
Comments (7)

KebHelion avatar KebHelion commented on May 14, 2024 1

Not extremely intuitive to figure, but I see where you go.

So why not an "Entity Script White List" group of attributes on the zone Entity (Like we have for Keylight, Haze, etc.)
It could be easier to manage.

from vircadia-native-core.

two-one-five avatar two-one-five commented on May 14, 2024

This is a really good thought and has been brought up before.

I suppose the question is... How should we approach this at current? One such idea was to place an entity close to wherever a user enters the domain that has a list of the script URLs to whitelist in it; then it is the domain owner's responsibility to lock it and make sure no one with lock/unlock rights changes that for malicious purposes.

Then basically the client will auto pass those scripts for that domain.

It would also be necessary to make sure no one spoofs that secured object on a public building domain.

from vircadia-native-core.

MarcusLlewellyn avatar MarcusLlewellyn commented on May 14, 2024

Eventually, and hopefully sooner rather than later, I'd like to see the interface behave more like a web browser when it comes to script security. The hurdle there is that we need to replace the Qt script engine with something that has support for security contexts like V8. This way we can run scripts hosted by a domain in a trusted manner in one context, and foreign scripts in a less trusted context.

from vircadia-native-core.

two-one-five avatar two-one-five commented on May 14, 2024

Keb, that does seem like a good idea to go with. Being spatially aware instead of domain-aware to determine what scripts run in what context (pass or fail).

@MarcusLlewellyn that would for sure be a nice way to go once we get that going WRT V8. However, is it not trivially possible for the client to receive that list of trusted domains from the host domain and run them by default? I suppose that's what we're doing by this zone method, and ideally I think using the zone method + a whole domain list would be good because then it allows for better subleasing later since others can elevate their own domains in their own sub-spaces.

from vircadia-native-core.

KebHelion avatar KebHelion commented on May 14, 2024

I wonder how it would work...
When we enter a zone, the entities might already be loaded (currently I think they are), but their scripts initially get refused to run. Are we going to re-check if some of them need to be started? (Doing this may not be very performant.)

I think we'd better get this white list the second we enter a domain (from the server), before it starts to deal with scripts. So have this configured on the server.
Can't we call the server to get that list?

from vircadia-native-core.

two-one-five avatar two-one-five commented on May 14, 2024

#112

Whitelist is now disabled by default, it has a toggle to enable or disable. Though ways to have the server send a list of trusted domains to the client will still need to be implemented. Probably would not be the hardest thing in the world to do, but that transfer of information needs to be had and registered before the domain's entities load.

from vircadia-native-core.

two-one-five avatar two-one-five commented on May 14, 2024

Closing this issue for now because PR 112 takes care of this. If still desired, it would be best to open a PR about expanding the whitelist security capabilities by having security contexts and communication passed from the server, or other ideas like that. :)

from vircadia-native-core.
