Global disable custom js/css from ttapi #30

Open
alok0 opened this issue Jun 15, 2012 · 3 comments

Comments


alok0 commented Jun 15, 2012

There should be a global disable for the userside js/css from ttapi.
(Or really more like the default state, I would rather it started default off, and be able to turn it on each time I enter the room)

Owner

Frick commented Jun 15, 2012

It is defaulted to off for all rooms except Wooooo's room since I wrote that to also show off some of the capabilities and so people would even notice that it's possible now. For all other rooms it would simply show the script button if scripts are available. So are you saying you wish there were an option to set it to always be off when you enter a room rather than a "remember my selection"? Perhaps three settings for room customizations, "Always On", "Always Off", or "Remember Selection"?

Author

alok0 commented Jun 15, 2012

Sounds good... it just freaks me out from a security standpoint. Because technically it gives the room owner full access to your account.

Owner

Frick commented Jun 15, 2012

Correct, to a minor extent. I thought about safety quite a bit which is why it will follow more of an app store approach as opposed to "I just made this, you're on your own". The database of scripts and the script hosting is all on my end so that I may look through all room code to ensure nothing malicious is within. Of course there's the possibility of something slipping through, but I'll also try to ensure I never do that by not ever outright trusting or making any assumptions about the code... if I can't read it because it's that poorly written or trying to obfuscate something, it's not going into my DB or onto the CDN. That also means the room owner cannot just switch the code at any point, it'll have to go through me each time. And from the server side of things, I'll also keep track of user tokens so that bots may authenticate that the user connecting to the bot is, indeed, in the room and that they are who they say they are. On the flip side, the bot can't tell the client to send it anything sensitive or to execute anything malicious if I've vetted the client-side code. Trust me, no evals allowed. :-)
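
An added example, not part of the thread or the project's code: a sketch of how a client could combine the three settings proposed above with the hosted-and-reviewed model, refusing any room script whose SHA-256 digest differs from the copy that was reviewed. The function name, room id, sample script and the use of digest pinning are assumptions made for illustration.

```javascript
// Added illustration; names and data below are hypothetical, not the extension's API.
const { createHash } = require('crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

// Constructed sample: the script the maintainer reviewed for one room.
const REVIEWED_SOURCE = 'document.body.classList.add("room-theme");';

// Maintainer-side record of vetted scripts: room id -> digest of the reviewed code.
const approvedDigests = new Map([['room-123', sha256(REVIEWED_SOURCE)]]);

// The three preferences proposed in the thread.
const Mode = Object.freeze({
  ALWAYS_ON: 'always-on',
  ALWAYS_OFF: 'always-off',
  REMEMBER: 'remember',
});

// Decide whether a room's custom script may run for this user.
// remembered: room id -> boolean, the user's last choice per room.
function shouldRunRoomScript(mode, roomId, source, remembered = new Map()) {
  // Vetting gate first: no preference can enable unreviewed or altered code.
  const pinned = approvedDigests.get(roomId);
  if (pinned === undefined || sha256(source) !== pinned) {
    return { run: false, reason: 'not-vetted' };
  }
  switch (mode) {
    case Mode.ALWAYS_ON:
      return { run: true, reason: 'always-on' };
    case Mode.REMEMBER:
      // No stored choice means off, matching the default-off behaviour.
      return remembered.get(roomId) === true
        ? { run: true, reason: 'remembered-on' }
        : { run: false, reason: 'remembered-off-or-unset' };
    default:
      // ALWAYS_OFF and any unknown value fail closed.
      return { run: false, reason: 'disabled' };
  }
}
```

Checking the digest before the preference means "Always On" still cannot run a script that was changed after review.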
