Coffeehouse Thread

48 posts

Microsoft -- Why no WebGL?

Back to Forum: Coffeehouse
  • User profile image
    IDWMaster

    , evildictaitor wrote

    Or this one, which still crashes my NVidia graphics drivers (part of which run in ring0, and hence Chrome's sandbox it just window dressing).

    https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/extra/lots-of-polys-example.html

    Whoa! That certainly shows a problem with BOTH Google Chrome's and NVidia's implementations!  It's really annoying that a website can cause a computer to freeze like that. Google Chrome should work with NVIdia to fix that bug! However, the vulnerability isn't indicative of a flaw in WebGL or OpenGL itself, but instead indicates a crucial vulnerability in the implementation of the specification. 

    , evildictaitor wrote

    *snip*

    It also needs you to put your identity into the webpage for it to steal it. A ring-zero exploit in WebGL needs no such user-interaction. It can just install a driver and steal all of your keystrokes and files directly to the russian hackers that installed it.

    WebGL can easily be disabled from a command line option passed into most WebGL compliant browsers. Also; who says that WebGL HAS to run whenever a page requests it? Couldn't browsers make it so the user is required to OK the use of WebGL before it runs on the system? There's nothing that says that a browser can't do this.

  • User profile image
    IDWMaster

    Another thing I would like to point out is that if Microsoft completely kills the desktop, users will then be stuck with Internet Explorer as the only browser, and will not be able to choose any other browser (Metro doesn't support runtime compilation of code, so there will be no way to make a reasonably performant browser for it).

  • User profile image
    blowdart

    , IDWMaster wrote

    Another thing I would like to point out is that if Microsoft completely kills the desktop, users will then be stuck with Internet Explorer as the only browser, and will not be able to choose any other browser (Metro doesn't support runtime compilation of code, so there will be no way to make a reasonably performant browser for it).

    Umm how does that conclusion work, especially as Firefox is building a Metro browser

     

  • User profile image
    Larry Osterman

    This was asked and answered 6 months ago on the SRD blog:

    webgl considered harmful

     

    The key point of the blog post: Silverlight and your web browser were hardened against attacks because they were designed to run in a hostile environment.  The graphics driver for your display adapter wasn't.

  • User profile image
    Larry Osterman

    , IDWMaster wrote

    WebGL can easily be disabled from a command line option passed into most WebGL compliant browsers. Also; who says that WebGL HAS to run whenever a page requests it? Couldn't browsers make it so the user is required to OK the use of WebGL before it runs on the system? There's nothing that says that a browser can't do this.

    A prompt doesn't help - the prompt would be "Do you want to see the 3d dancing bunnies?"  And there is only one reasonable answer to that prompt: Yes.  Because the user ALWAYS wants to see the dancing bunnies.

  • User profile image
    Larry Osterman

    , Bass wrote

    @PaoloM:

    If you want to pop off on me about that, go right ahead. I don't care. The fact is WebGL is advertised as a web standard, and that's what I am going to call it.

     

    I personally like the IETF definitions. There are two kinds of standards: Informational ones and standards track ones.  The informational standards are invariably proprietary protocols where the owner of the protocol wants to document the protocol.  The standards track protocols are created by doing the work of gaining consensus on the design and implementation of a protocol.  

    Do the WebGL folks allow people to contribute to their standard?

  • User profile image
    magicalclick

    I much prefer to install separate ActiveX controls to play 3D games on the browser, like many 3D web games on the market. When the game crashed my PC, at least I know it is the game at fault, not because the browser failed to display 3D rendering on a web page. I would contact the game dev instead of the browser dev.

    And a dedicated ActiveX 3D game engine is actually way more safer than WebGL. Normally a 3D game engine would only take harmless data such as texture and mesh. Not something that you feed into WebGL that could potentially freeze your PC.

    Again, if you want to use WebGL, use other browsers. And when it crashed your PC while rendering a 3D looking advertisement, remember to use IE9 or use command prompt to disable WebGL.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
    Last modified
  • User profile image
    AndyC

    , IDWMaster wrote

    *snip*

    Whoa! That certainly shows a problem with BOTH Google Chrome's and NVidia's implementations!  It's really annoying that a website can cause a computer to freeze like that. Google Chrome should work with NVIdia to fix that bug! However, the vulnerability isn't indicative of a flaw in WebGL or OpenGL itself, but instead indicates a crucial vulnerability in the implementation of the specification. 

    The implementation is correct according to the WebGL spec. The "fix" is that graphics card manufacturers have to identify the situation when data is passed to the OpenGL layer and reset the graphics card if it's going to lock up.

    And that is a long way from being the worst example, browser independent data-theft has been demonstrated on numerous occasions simply because the spec almost entirely ignores the possibility that it might be misused and the onus for any issue just gets the "oh, well OpenGL drivers will have to be fixed to stop that" response. Quite how that's supposed to help any implementation not running on OpenGL seems lost on them.

    *snip*

    WebGL can easily be disabled from a command line option passed into most WebGL compliant browsers. Also; who says that WebGL HAS to run whenever a page requests it? Couldn't browsers make it so the user is required to OK the use of WebGL before it runs on the system? There's nothing that says that a browser can't do this.

    Imagine, just for one second, what your browsing experience would be like if that becomes the answer to difficult questions:

    This page uses image tags - Allow/Deny
    This page uses video tags - Allow/Deny
    This page uses downloadable fonts - Allow/Deny
    This page uses bold text - Allow/Deny
    This page uses Javascript that modifies the page - Allow/Deny
    This page uses Javascript that contacts a server - Allow/Deny

    ....

    some time later and several hundred prompts later, you finally get to see the page. Alas it didn't have the information you want so now you're going to have to repeat the whole process to look at another page. And that's leaving aside the issue Larry mentions, that users don't care what the prompt says they just click through to get to the thing they wanted to see in the first place, whilst cursing the browser for being stupid.

  • User profile image
    evildictait​or

    , IDWMaster wrote

    It's really annoying that a website can cause a computer to freeze like that.

    That's not your computer freezing. That's your graphics card driver crashing. It's also not a bug in WebGL. It's a bug in your drivers. WebGL as Bass keeps reminding us is well written. NVidia and Intel drivers as I keep reminding him are not.

    That particular bug is a DoS, so it can't be used to steal data from your machine, but other bugs are not a denial of service and will allow a malicious website to take control of your system - and it comes completely free with a jump out of the browser's sandbox, because the crash isn't in your browser. It's in your graphics driver.

  • User profile image
    Bass

    , Larry Osterman wrote

    *snip*

    I personally like the IETF definitions. There are two kinds of standards: Informational ones and standards track ones.  The informational standards are invariably proprietary protocols where the owner of the protocol wants to document the protocol.  The standards track protocols are created by doing the work of gaining consensus on the design and implementation of a protocol.  

    Do the WebGL folks allow people to contribute to their standard?

    Larry,


    This is not a small unknown consortium.

    This is just a few of the companies that drive the Khronos Group:

    Apple, Google, ARM, Epic Games, Freescale, Imagination Graphics, Intel, Nokia, Oracle, Sony, Ericsson, Nvidia, AMD, Samsung, Qualcomm, Texas Instruments, Adobe, Mozilla, NEC, Opera, Toshiba, Accenture, Creative Labs, Electronic Arts, Fujitsu, HTC, IBM, Motorola, Panasonic, Broadcom, Yamaha.

    The Khronos Group is the defacto standards body for computer graphics, just like the IETF is for the Internet.

    Conspicuously missing from Khronos membership is Microsoft of course. But it's basically everyone minus Microsoft. So my question would be why is Microsoft not interested in working with the rest of the technology industry in advancing the state of computer graphics?

  • User profile image
    magicalclick

    @Bass:

    Well, MS could easily join the group and still contribute nothing. Tongue Out They should have done that to avoid debates.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
    Last modified
  • User profile image
    Craig_​Matthews

    I just wish everyone would stop trying to shove everything into a fracking web browser. I already have an operating system installed. I don't need another one on top of it where my "apps" run.

    This is beyond ridiculous, to the point where now one can click "Add bookmark to web browser start page" and declare themselves an "app developer" because they created a bookmark to yahoo.com and have a nice big icon for it when their browser starts, and clicking on the bookmark opens it full screen. "ooohh..an app"

    I certainly don't need web pages setting bits in ring 0 code. WTF I swear the entire Internet has gone stupid. Well, I guess that goes without saying.

Comments closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.