Chrome 13 Stops Using Cross-domain Images in WebGL, Adopts CORS

In May this year, US-CERT and Context raised a flag over WebGL security, followed by Microsoft announcing that it was abandoning WebGL. As a result, the WebGL specification was updated to be more restrictive about using cross-domain images and videos as WebGL textures.

The Chromium team today announced that "Chrome 13 and Firefox 5 will no longer allow cross-domain media as a WebGL texture." "The default behavior will be a DOM_SECURITY_ERR. However, applications may still utilize images and videos from another domain with the cooperation of the server hosting the media, otherwise known as CORS," noted the Chromium team.

"Unfortunately, this new restriction in WebGL means that some existing content will break. We've already started working with external image and video hosting services like Flickr to evangelize the use of CORS on their images," stated the Chromium team.

"CORS support for MediaElements has also been fully implemented in WebKit by setting a new .crossOrigin attribute. This means that sophisticated apps that were using cross-origin textures before can continue to do so, assuming the hosting image server grants the necessary cross-origin permission using CORS," explained the Chromium team.

"Another nice property that we gain from this new setting is the ability to read cross-domain image data set on a 2D canvas. Normally, filling a canvas with a remote image (e.g. ctx.drawImage()) flips the origin-clean flag to false. Attempting to read back the pixels using ctx.toDataURL() or ctx.getImageData() throws a SECURITY_ERR. This is to prevent information leakage. However, when .crossOrigin is set (and the remote server supports CORS), the read is possible."
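The following is an added example, not code from the Chromium blog post or from the WebKit implementation. It shows the two halves of the rule quoted above: a small function that models when a cross-origin image may be used as a texture or read back from a canvas (same origin, or a CORS request via `.crossOrigin` plus a matching `Access-Control-Allow-Origin` header from the hosting server), and the browser-side code that requests the image that way and treats the SECURITY_ERR on read-back as an expected failure rather than a crash. The URL, the `'use-credentials'` handling (a standard CORS rule the post does not mention) and the function names are assumptions of this example.

```javascript
// Added example: CORS-gated use of a cross-origin image as a texture / canvas source.
// Not part of the original article; names, URLs and the credentials rule are assumptions.

// Model of the policy described in the post. A cross-origin image keeps the canvas
// (or WebGL texture) origin-clean only when the <img> was fetched with the
// crossOrigin attribute set AND the server's Access-Control-Allow-Origin header
// covers the page's origin. Standard CORS additionally forbids the "*" wildcard
// when credentials are sent (crossOrigin = "use-credentials").
function textureReadAllowed(pageOrigin, imageUrl, crossOriginAttr, allowOriginHeader) {
  const imageOrigin = new URL(imageUrl).origin;
  if (imageOrigin === pageOrigin) return true;                // same origin: always clean
  if (crossOriginAttr === undefined || crossOriginAttr === null) return false; // plain fetch: tainted
  if (allowOriginHeader === undefined || allowOriginHeader === null) return false; // server refused CORS
  if (allowOriginHeader === '*') return crossOriginAttr !== 'use-credentials';
  return allowOriginHeader === pageOrigin;
}

// Browser side: request the image with CORS. The attribute must be set BEFORE
// src, otherwise the browser issues a normal (tainting) fetch.
function loadCorsImage(url) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.crossOrigin = 'anonymous';
    img.onload = () => resolve(img);
    // A missing Access-Control-Allow-Origin header surfaces here as a load error.
    img.onerror = () => reject(new Error('image failed to load (no CORS permission?)'));
    img.src = url;
  });
}

// Draw the image and read the pixels back. Returns null instead of throwing when the
// canvas is tainted, which is what the SECURITY_ERR mentioned in the post becomes.
function readPixelsOrNull(canvas, img) {
  const ctx = canvas.getContext('2d');
  ctx.drawImage(img, 0, 0);
  try {
    return ctx.getImageData(0, 0, canvas.width, canvas.height);
  } catch (e) {
    if (e.name === 'SecurityError') return null; // origin-clean flag was false
    throw e;
  }
}

// WebGL side: uploading a tainted image as a texture fails the same way.
function uploadTextureOrNull(gl, img) {
  const tex = gl.createTexture();
  gl.bindTexture(gl.TEXTURE_2D, tex);
  try {
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, img);
    return tex;
  } catch (e) {
    if (e.name === 'SecurityError') { gl.deleteTexture(tex); return null; }
    throw e;
  }
}

// Usage in a page (guarded so the policy model above can also be exercised outside a browser).
if (typeof document !== 'undefined') {
  const canvas = document.createElement('canvas');
  loadCorsImage('https://images.example/photo.jpg') // placeholder URL
    .then((img) => {
      canvas.width = img.width;
      canvas.height = img.height;
      const pixels = readPixelsOrNull(canvas, img);
      console.log(pixels ? 'canvas is origin-clean, pixels readable' : 'canvas tainted');
    })
    .catch((err) => console.log(err.message));
}
```

The policy function is the part worth keeping in a test suite: it makes explicit that setting `.crossOrigin` alone does nothing without the server's header, and that the header alone does nothing without the attribute, which is the pair of conditions the post describes.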

You can test this new behavior today using images from Picasa, which already sends a CORS header allowing cross-origin requests, and the Chrome dev channel.

[Source: Chromium Blog]