Asset protection for glTF


Was wondering what Khronos suggests wrt protection of glTF assets that are made available on the web for various apps (eCommerce, eLearning …). I read posts suggesting HTML5-style EME (Encrypted Media Extensions) might be the way to go. I don’t see any reference to this in Khronos materials though. Any practical implementations that make sense? CryptoJS? Something that works with Google’s model-viewer and/or three.js would be a good starting point.


This question comes up periodically on three.js forums. For example:

In short, if you display a 3D model in a user’s web browser, then a determined user will always be able to download that 3D data. You can make this difficult (obfuscation) or illegal (copyright) but you cannot entirely prevent it, because you’re uploading data and instructions for rendering it to a GPU the user owns and controls.

Within those constraints, the delivery format (glTF or anything else) makes little difference — whatever encryption or obfuscation you apply to the transmitted model, it will need to be geometry, textures, and shaders for the GPU in the end.

Thanks for your response, Don. We have got to develop a solution to protect the assets. Otherwise the incentive is weakened. DRM seems to have solved this considerably for video.
Google’s Widevine
Microsoft’s PlayReady

Hopefully Khronos & the ecosystem can also solve this. Understand and accept that a “determined hacker” could eventually get at the assets via GPU buffers etc. But hopefully it is hard for a casual hacker.


Yeah, but that generally requires the playback system to be using very specific software. glTF is an open format, and anyone can write an application that can load and comprehend any glTF file. That’s kind of the whole point of the thing.

The whole point of DRM is kind of the opposite of that.

If someone wants to transmit glTF to a user through some form of encryption intermediary, that’s fine. But I don’t think it should be glTF’s responsibility to create such a thing.


It doesn’t have to be a part of the glTF standard. But protecting glTF assets will address the obvious economic issue that development/deployment of “valuable” assets on the open web will be hindered unless they are protected. Basic economics, right?

Since HTML5 endorsed EME, it enabled commercial video (Netflix, Amazon Prime, etc.).

Hope it made sense.