Is gltf/glb secure at cross domain usage - any risks?

I am wondering how to make my customer absolutely sure, that there is no risks attached by using gltf or glb while rendering a cross domain source?

(Are there any loop holes for hackers)

Could you share more specifically what is being fetched over cross-origin request (CORS)? Is that the glTF/GLB file, the JavaScript libraries used to render it, or both? Do you and your customer control or trust ownership of the domain, and of the files being requested?


Disclaimer: Personal opinion below, and does not represent advice from Khronos or from my employer.

Most simply, the glTF specification does not provide for any sort of scripting language — doing so would be a security red flag. A properly-implemented glTF viewer can safely display a valid glTF file.

That said, there are always some risks involved in loading a file whose origins you do not trust (see this exploit with simple image files) and additional steps would be advisable for use on any sensitive domain. If that applies to your customer:

Personally I would be comfortable with any one of those, except on an extremely sensitive domain where you might do more. These are the types of exploits that library and browser authors are actively looking for on your behalf1, and to my knowledge no such exploit has ever been discovered in a glTF viewer.

If you are accepting glTF uploads from untrusted users, it would also be a good idea to make use of the official glTF validator software.

1 As opposed to XSS and SQL injection attacks, which always require due diligence on the part of the web developer to prevent.