http://www.v3.co.uk/v3-uk/news/2070101/-cert-alerts-webgl-risks-khronos-plays-security-issues
US-CERT alerts on WebGL risks as Khronos Group plays down security issues
The US Computer Emergency Readiness Team (US-CERT) has added its voice to a warning from an IT consultancy of significant security issues in the new WebGL standard, recommending that web users disable the functionality to mitigate risks.
Context Information Security argued in a detailed blog post that the web standard, which was designed to enable 3D graphics on any computer with a compatible browser, is dangerous because it allows browser content to almost directly access a PC's graphics hardware.
As such, it could allow hackers to launch denial-of-service (DoS) attacks by creating "shader programs", or drawing deliberately complex 3D geometry which causes the GPU hardware to spend a long time rendering.
In addition, it may allow for cross-domain image theft attacks, according to Context Information Security.
http://www.contextis.com/resources/blog/webgl/
WebGL on the other hand provides, by virtue of its functional requirements, access to the graphics hardware. Shader code,
The current workaround for this seems to be a driver blacklist (or in Chrome’s case not running WebGL on Windows XP at all).
(See https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers). This does not seem to be a very tenable approach long term.
Denial of Service
(see https://www.khronos.org/registry/webgl/specs/1.0/#4.4). Basically, because of the almost direct access the WebGL API has to the graphics hardware, it is possible to create shader programs or a set of complex 3D geometry which can cause the hardware to spend a significant proportion of its time rendering.
operating system crashing (i.e. Blue Screen of Death) (see http://msdn.microsoft.com/en-us/windows/hardware/gg487368.aspx).
Of course, as it is a known issue, there are efforts to mitigate it. For example, the ANGLE project (http://code.google.com/p/angleproject/) includes a shader validator to eliminate simple infinite loop cases, which is used in Firefox 4 and Chrome.
http://www.contextis.com/resources/blog/webgl/faq/
“You said we should consider disabling WebGL, how exactly would you go about doing that?”
Firefox 4
Type into the URL bar “about:config” and click the “I’ll be careful” button.
Find the setting “webgl.disabled” and set it to true.
Chrome
For Chrome on Windows pass the flag “--disable-webgl” when running the executable by changing the shortcut in the start menu. A user can right click on the Chrome shortcut, select properties and add the flag.
For Chrome on OSX the parameter “--disable-webgl” needs to be added on startup.
following article
http://superuser.com/questions/271678/how-do-i-pass-commandline-arguments-to-dock-items
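The Firefox step from the FAQ above can be made persistent and checkable across profiles. The script below is an added example, not taken from the Context FAQ: it writes the `webgl.disabled` preference into each profile's `user.js` (which Firefox applies at startup) and verifies the result. The function names and the profiles root path passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the FAQ): persist webgl.disabled=true via user.js.

PREF_LINE='user_pref("webgl.disabled", true);'

# Write the preference into one profile's user.js, replacing any earlier
# webgl.disabled line so repeated runs leave exactly one entry.
disable_webgl_in_profile() {
    profile_dir=$1
    [ -d "$profile_dir" ] || { echo "not a directory: $profile_dir" >&2; return 1; }
    user_js=$profile_dir/user.js
    tmp=$user_js.tmp.$$
    if [ -f "$user_js" ]; then
        grep -v '"webgl\.disabled"' "$user_js" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s\n' "$PREF_LINE" >> "$tmp"
    mv "$tmp" "$user_js"
}

# Succeed only if the profile's user.js sets webgl.disabled to true.
webgl_disabled_in_profile() {
    grep -Eq '^[[:space:]]*user_pref\("webgl\.disabled",[[:space:]]*true\);' \
        "$1/user.js" 2>/dev/null
}

# Apply to every profile under a profiles root (assumed path, for example
# ~/.mozilla/firefox on Linux). A directory counts as a profile only if it
# already holds prefs.js. Returns non-zero if any profile could not be set.
disable_webgl_all_profiles() {
    root=$1
    rc=0
    for p in "$root"/*/; do
        [ -f "${p}prefs.js" ] || continue
        if disable_webgl_in_profile "${p%/}" && webgl_disabled_in_profile "${p%/}"; then
            echo "ok: ${p%/}"
        else
            echo "FAILED: ${p%/}" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `disable_webgl_all_profiles` with the Firefox profiles directory as its argument while Firefox is closed; the setting takes effect on the next start.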
http://www.v3.co.uk/v3-uk/news/2069210/managers-told-webgl-security-concerns