Opened 8 years ago

Closed 8 years ago

#3101 closed defect (fixed)

Disable WebGL

Reported by: mikeperry
Owned by: mikeperry
Priority: Very High
Milestone:
Component: TorBrowserButton
Version:
Severity:
Keywords: MikePerryIteration20110529
Cc:
Actual Points: 3
Parent ID:
Points: 3
Reviewer:
Sponsor:

Description (last modified by mikeperry)

WebGL sure seems like it can be used to extract a whole lot of capability info about your video card. Most modern cards should have all the capabilities, so maybe it isn't as bad as it looks, but who knows?

If nothing else, WebGL may be usable to fingerprint rendering performance.

We may need another Panopticlick study to be sure.

Change History (7)

comment:1 Changed 8 years ago by mikeperry

Description: modified (diff)

comment:2 Changed 8 years ago by mikeperry

If we do decide to disable it, we should put it under a "Super Paranoid" slider option from #3100 that isn't on by default. I personally dislike simply breaking web features by default unless we have really really good reason.

comment:3 Changed 8 years ago by mikeperry

Priority: normal → critical

Actually, I'm changing my mind on this. It is easy to disable. Just set webgl.enabled = false.

We should disable it until we can investigate more.

comment:4 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20110529 added
Points: 3

Giving this more points because I should review and enumerate the specific API calls that concern me. I am also going to see if JS hooking is sufficient to make the APIs lie.

comment:6 Changed 8 years ago by mikeperry

Sounds like we want to disable this for now. Probably will save us quite a few headaches wrt vulnerabilities as this whole thing shakes out.

But otherwise, it looks like the main things we'd need to look into:

getParameter(), specifically RENDERER, VENDOR, VERSION, and VIEWPORT.
getSupportedExtensions() and getExtension()
getContextAttributes(), mostly for the display depth.

comment:7 Changed 8 years ago by mikeperry

Actual Points: 3
Resolution: fixed
Status: new → closed
Summary: Consider disabling WebGL? → Disable WebGL
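
The JS hooking idea from comment:4, applied to the calls listed in comment:6, as an added example that is not code from the ticket or from the project. hookWebGL, probe, FakeContext, the two sample devices and the uniform return values are all constructed for illustration; in a browser the object to patch would be WebGLRenderingContext.prototype.

```javascript
// WebGL enum values for the getParameter() queries listed in comment:6.
const GL = { VENDOR: 0x1F00, RENDERER: 0x1F01, VERSION: 0x1F02, VIEWPORT: 0x0BA2 };
// Uniform answers (constructed placeholder values, an assumption of this example).
const UNIFORM = new Map([
  [GL.VENDOR, "Generic"], [GL.RENDERER, "Generic"], [GL.VERSION, "WebGL 1.0"],
  [GL.VIEWPORT, [0, 0, 300, 150]],
]);
const UNIFORM_ATTRS = { alpha: true, depth: true, stencil: false, antialias: false };

// Patch the object that carries the context methods (hypothetical helper) so the
// calls named in the ticket stop varying from one device to the next.
function hookWebGL(proto) {
  const realGetParameter = proto.getParameter;
  proto.getParameter = function (pname) {
    if (!UNIFORM.has(pname)) return realGetParameter.call(this, pname); // not covered
    const v = UNIFORM.get(pname);
    return Array.isArray(v) ? Int32Array.from(v) : v;
  };
  proto.getSupportedExtensions = function () { return []; };
  proto.getExtension = function () { return null; };
  proto.getContextAttributes = function () { return { ...UNIFORM_ATTRS }; };
}

// Everything a script can read through the calls named in the ticket.
function probe(gl) {
  return JSON.stringify({
    params: Object.values(GL).map((p) => {
      const v = gl.getParameter(p);
      return typeof v === "string" ? v : Array.from(v);
    }),
    extensions: gl.getSupportedExtensions(),
    attrs: gl.getContextAttributes(),
  });
}

// Constructed stand-in for a real context so the example runs outside a browser.
class FakeContext {
  constructor(params, exts, attrs) { Object.assign(this, { params, exts, attrs }); }
  getParameter(pname) { return this.params[pname]; }
  getSupportedExtensions() { return this.exts; }
  getExtension(name) { return this.exts.includes(name) ? {} : null; }
  getContextAttributes() { return this.attrs; }
}

// Two constructed devices; 0x0D33 is MAX_TEXTURE_SIZE, which the hook does not cover.
const deviceA = new FakeContext({ [GL.VENDOR]: "VendorA", [GL.RENDERER]: "GPU A", [GL.VERSION]: "WebGL 1.0 (A)",
  [GL.VIEWPORT]: [0, 0, 1920, 1080], 0x0D33: 16384 }, ["OES_texture_float"], { alpha: true, depth: true, stencil: false, antialias: true });
const deviceB = new FakeContext({ [GL.VENDOR]: "VendorB", [GL.RENDERER]: "GPU B", [GL.VERSION]: "WebGL 1.0 (B)",
  [GL.VIEWPORT]: [0, 0, 1280, 800], 0x0D33: 8192 }, [], { alpha: true, depth: true, stencil: false, antialias: false });
```

After hookWebGL(FakeContext.prototype), probe(deviceA) and probe(deviceB) return the same string, but any getParameter() query outside the map (MAX_TEXTURE_SIZE here) still passes through with the device's real value. The rendering-performance concern from the description is not addressed by hooking return values.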