14 DAY TRIAL // Mozilla has decided to disable the ability to use cross-domain textures in WebGL in the next iteration of Firefox because of concerns expressed by security researchers.
Back in May, researchers from Context Information Security disclosed several security issues they've uncovered in the WebGL technology.
One of the problems facilitated the cross-domain theft of images, for which the experts even provided a proof of concept.
"Based on this limited research Context does not believe WebGL is really ready for mass usage, therefore Context recommends that users and corporate IT managers consider disabling WebGL in their web browsers," the security firm said at the time.
While the Khronos Group has been working on solving some of the issues in future versions of the specification, nothing definitive has been released until now.
"The WebGL spec has been updated to disallow using cross-domain images as WebGL textures, and Mozilla’s implementation in Firefox 5 has been updated accordingly," Mozilla explains.
This means cross-domain images can't be used as textures in WebGL with Firefox 5. Webmasters that rely on this functionality need to move the resources on the same domain.
Meanwhile, work continues on implementing Cross-Origin Resource Sharing (CORS) for WebGL, which will allow servers to specify rules for images that can be accessed by scripts from external domains.
"CORS support for WebGL is a high priority for us and will be implemented very soon," Mozilla says. A non-normative section has already been added to the specification in this respect.
While the browser maker initially intended to wait for CORS availability in WebGL before disabling cross-domain textures, it has since decided that fixing the security issue immediately is better for users.
This decision also stems from the fact that even after CORS is implemented, it will take time until online content providers start adopting it so it can make any significant impact.