The basic axiom of the security model is "If the canvas is write-only, the bound program is secure."
And the rest of the axioms are:
- A new shader is secure
- A new program is secure
- A shader is insecure iff its source has problematic keywords
- A program is insecure iff an insecure shader is attached to it
So the statements we need to hook to are: "the canvas is write-only", "the bound program is secure", "an insecure shader is attached", "source has problematic keywords", "new shader" and "new program".
"New shader" and "new program" are handled by making CreateShader and CreateProgram set the created object as secure.
"Source has problematic keywords" is handled by ShaderSource setting the secure status of the given shader.
"An insecure shader is attached" is handled by LinkProgram, setting the program insecure if any of the attached shaders is insecure (programSec &= shaderSec.) If the program is the bound program and it becomes insecure, bind the null program.
"The canvas is write-only" is handled by TexImage2DHTML and TexSubImage2DHTML. After the call, if the canvas is write-only and the bound program is insecure, bind the null program.
"The bound program is secure" needs to be asserted in the above functions (sans CreateProgram/Shader), and in UseProgram. If the program that we're trying to bind is insecure, throw a security error.
Update: AttachShader -> LinkProgram, attach just adds the shader object to the linked objects (so you can edit it after attaching and before linking. Edits after linking don't affect the program, however.)