Missing site permissions control for webgl
Categories: Core :: Graphics: CanvasWebGL, enhancement, P5
People: Reporter: bugdal, Unassigned
Details: Whiteboard: gfx-noted
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Steps to reproduce:
Disabled webgl because access to gpu/driver is an unacceptable risk/attack surface to offer to random websites.
Actual results:
The few sites that make reasonable use of webgl that I want to use don't work unless I manually switch it on/off every time and risk visiting malicious sites while it's on.
Expected results:
Sites attempting to use webgl should display a permissions prompt requesting access to use it.
Comment 1•7 years ago
Can you please provide some websites that make reasonable use of webgl that you are using?
How exactly do you disable WebGL? Is it by turning "webgl.disabled" pref to "true"?
Thanks.
Comment 2 (Reporter)•7 years ago
I normally keep webgl disabled via webgl.disabled in about:config. I've done this out of both known specific practical considerations (accidentally clicking on shadertoy links on a machine without a gaming video card has hung or crashed my browser before) and theoretical ones, both security (attack surface of the GPU/driver) and privacy (fingerprinting) ones. It's recently been reported that Google uses webgl for fingerprinting, so this was not unfounded.
As for reasonable use, I found I wanted to turn it on to access https://gcode.ws, but multiple times now I've forgotten to turn it back off afterwards. This should not be an issue. Features that increase attack surface and fingerprinting capability, and that are not required for normal web-browsing, should require an explicit per-site opt-in, not be buried as global config options.
Comment 3•7 years ago
This is handled by the NoScript extension:
https://addons.mozilla.org/en-US/firefox/addon/noscript/