGLContextAttributes dictionary used to create the context.readPixels is called and a security sensitive renderbuffer is selected as the source.framebufferRenderbuffer is called and:
attachment is DEPTH_ATTACHMENT, STENCIL_ATTACHMENT, or DEPTH_STENCIL_ATTACHMENT,renderbuffer is a security sensitive renderbuffer.acquireSharedResource is called and:
resource is a security sensitive texture or a security sensitive renderbuffer,createSecuritySensitive* to the API consumer?Revision 1, 2013/09/13
Revision 2, 2014/07/15
Revision 3, 2019/05/14