On Tue, Oct 25, 2011 at 10:07 AM, Dean Jackson <d...@apple.com> wrote: > On 25/10/2011, at 9:49 AM, Adam Barth wrote: >>> Adam's point in the bug is that any operation that can access colour >>> channels might be able to perform a timing attack. This would include SVG >>> filters operating on HTML content without any hardware acceleration. >>> >>> For this reason I'm still tempted to suggest the combination of CSS_FILTERS >>> + WEBGL is enough of a switch for ports to disable this, but I'm happy to >>> add another one. >>> >>> I'm not sure at what point we should take the discussion from this list and >>> onto bugzilla. >> >> I don't believe you understand the security issue. I'd recommend you >> seek the advice of security experts to help you make this decision. > > OK, I'll make sure CSS Shaders has a separate flag which allows ports to turn > it off. But you'll still be susceptible to the same problems with > CSS_FILTERS, and with the current implementation of SVG filters that you > support.
Thanks. I'll flag CSS_FILTERS for further security review. Adam _______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
