Microsoft -- Why no WebGL?

4 hours ago, evildictaitor wrote

Or this one, which still crashes my NVidia graphics drivers (part of which run in ring0, and hence Chrome's sandbox it just window dressing).

https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/lots-of-polys-example.html

Whoa! That certainly shows a problem with BOTH Google Chrome's and NVidia's implementations!  It's really annoying that a website can cause a computer to freeze like that. Google Chrome should work with NVIdia to fix that bug! However, the vulnerability isn't indicative of a flaw in WebGL or OpenGL itself, but instead indicates a crucial vulnerability in the implementation of the specification. 

3 hours ago, evildictaitor wrote

*snip*

It also needs you to put your identity into the webpage for it to steal it. A ring-zero exploit in WebGL needs no such user-interaction. It can just install a driver and steal all of your keystrokes and files directly to the russian hackers that installed it.

WebGL can easily be disabled from a command line option passed into most WebGL compliant browsers. Also; who says that WebGL HAS to run whenever a page requests it? Couldn't browsers make it so the user is required to OK the use of WebGL before it runs on the system? There's nothing that says that a browser can't do this.

Another thing I would like to point out is that if Microsoft completely kills the desktop, users will then be stuck with Internet Explorer as the only browser, and will not be able to choose any other browser (Metro doesn't support runtime compilation of code, so there will be no way to make a reasonably performant browser for it).

I much prefer to install separate ActiveX controls to play 3D games on the browser, like many 3D web games on the market. When the game crashed my PC, at least I know it is the game at fault, not because the browser failed to display 3D rendering on a web page. I would contact the game dev instead of the browser dev.

And a dedicated ActiveX 3D game engine is actually way more safer than WebGL. Normally a 3D game engine would only take harmless data such as texture and mesh. Not something that you feed into WebGL that could potentially freeze your PC.

Again, if you want to use WebGL, use other browsers. And when it crashed your PC while rendering a 3D looking advertisement, remember to use IE9 or use command prompt to disable WebGL.

6 hours ago, IDWMaster wrote

*snip*

Whoa! That certainly shows a problem with BOTH Google Chrome's and NVidia's implementations!  It's really annoying that a website can cause a computer to freeze like that. Google Chrome should work with NVIdia to fix that bug! However, the vulnerability isn't indicative of a flaw in WebGL or OpenGL itself, but instead indicates a crucial vulnerability in the implementation of the specification. 

The implementation is correct according to the WebGL spec. The "fix" is that graphics card manufacturers have to identify the situation when data is passed to the OpenGL layer and reset the graphics card if it's going to lock up.

And that is a long way from being the worst example, browser independent data-theft has been demonstrated on numerous occasions simply because the spec almost entirely ignores the possibility that it might be misused and the onus for any issue just gets the "oh, well OpenGL drivers will have to be fixed to stop that" response. Quite how that's supposed to help any implementation not running on OpenGL seems lost on them.

*snip*

WebGL can easily be disabled from a command line option passed into most WebGL compliant browsers. Also; who says that WebGL HAS to run whenever a page requests it? Couldn't browsers make it so the user is required to OK the use of WebGL before it runs on the system? There's nothing that says that a browser can't do this.

Imagine, just for one second, what your browsing experience would be like if that becomes the answer to difficult questions:

This page uses image tags - Allow/Deny
This page uses video tags - Allow/Deny
This page uses downloadable fonts - Allow/Deny
This page uses bold text - Allow/Deny
This page uses Javascript that modifies the page - Allow/Deny
This page uses Javascript that contacts a server - Allow/Deny

....

some time later and several hundred prompts later, you finally get to see the page. Alas it didn't have the information you want so now you're going to have to repeat the whole process to look at another page. And that's leaving aside the issue Larry mentions, that users don't care what the prompt says they just click through to get to the thing they wanted to see in the first place, whilst cursing the browser for being stupid.

10 hours ago, IDWMaster wrote

It's really annoying that a website can cause a computer to freeze like that.

That's not your computer freezing. That's your graphics card driver crashing. It's also not a bug in WebGL. It's a bug in your drivers. WebGL as Bass keeps reminding us is well written. NVidia and Intel drivers as I keep reminding him are not.

That particular bug is a DoS, so it can't be used to steal data from your machine, but other bugs are not a denial of service and will allow a malicious website to take control of your system - and it comes completely free with a jump out of the browser's sandbox, because the crash isn't in your browser. It's in your graphics driver.

16 hours ago, Larry Osterman wrote

*snip*

I personally like the IETF definitions. There are two kinds of standards: Informational ones and standards track ones.  The informational standards are invariably proprietary protocols where the owner of the protocol wants to document the protocol.  The standards track protocols are created by doing the work of gaining consensus on the design and implementation of a protocol.  

Do the WebGL folks allow people to contribute to their standard?

Larry,

This is not a small unknown consortium.

This is just a few of the companies that drive the Khronos Group:

Apple, Google, ARM, Epic Games, Freescale, Imagination Graphics, Intel, Nokia, Oracle, Sony, Ericsson, Nvidia, AMD, Samsung, Qualcomm, Texas Instruments, Adobe, Mozilla, NEC, Opera, Toshiba, Accenture, Creative Labs, Electronic Arts, Fujitsu, HTC, IBM, Motorola, Panasonic, Broadcom, Yamaha.

The Khronos Group is the defacto standards body for computer graphics, just like the IETF is for the Internet.

Conspicuously missing from Khronos membership is Microsoft of course. But it's basically everyone minus Microsoft. So my question would be why is Microsoft not interested in working with the rest of the technology industry in advancing the state of computer graphics?

@Bass:

Well, MS could easily join the group and still contribute nothing. They should have done that to avoid debates.

I just wish everyone would stop trying to shove everything into a fracking web browser. I already have an operating system installed. I don't need another one on top of it where my "apps" run.

This is beyond ridiculous, to the point where now one can click "Add bookmark to web browser start page" and declare themselves an "app developer" because they created a bookmark to yahoo.com and have a nice big icon for it when their browser starts, and clicking on the bookmark opens it full screen. "ooohh..an app"

I certainly don't need web pages setting bits in ring 0 code. WTF I swear the entire Internet has gone stupid. Well, I guess that goes without saying.