WebGL

WebGL
Original author(s) Mozilla Foundation
Developer(s) WebGL Working Group
Stable release 1.0 / March 3, 2011; 11 months ago (2011-03-03)[1]
Operating system Cross-platform
Type API
Website www.khronos.org/webgl
HTML

WebGL (Web-based Graphics Library) is a software library that extends the capability of the JavaScript programming language to allow it to generate interactive 3D graphics within any compatible web browser. WebGL code executes on a computer display card's Graphics Processing Unit (GPU), which must support shader rendering.

WebGL is a context of the canvas HTML element that provides a 3D computer graphics API without the use of plug-ins.[2] The specification was released as version 1.0 on March 3, 2011.[1] WebGL is managed by the non-profit Khronos Group.

Contents

Design

WebGL is based on OpenGL ES 2.0 and provides an API for 3D graphics.[3] It uses the HTML5 canvas element and is accessed using Document Object Model interfaces. Automatic memory management is provided as part of the JavaScript language.[2]

Implementation

Desktop Browsers

Mobile Browsers

Development

WebGL is managed by the non-profit technology consortium Khronos Group. The WebGL working group includes Apple, Google, Mozilla, and Opera.[2] The chair of the working group is Ken Russell.

History

WebGL grew out of the Canvas 3D experiments started by Vladimir Vukićević at Mozilla. Vukićević first demonstrated a Canvas 3D prototype in 2006. By the end of 2007, both Mozilla[12] and Opera[13] had made their own separate implementations.

In early 2009 Mozilla and Khronos started the WebGL Working Group.[14] Version 1.0 of the WebGL specification was released March 2011.[1] WebGL was postulated to have critical security vulnerabilities in May 2011, which would allow denial of service and cross scripting attacks.[15]

Notable early applications include Google Body.[16][17]

Security

In May 2011, security firm Context Information Security published a report that elaborated on a number of security issues present in current Google Chrome and Mozilla Firefox WebGL implementations and inherent to the WebGL specification. According to the report, WebGL fundamentally allows Turing-complete programs originating from the Internet to reach kernel-mode graphics drivers and graphics hardware. The report also provided references to example exploits of the security issues capable of causing denial of service and cross-domain image theft. The report concluded that "browsers that enable WebGL by default put their users at risk to these issues."[15]

Later, based on this report, the United States Computer Emergency Readiness Team (US-CERT) issued a warning that "WebGL contains multiple significant security issues. The impact of these issues includes arbitrary code execution, denial of service, and cross-domain attacks." US-CERT also encouraged "users and administrators to review the Context report and disable WebGL to help mitigate the risks."[18]

The Khronos Group, an API design consortium which includes Mozilla and Google, responded to the concern by suggesting possible solutions and a future development approach.[19] After reviewing the Context report, Mozilla decided to disable support for cross-domain images in Firefox; meanwhile, the Khronos Group has been updating the WebGL specification to enhance protection against denial-of-service and cross-origin resource sharing attacks.[20] At this time, the proposed solutions are still in development, and not ubiquitously deployed by GPU vendors.[21]

Context was not satisfied with the Khronos Group's approach of incrementally fixing WebGL and described the method as not addressing the design flaw.[22] In a follow-up report, Context provided more demonstrations of security vulnerabilities in the latest WebGL implementations on multiple platforms. Symptoms ranged from system crashing to screenshot leaking. They continued to question whether WebGL "was specified, designed and implemented with security in mind".[20]

In June 2011, Microsoft announced that they could not endorse WebGL in its current form from a security perspective. Analysis performed by its MSRC Engineering team concluded that WebGL support in Microsoft products would have difficulty in meeting the requirements of the Security Development Lifecycle, the software security standards internally enforced in Microsoft. Specifically, Microsoft cited overly permissive exposure of hardware functionality, heavy reliance on third parties to secure web experience, and unproven denial-of-service protection capabilities as their key concerns.[23]

