11 May 2011

US CERT recommends disabling WebGL

HTML 5 is sometimes seen as a flash killer, because of the new <canvas> tag. <canvas> can be used to draw graphics via scripting (usually JavaScript).
Firefox 4 and Chrome 9 support 3D graphics in  <canvas> through the WebGL API. WebGL is developed by the non-profit Khronos consortium, basically consisting of everybody but Microsoft.
WebGL accesses your hardware driver, giving you hardware acceleration, but also exposing you to a set of vulnerabilities. US CERT now recommends disabling the feature.
To disable WebGL in Firefox, change the preferences:

  1. navigating to the special about:config URL.
  2. promise to be careful on the warning page
  3. type webgl in the filter bar
  4. toggle the webgl:disabled setting to true