Update index.md of using textures in webgl

[vasilich-tregub]

Remove the phrase Because WebGL now requires textures to be loaded from secure contexts from index.md of Using textures in WebGL and explain the benefit of possibility to use a plain, unencrypted http server for local development and testing

It is true that Loading of WebGL textures is subject to cross-domain access controls, but there is no mandatory requirement for webgl applications to load textures from secure context sensu stricto. Cross origin requests can be supported with a plain, unencrypted HTTP protocol.

Description

I removed the phrase Because WebGL now requires textures to be loaded from secure contexts and explained that the use of http server is fully legitimate for local development and testing

Motivation

First, the educational resource should not include misleading statements. Second, it is easier to set up a local http server for webgl-example tutorial experiments: compare Python's readily available module http.server and the complexity of configuring SSL for https.server. I examined the use of an unencrypted http server (Python http.server) with samples of the webgl-examples tutorial and confirm that the samples1-8 work as expected.

Additional details

If need be, we can include the reference to W3C document on secure context: https://w3c.github.io/webappsec-secure-contexts/#examples-top-level. A very instructive article on WebGL security considerations see in https://blog.pixelfreestudio.com/webgl-security-best-practices-ensuring-safe-3d-web-experiences/. The document never states that secure context is mandatory for WebGL apps to work but stresses the use of secure context for mitigating risks and vulnerability!

For development of WebGL applications, some guides urge designers to always work in secure context. However, depending on task, this requirement can be weakened. When selecting which server flavor to choose, the rule of thumb: use of https is mandatory when deploying to the web; for local testing and development you can use a plain, unencrypted http server, especially when the development task is not concerned specifically with risk mitigation -- use of http server simplifies setting up the design environment.

Related issues and pull requests

This edit is necessary because the phrase Because WebGL now requires textures to be loaded from secure contexts is replicated in many documents hosted on MDN -- for example, README in the tutorial of webgl-examples, see my closed PR#365 -- and also in broader technical documentation. First, the educational resource should not contain misleading statements; second, the correct understanding of security issues can improve developer's experience when setting up environment for development and testing.

[github-actions]

Preview URLs

• /en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL

(comment last updated: 2025-12-01 19:02:53)

[vasilich-tregub]

@wbamberg Please help me understand github-actions' (bot) correction: it curtails the full link developer.mozilla.org/en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL to just /en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL and then complains that this corrected link is broken: /en-US/docs/Web/Security/Same-origin_policy#file_origins is a redirect, flaw count is 1. What should I do with this edit, if ever?

[wbamberg]

@wbamberg Please help me understand github-actions' (bot) correction: it curtails the full link developer.mozilla.org/en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL to just /en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL and then complains that this corrected link is broken: /en-US/docs/Web/Security/Same-origin_policy#file_origins is a redirect, flaw count is 1. What should I do with this edit, if ever?

Hi @vasilich-tregub ! MDN uses relative links for internal pages. See e.g. all the links in https://raw.githubusercontent.com/mdn/content/refs/heads/main/files/en-us/web/security/attacks/index.md .

It's complaining about the redirect because you were unlucky enough to link to the SOP page just before it got moved. It's not related to the bot's update. I added a suggestion that ought to fix it 🤞 .

[vasilich-tregub]

Hi @wbamberg, thank you for explanation, I've got it.
I accept your edit. Should I perform some user action (if any) in the workflow to confirm your edit of links in my PR? I believe I need not do anything as I checked the "Allow edits by maintainers" mark when posting my PR.

[wbamberg]

Should I perform some user action (if any) in the workflow to confirm your edit of links in my PR? I believe I need not do anything as I checked the "Allow edits by maintainers" mark when posting my PR.

You could click "commit this suggestion" but as you note I can do that too, so I did.

[wbamberg]

Thank you! I think this makes sense. I couldn't find any indication that loading textures requires a secure context.

Note though that the fact that it works using a local HTTP server is not evidence that secure context doesn't apply: browsers treat local HTTP servers as secure contexts, to make development easier.

But your explanation of why file:// URLs don't work is plausible to me - it certainly sounds more like a cross-origin restriction than a secure context restriction.

[vasilich-tregub]

Entirely agreed. Verification of "negative" claims, like 'there are no indications that loading textures requires a secure context' is a very exacting task. In practice, you can accept a "negative" claim as true only when a few (if possible, independent) experts agree. Your note about special treatment of local http servers by user agents is significant for development and testing tasks: I found further details in $ 5.2. localhost. Thank you for your time and effort.