Chris Maunder wrote: We're more than happy to post live JavaScript in your article.
It would probably make sense to host the user-provided code in a sandboxed iframe, and serve it up from a different domain, just in case anything slips through.
Also, if possible, it should run on demand rather than when the page loads.
I know it's a dirty word around here, but StackOverflow's implementation is quite nice:
http://blog.stackoverflow.com/2014/09/introducing-runnable-javascript-css-and-html-code-snippets/
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
That's a slick implementation but I worry that it still opens up security issues. "Run code snippet" is a very inviting button to press, and for the uninitiated it could lead to trouble.
SO's community moderation is extremely tight, though, so damage would be short lived due to the snippet being closed down quickly.
And no, Stackoverflow isn't a dirty word. They just do things differently.
cheers
Chris Maunder
Keeping the script in a sandboxed iframe served from a separate domain would at least prevent a malicious script from stealing any cookies, or forging requests to the site from my login.
I know the plan is to have the hamsters vet the script before it makes it onto the site, but they might not catch everything.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
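The scheme described in the two posts above (a sandboxed iframe on a separate origin, started only on demand) in working form, as an added example that is not code from the thread or from CodeProject. The origins, the runner path and the element handling are assumed: the article page lives at ARTICLE_ORIGIN, a trivial runner page at SNIPPET_ORIGIN + RUNNER_PATH calls installRunner(), and the snippet text travels between them with postMessage.

```javascript
// Added example, not from the thread. Assumed names: ARTICLE_ORIGIN,
// SNIPPET_ORIGIN and RUNNER_PATH are placeholders for a real deployment.
const ARTICLE_ORIGIN = 'https://www.example.com';   // assumed: where the article is served
const SNIPPET_ORIGIN = 'https://snippets.example';  // assumed: separate origin for snippets
const RUNNER_PATH = '/run.html';                    // assumed: runner page on that origin

// Sandbox tokens we are willing to grant an untrusted snippet. Note what is
// absent: allow-same-origin (combined with allow-scripts it lets the frame
// strip its own sandbox attribute and undoes the origin separation),
// allow-forms and allow-top-navigation.
const SAFE_SANDBOX_TOKENS = new Set(['allow-scripts', 'allow-modals']);

// Build the value of the iframe's sandbox attribute, refusing anything
// outside the allow-list.
function buildSandboxAttribute(extraTokens = []) {
  const tokens = new Set(['allow-scripts', ...extraTokens]);
  for (const t of tokens) {
    if (!SAFE_SANDBOX_TOKENS.has(t)) {
      throw new Error(`refusing sandbox token for untrusted snippet: ${t}`);
    }
  }
  return [...tokens].sort().join(' ');
}

// A sandboxed frame without allow-same-origin has an opaque origin, which the
// browser reports to message listeners as the string "null". The article page
// therefore accepts replies only from its own frame and only with that origin.
function isReplyFromSandboxedFrame(event, frameWindow) {
  return event.source === frameWindow && event.origin === 'null';
}

// The runner page must only execute snippets sent by the article origin.
function isSnippetFromArticle(event) {
  return event.origin === ARTICLE_ORIGIN && typeof event.data === 'string';
}

// Article page: create the frame on click, so nothing runs at page load.
function attachRunButton(button, container, code, onResult) {
  button.addEventListener('click', () => {
    const frame = document.createElement('iframe');
    frame.setAttribute('sandbox', buildSandboxAttribute());
    frame.src = SNIPPET_ORIGIN + RUNNER_PATH;
    frame.addEventListener('load', () => {
      // targetOrigin must be '*' here: the frame's origin is opaque, so no
      // concrete origin string could match it.
      frame.contentWindow.postMessage(code, '*');
    });
    window.addEventListener('message', (event) => {
      if (!isReplyFromSandboxedFrame(event, frame.contentWindow)) return;
      onResult(String(event.data));
    });
    container.replaceChildren(frame);
  });
}

// Runner page (served from SNIPPET_ORIGIN): execute what the article sends
// and report the result back to the article page only.
function installRunner() {
  window.addEventListener('message', (event) => {
    if (!isSnippetFromArticle(event)) return;
    let result;
    try {
      result = String(new Function(event.data)());
    } catch (err) {
      result = 'error: ' + err.message;
    }
    event.source.postMessage(result, ARTICLE_ORIGIN);
  });
}
```

With this setup the snippet runs in a document whose origin is neither the article site nor even snippets.example, so it cannot read the article site's cookies or DOM. One caveat: the sandbox does not stop the snippet from issuing a cross-origin request to the article site, and the browser may still attach cookies to it depending on their SameSite setting; the site's own CSRF defences (SameSite cookies, Origin header checks, anti-forgery tokens) are what stop the "forged request from my login" case, not the iframe alone.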
Guys, you can simply inspect the code, honestly, very clear and pretty short, and see that it does not do anything except accessing the browser's screen. Not using DirectX is already a big safety measure.
Chris, you told me that I won't have any access to the published resources (I guess, first of all, because there is no such public mechanism), so what's the problem?
Just for the record, it was not me who put forward the idea of having the Life game published as well.
Thank you.
—SA
Sergey A Kryukov
I wasn't suggesting that your code would be malicious.
My concern is that, if it becomes commonplace to have user-supplied javascript running within an article, there will inevitably be some toerag who manages to slip malicious code past the hamsters. It's better to take steps to limit the potential damage now, rather than after the event.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Sure, I know that. Please see my other comments.
—SA
Sergey A Kryukov
That's a good point. The key is the possible scale or severity of the disaster and some sanity. In such a technology as JavaScript, designed for safety in the first place (until it was completely spoiled with something like ActiveX component embedding), human-driven moderation can be reliable enough.
But I understand that you probably discuss the possibility of allowing publishing of JavaScript by default, as a potentially massive act performed by any user. Here I would be much more careful and doubtful. Imagine that a destructive attack is found and performed massively and on purpose. Then even fully reversible and limited damage can present a problem. Don't forget that a trivial but massive spamming attack partially paralyzed work for a while, just because real questions were not easy to spot.
—SA
Sergey A Kryukov
Looks like an interesting technique anyway. Thank you for sharing.
—SA
Sergey A Kryukov
Chris,
Everything goes well. The CodeProject member who published the game on the 3rd-party site has already removed it at my request; I checked. That's good.
I updated both the article and the code; added links to the help box: 1) to my original CodeProject article, 2) to the article on the original game, 3) to the license, 4) to the info on contributors, also including, in particular, all of the above links. You may want to review it.
In connection with that, I also added to the article the new version of the code and 1) version information with an explanation of the last version's changes, 2) the ideas on future development, 3) a TOC, 4) minor fixes.
Now, preparing the live copy is reduced (as a minimum) to just unpacking the ZIP I uploaded (all 5 files are used), preferably in a separate directory on a server, apparently making the file "index.html" the default/index file of this directory, so the link could be directory-like. And please tell me this link. That's all: Tetris on Canvas.
Will it work based on that?
Thank you very much.
—SA
Sergey A Kryukov
Thought I recognised that ugly face!
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Blog post closed, and member gone.
The quick red ProgramFOX jumps right over the Lazy<Dog> .
gone
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Spam[^] mer[^]
Geek code v 3.12
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- r++>+++ y+++*
Weapons extension: ma- k++ F+2 X
Message processed. Member on 6.
"When you don't know what you're doing it's best to do it quickly"- SoMad
This is an elegant, pretty clear notation, spam -mer. It resembles the bra-ket notation (<φ|ψ>) for quantum states introduced by Paul Dirac.
Congratulations!
—SA
Sergey A Kryukov
It is practical - reporting hundreds of spam/spammer couples can be pretty tiring on the fingers, plus I hate typos such as "spma and spamemr" or worse.
Geek code v 3.12
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- r++>+++ y+++*
Weapons extension: ma- k++ F+2 X
Spam[^] and stooge[^]
Geek code v 3.12
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- r++>+++ y+++*
Weapons extension: ma- k++ F+2 X
Spam deleted, spammer on 6
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Last kick applied.