Comment by lucian1900

Can you be more specific about what you mean by arbitrary code? I agree the code can be arbitrary GLSL, but what are the actual risks? GLSL doesn't have access to the CPU, network, filesystem, peripherals, or anything other than (indirectly) VRAM, as far as I know. If I'm wrong, please help me understand.

My feeling having written a few GLSL shaders is that the language is already sandboxed by design, making it a safer environment to execute 'arbitrary code' than just about any other viable option. In a shader, I get access only to the input I'm given, and can only affect the color of a pixel, and nothing more.

The 'graphics memory theft' exploit (your 2nd link) cannot have been a primary result of a GLSL exploit, as I understand it. That would have required use of an improperly authorized API call like glGetPixels(), and so arbitrary code execution is not the issue there. WebGL's API design and the browser's sandboxing are accountable -- and anyway, it sounds like that got fixed a long time ago?

The first link says the main risk is crashing, so some sort of DOS attack I suppose. That is true of all computing systems, and also isn't exclusive to arbitrary code execution. I'd speculate it's probably easier to get WebGL to crash using the API than shaders. Either way yes, this is a risk, but not particularly specific to WebGL and not the worst kind of security risk in most environments unless combined with something else. (I grant that crashes in hospital equipment, for example, is a high security risk. Then again, most hospitals don't actually let their sensitive equipment browse the web for a reason.)

What other real risks are there, to the average person surfing the web?

Those 3 links are all to the same issue that was closed long ago and funded by MS as FUD.

There haven't been any real WebGL exploits I know of. No you can't upload arbitrary shaders either. They're validated and then re-written by the browsers.