Closed LegNeato closed 12 months ago
For example, can you create a display list that causes WebRender to OOM?
Yes, and you can also create web pages that causes these display lists in Gecko.
I think that webrender should be pretty safe in terms of not letting malicious display lists cause arbitrary code execution and similar types of security exploits, but you can easily get it to crash by throwing too much content at it or asking it to allocate resources that are too large.
The serialized display lists produced by the gecko content process that are consumed by the GPU/Parent process are considered untrusted.
Ok, thanks!
What are the security implications of letting end users / untrusted users feed display lists into WebRender? Obviously in Firefox Gecko is trusted so I am not sure if the design takes into account potential security issues. For example, can you create a display list that causes WebRender to OOM?
Apologies if this is in the docs, I could not find information about it.