tldr: Chrome tried to make it safe to apply SVG filters to iframes by making the filters constant-time (so that their speed doesn’t depend on the content underneath), but it turns out GPU hardware has variable timing anyway.
That’s an astonishingly stupid thing to do. There was an Oakland paper a few (6?) years ago that showed that you could use masks in filters with canvas to leak information because subnormals were vastly slower. In light of that, I find it astonishing that Chrome would permit a feature that looks vulnerable to the same attack without measuring.
Genuine, non-rhetorical question: is this a consequence of Chrome pushing through web standards using their dominant market position? (In other words, have other browsers not caught up, or did they never really buy into this API functionality in the first place?)
No, it’s only a consequence of ’90s Web standards being very naive about cross-site security.
Chrome and everyone else has been trying to balance compatibility and features with security. Since Spectre/Meltdown have shown that the hardware is overcomplicated and leaky, all software protections have become even harder to implement.
tldr: Chrome tried to make it safe to apply SVG filters to iframes by making the filters constant-time (so that their speed doesn’t depend on the content underneath), but it turns out GPU hardware has variable timing anyway.
That’s an astonishingly stupid thing to do. There was an Oakland paper a few (6?) years ago that showed that you could use masks in filters with canvas to leak information because subnormals were vastly slower. In light of that, I find it astonishing that Chrome would permit a feature that looks vulnerable to the same attack without measuring.
Genuine, non-rhetorical question: is this a consequence of Chrome pushing through web standards using their dominant market position? (In other words, have other browsers not caught up, or did they never really buy into this API functionality in the first place?)
No, it’s only a consequence of ’90s Web standards being very naive about cross-site security.
Chrome and everyone else has been trying to balance compatibility and features with security. Since Spectre/Meltdown have shown that the hardware is overcomplicated and leaky, all software protections have become even harder to implement.
This page is a terrible misrepresentation of the claimed attack. Quoting from the site, emphasis mine:
This is a Chrome vulnerability.
Given the market share chrome has, “Likely, yes” is sadly true.
All modern browsers should probably be vulnerable…
Quoting the three criteria from the site: