Some more thoughts...
Banjo wrote:
I still think this is an important issue to consider, with SS including more and more internet functions that it didn't before as well as becoming more and more widely known (yay!). I agree that right now there is no real cause for alarm, but that might not always be the case.
The more I think about it the more I agree with you about this, it is probably something worth being careful about
Banjo wrote:
In thinking more about solutions, what I'd suggest is either:
1) When SS loads a script, it already checks for errors, doesn't it? If so, have it also check for any internet commands in the script and if any are found, popup a box asking "This script connects to the internet. Allow it? Yes/No". Thus, if I was expecting this (say, I'm playing a script that's clearly designed for emailing someone) I'd say yes, sure. If there were no internet tags or reason to suspect it would be needed, I'd be warned something was odd and could check into it or contact the author.
*or*
2) My first suggestion: simply add a configuration setting option to SS that lets the user toggle "allow scripts to connect to the internet?" on/off.
I think an option 3 may be better? If the script does not have Internet in setInfos() but finds and internet commands in the script it will flag up an error and will not run - that way it would not get in the way but still provide a safegard?
My other (greater) concern would be people downloading scripts making small changes and then uploading them. With the complexity of the bigger scripts like SubControl it would be relatively easy for someone to put a change in that would expose a subs user code. I like the whole idea of how easy anyone is able to update scripts (thats how I got started in here
) but it would also be good with some of these big scripts to be able to have a checksum system to verify a script has not been changed - at least without warning the end user? On scripts with a checksum, only the logged in author can update the saved checksum for a script? Don't know how hard this would be for Doti to implement but I think it would be worth looking at some ideas around this
as simply knowing if a script uses the internet may not prove good enough for security?