Infinite loops in JavaScript

Posted May 27, 2011 15:44 UTC (Fri) by Simetrical (guest, #53439)
Parent article: WebGL vulnerabilities

It is, in some ways, similar to the problems of malicious, infinitely looping JavaScript, which can lock up a browser (but not generally the whole desktop). Running browser tabs as separate processes, as Chromium does and Firefox is moving to, also mitigates the JavaScript problem to a large extent.

Infinite loops in JavaScript will usually not lock up the whole browser. In Chrome, they usually only lock up the tab. (They might lock up other tabs in some cases, AFAIK, but they'll never lock up the browser UI, so you can always close the offending tab to stop the script.) In Opera, script runs in a separate thread, so the browser remains usable while script is running. IE9 works similarly to Chrome. I don't know about Safari. Firefox's UI does get locked up by script, but they're working on fixing that.

But even when the script does lock up the browser UI, all browsers normally pop up a dialog after a while giving you the chance to stop the script. And in the occasional case where Firefox seems not to do that, restarting the browser is usually a simple and effective solution, since it will remember all the tabs you had open, including (usually?) everything you've entered into forms, etc., and you can choose not to reopen particular tabs if they're causing trouble.

So it's not really comparable in the slightest. As for allowing embedding of cross-origin images in canvas but not giving script access to their content, well, that's usually a bad idea anyway.

Infinite loops in JavaScript

Posted Jun 10, 2011 0:18 UTC (Fri) by slashdot (guest, #22014)

A related critical issue is that OpenGL is a huge and extremely complex API with huge and extremely complex drivers, and has never been accessed before by untrusted code.

Hence, I feel it's extremely likely that all current OpenGL drivers are broken and exploitable via WebGL: it would probably be strongly advisable to not enable it by default on Internet sites.