Apple has indicated that they will not open WebGL to general Internet pages in iOS 5. WebGL will only be available through iAds which needs to go through approval for each implementation by Apple.[24]

Notable independent graphic and security experts have weighed in reinforcing that WebGL is a severe security risk and will be hard to secure, including John Carmack[25] and Dan Kaminsky.[26]

Mozilla's vice president of technical strategy Mark Shaver rejected Microsoft's criticism. In a blog post, he wrote that Mozilla was working to address issues in the WebGL specification and Firefox's implementation. He emphasized that the web needs 3D capabilities and claimed that security issues are a natural part of a new technology. He commended Microsoft's work on the Direct3D API used in Silverlight 5, which he considered robust, but added that the same technology could be carried over to a Microsoft implementation of WebGL.[27]

Developer libraries

There are several libraries for WebGL development. The WebGLU library was the first to be made publicly available.[28] Other libraries incorporating WebGL include GLGE, C3DL, Copperlicht, SpiderGL, PhiloGL, gwt-g3d – G3D (WebGL wrapper) for GWT (Google Web Toolkit), SceneJS, X3DOM, Oak3D, Processing.js, Three.js, Turbulenz, OSGJS, XB PointStream and CubicVR.js.

ANGLE (Almost Native Graphics Layer Engine) is an ongoing open source project released under the BSD license that allows translating WebGL content OpenGL ES 2.0 API calls to DirectX 9 API calls on Microsoft Windows platforms without the need for separate OpenGL drivers. In November 2011 ANGLE has reached an important milestone: it now passes the rigorous OpenGL ES 2.0 test suite and has been certified as a compliant GL ES 2.0 implementation.[29]

Content creation

A way for artists to create WebGL scenes without programming is to use a content creation tool such as Blender or Autodesk Maya. The scenes are then exported to WebGL. This was first possible with Inka3D, a WebGL export plugin for Maya.

