Comments for JP Rosevear http://blog.jprosevear.org jpr blog Sat, 18 Jun 2011 11:18:17 +0000 hourly 1 http://wordpress.com/ Comment on WebGL & Security by WebGL considered harmful | Scali's blog http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-235 Sat, 18 Jun 2011 11:18:17 +0000 http://blog.jprosevear.org/?p=250#comment-235 [...] but they are not the only ones who say it. Other analysts also say the same thing, Khronos and Mozilla are aware of security issues as well (and working on them), and even OpenGL-advocate of the first [...]

]]> Comment on Open Meetings With Vidyo by mrz http://blog.jprosevear.org/2011/06/10/open-meetings-with-vidyo/#comment-232 Fri, 10 Jun 2011 21:59:42 +0000 http://blog.jprosevear.org/?p=270#comment-232 Linux support comes with the 2.1 release which is supposed to be out within a week.

]]> Comment on WebGL & Security by Benoit Jacob http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-197 Sun, 15 May 2011 00:10:11 +0000 http://blog.jprosevear.org/?p=250#comment-197 To put Context’s affirmation into some perspective, here is the list of top 300 crashers in Firefox 4:
https://crash-stats.mozilla.com/topcrasher/byversion/Firefox/4.0.1

As you can see, WebGL doesn’t even show up on this list. I’m not sure how much further down the crashers list one would have to look to start seeing a lot of WebGL crashes.

Of course the DOS problem with WebGL is not only about process crashes, but you get the picture: disabling WebGL is not, in general, going to significantly improve user experience. YMMV.

]]> Comment on WebGL & Security by Benoit Jacob http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-196 Sun, 15 May 2011 00:04:44 +0000 http://blog.jprosevear.org/?p=250#comment-196 The difference between a whitelist and a blacklist is a little abstract given that we have rather complex logic here. It’s very OS-specific, but for example on Windows we have a whitelist of vendors (with only ATI/AMD, NVIDIA and Intel on it at the moment) and then we have a blacklist of combinations of driver versions, devices and requested features. Details are given on this wiki page:
https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers

]]> Comment on WebGL & Security by fsync http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-193 Sat, 14 May 2011 12:26:02 +0000 http://blog.jprosevear.org/?p=250#comment-193 How does it work to have both a blacklist and a whitelist? I’m guessing this refers to what is known about drivers (known good, known bad, or not sure) rather than a policy implemented in code to decide whether to allow features to execute with certain drivers.

]]> Comment on WebGL & Security by foo http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-190 Sat, 14 May 2011 07:19:26 +0000 http://blog.jprosevear.org/?p=250#comment-190 I for one will be disabling WebGL just like I’ve disabled web fonts.

]]> Comment on WebGL & Security by Benoit Jacob http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-189 Sat, 14 May 2011 03:42:41 +0000 http://blog.jprosevear.org/?p=250#comment-189 Yuri: on Mac, Apple controls the whole graphics stack including the drivers. It’s up to them to implement ARB_robustness; I believe that is not yet implemented. Regarding the freezes on Mac in certain heavy WebGL demos, I’m aware of the problem but I don’t have much advice at the moment, sorry. If the issue gets really bad, we might end up making ARB_robustness a requirement for WebGL.

]]> Comment on WebGL & Security by Yuri Leven http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-188 Fri, 13 May 2011 23:22:10 +0000 http://blog.jprosevear.org/?p=250#comment-188 Thanks Benoit.

My Mac is about two years old. I ran the link from Engadget and Chrome froze. I didnt want to do the test in Firefox. I posted a message to Apple support and have not gotten a response.

So I think I have the graphics problem. What do you recommend? I am going to the genius bar tomorrow to ask their advice.

]]> Comment on WebGL & Security by Benoit Jacob http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-177 Fri, 13 May 2011 18:41:08 +0000 http://blog.jprosevear.org/?p=250#comment-177 Np237: We do use GLX on Linux. However the WebGL implementation only uses it during initialization to create a OpenGL context. GLX isn’t exposed to input from content, besides the WebGL context creation options (which is… less than 1 byte of data!). So I don’t see a risk here. In the long term, it’s very possible that EGL replaces GLX.

]]> Comment on WebGL & Security by Benoit Jacob http://blog.jprosevear.org/2011/05/13/webgl-security/#comment-175 Fri, 13 May 2011 17:58:13 +0000 http://blog.jprosevear.org/?p=250#comment-175 Yuri: As far as I know, ARB_robustness is more a driver feature than a hardware GPU feature. I’m not sure about the percentage, but recent versions of NVIDIA and ATI OpenGL drivers have it, I think. Not sure about Intel. You can check that using any OpenGL info utility, see if the “GL extensions string” contains ARB_robustness.

You don’t have to do anything to be decently safe. It’s our job to ensure that Firefox with the default settings is a safe browser. We’re working on any real issues (especially the cross-domain image issue) as hard as we can, but they’re not looking severe enough at this point in the real world to require an immediate update.

]]>