Jul 7, 2011 13:25 GMT

A few weeks back, there was a lot of fuss over cross-domain images used in WebGL. Until then, the WebGL implementations in all browsers, namely Firefox and Chrome, allowed WebGL apps to load external images for display.

The images could only be displayed and not decoded by WebGL apps, but this restriction could be easily overcome by doing a bit of processing, using shaders, on the image data stored in the GPU's memory.

This way, the original image could be extracted and copied, something that was not intended.

This vulnerability led the Khronos Group, which oversees the WebGL standard, to update the specs to restrict outside images and videos.

Mozilla moved to patch the vulnerability by blocking all images from external domains. Google has now done the same in Chrome 13, which no longer allows WebGL applications to access external resources.

"Chrome 13 (and Firefox 5) will no longer allow cross-domain media as a WebGL texture. The default behavior will be a DOM_SECURITY_ERR," Google's Eric Bidelman wrote.

"However, applications may still utilize images and videos from another domain with the cooperation of the server hosting the media, otherwise known as CORS," he added.

Perhaps part of the reason Google waited so long to make the change is that it wanted to build CORS (Cross-Origin Resource Sharing) support into the browser, to offer developers an alternative for safely loading external images.

Mozilla initially wanted to do the same, but opted to remove support for external resources in Firefox 5 and is now working on enabling CORS support.

Google provides some technical details on how to enable CORS support in your WebGL applications. It's all a bit complicated, but developers won't have a problem implementing a solution.

Granted, CORS, which lets servers specify when, and in what ways, images and other resources can be accessed by scripts from external domains, is more restrictive and won't provide a complete alternative for all existing apps.

What's more, CORS also requires support from providers. Picasa already supports this and Google is working with other services, like Flickr, to enable the technology.
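To make the new rule concrete, here is a simplified model of the decision a browser makes when an image is used as a WebGL texture. It is an added example, not code from Google or from any browser; the function names and the `.example` hosts are constructed, while the CORS header names and the `crossOrigin` attribute values are the standard ones.

```javascript
// Simplified model (runs in Node.js) of whether an <img> may become a WebGL texture.
// In a page, the opt-in is: img.crossOrigin = 'anonymous'; set before img.src.

// CORS check on the media server's response. Any crossOrigin value other than
// 'use-credentials' (including the empty string) is treated as 'anonymous'.
function corsCheckPasses(pageOrigin, mode, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allow = h['access-control-allow-origin'];
  if (mode === 'use-credentials') {
    // Credentialed requests need the exact origin (no wildcard) plus the credentials flag.
    return allow === pageOrigin && h['access-control-allow-credentials'] === 'true';
  }
  return allow === '*' || allow === pageOrigin;
}

// crossOrigin: null when the attribute is absent, else 'anonymous' or 'use-credentials'.
function textureUploadOutcome({ pageUrl, imageUrl, crossOrigin = null, responseHeaders = {} }) {
  const pageOrigin = new URL(pageUrl).origin;
  const imageOrigin = new URL(imageUrl, pageUrl).origin;
  if (imageOrigin === pageOrigin) return 'allowed';   // same origin: always usable
  if (crossOrigin === null) return 'security-error';  // image displays, texture upload throws
  return corsCheckPasses(pageOrigin, crossOrigin, responseHeaders)
    ? 'allowed'                                       // media server opted in
    : 'load-error';                                   // CORS fetch fails, image never loads
}

// Constructed sample cases.
const page = 'https://app.example/viewer.html';
const cases = [
  { name: 'same-origin asset', imageUrl: '/tex/wall.png' },
  { name: 'cross-domain, no opt-in', imageUrl: 'https://photos.example/a.jpg' },
  { name: 'anonymous + wildcard', imageUrl: 'https://photos.example/a.jpg',
    crossOrigin: 'anonymous', responseHeaders: { 'Access-Control-Allow-Origin': '*' } },
  { name: 'anonymous, server silent', imageUrl: 'https://photos.example/a.jpg',
    crossOrigin: 'anonymous' },
  { name: 'credentials + wildcard', imageUrl: 'https://photos.example/a.jpg',
    crossOrigin: 'use-credentials',
    responseHeaders: { 'Access-Control-Allow-Origin': '*',
                       'Access-Control-Allow-Credentials': 'true' } },
];
for (const c of cases) {
  console.log(c.name.padEnd(26), textureUploadOutcome({ pageUrl: page, ...c }));
}
```

The second case is the default behavior described in the quote above: the image still displays, but uploading it as a texture raises the security error.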