Sample renderings

See also

References

  1. ^ a b c "Khronos Releases Final WebGL 1.0 Specification". http://www.khronos.org/news/press/releases/khronos-releases-final-webgl-1.0-specification. Retrieved 3 March 2011. 
  2. ^ a b c "WebGL - OpenGL ES 2.0 for the Web". Khronos.org. http://www.khronos.org/webgl/. Retrieved 2011-05-14. 
  3. ^ "WebGL Specification". Khronos.org. http://www.khronos.org/registry/webgl/specs/latest/. Retrieved 2011-05-14. 
  4. ^ http://www.mozilla.com/en-US/firefox/4.0/releasenotes/
  5. ^ http://www.fiercecio.com/techwatch/story/google-releases-chrome-9-comes-google-instant-webgl/2011-02-08
  6. ^ http://fairerplatform.com/2011/05/new-in-os-x-lion-safari-5-1-brings-webgl-do-not-track-and-more/
  7. ^ http://my.opera.com/desktopteam/blog/2011/10/13/introducing-opera-12-alpha
  8. ^ suihkulokki (2010-06-07). "WebGL on N900". Suihkulokki.blogspot.com. http://suihkulokki.blogspot.com/2010/06/webgl-on-n900.html. Retrieved 2011-05-14. 
  9. ^ Halevy, Ronen. "PlayBook OS 2.0 Developer Beta Includes WebGL, Flash 11, & AIR 3.0". BerryReview. http://www.berryreview.com/2011/10/18/playbook-os-2-0-developer-beta-includes-webgl-flash-11-air-3-0/. Retrieved 15 November 2011. 
  10. ^ iclkevin (2011-11-12). "WebGL on Mobile Devices". iChemLabs. http://www.ichemlabs.com/1375. Retrieved 2011-11-25. 
  11. ^ "Xperia™ phones first to support WebGL™— Developer World". blogs.sonyericsson.com. The Sony Ericsson Developer Program. November 29, 2011. http://blogs.sonyericsson.com/wp/2011/11/29/xperia-phones-first-to-support-webgl/. Retrieved December 5, 2011. 
  12. ^ "Canvas 3D: GL power, web-style". Blog.vlad1.com. http://blog.vlad1.com/2007/11/26/canvas-3d-gl-power-web-style/. Retrieved 2011-05-14. 
  13. ^ "Taking the canvas to another dimension". My.opera.com. 2007-11-26. http://my.opera.com/timjoh/blog/2007/11/13/taking-the-canvas-to-another-dimension. Retrieved 2011-05-14. 
  14. ^ "Khronos Details WebGL Initiative to Bring Hardware-Accelerated 3D Graphics to the Internet". Khronos.org. 2009-08-04. http://www.khronos.org/news/press/releases/khronos-webgl-initiative-hardware-accelerated-3d-graphics-internet. Retrieved 2011-05-14. 
  15. ^ a b Forshaw, James (2011-05-08). "WebGL - A New Dimension for Browser Exploitation". Context Information Security. http://www.contextis.com/resources/blog/webgl/. Retrieved 2011-05-11. 
  16. ^ "Google Body - Google Labs". Bodybrowser.googlelabs.com. http://bodybrowser.googlelabs.com. Retrieved 2011-05-14. 
  17. ^ Bhanoo, Sindya N. (2010-12-23). "New From Google: The Body Browser". Well.blogs.nytimes.com. http://well.blogs.nytimes.com/2010/12/23/new-from-google-the-body-browser/. Retrieved 2011-05-14. 
  18. ^ "WebGL Security Risks". US-CERT. 2011-05-10. http://www.us-cert.gov/current/archive/2011/05/10/archive.html#web_users_warned_to_turn. Retrieved 2011-05-11. 
  19. ^ "WebGL - Security". Khronos Group. 2011-06-17. http://www.khronos.org/webgl/security/. Retrieved 2011-06-19. 
  20. ^ a b "WebGL – More WebGL Security Flaws". Context Information Security. 2011-06-16. http://www.contextis.com/resources/blog/webgl2/. Retrieved 2011-06-16. 
  21. ^ "WebGL Security". Khronos Group. 2011-05-09. http://www.khronos.org/news/permalink/webgl-security. Retrieved 2011-05-11. 
  22. ^ "Context WEbGL security FAQ". Context Information Security. http://www.contextis.com/resources/blog/webgl/faq/. Retrieved 2011-05-16. 
  23. ^ "WebGL Considered Harmful". Microsoft. 2011-06-16. http://blogs.technet.com/b/srd/archive/2011/06/16/webgl-considered-harmful.aspx. Retrieved 2011-06-16. 
  24. ^ "Microsoft, Apple Dis WebGL". InformationWeek. 2011-06-16. http://www.informationweek.com/news/security/vulnerabilities/230800086. Retrieved 2011-06-20. 
  25. ^ Carmack, John (2011-06-17). "Tweet". http://twitter.com/#!/ID_AA_Carmack/status/81732190949486592. Retrieved 2011-06-20. 
  26. ^ Kaminsky, Dan (2011-06-16). "Tweet". http://twitter.com/#!/dakami/status/81512002912141314. Retrieved 2011-06-20. 
  27. ^ "Mozilla rejects Microsoft criticism of WebGL". The Inquirer. 2011-06-20. http://www.theinquirer.net/inquirer/news/2080571/mozilla-rejects-microsoft-criticism-webgl. Retrieved 2011-06-29. 
  28. ^ Benjamin DeLillo (2009-10-02). "First WebGLU release". Bjartr.blogspot.com. http://bjartr.blogspot.com/2009/10/more-webgl-progress-now-with-video.html. Retrieved 2011-05-14. 
  29. ^ Chromium Blog: OpenGL ES 2.0 Certification for ANGLE

External links

Standards of The Khronos Group
COLLADA · EGL · OpenCL · OpenGL · OpenGL ES · OpenGL SC · OpenKODE · OpenMAX · OpenML · OpenSL ES · OpenVG · OpenWF · WebGL