>The simplest and most effective solution against a drive-by attack scenario is, in our opinion, to treat GPU access in the browser as a sensitive resource, like microphone or camera access, that requires permission before use. For WebGL and WebGPU, this is not currently the case (Firefox 114, Chrome 115, Chromium 117). This would also prevent malicious parties from stealthily using local computing resources for, e.g., cryptomining.<p>Personally, I've been wanting this for a decade or longer. But WebGL/WebGPU is another vector for fingerprinting, and removing it from the available by default set of APIs would also lower the level of adoption, so I doubt they'll allow to hide it behind a permission.