It was brought to my attention yesterday that any user can run any script on anyone else’s page. This makes games with persistent memory and multiplayer hard, to say the least. I slept on it, and here are my thoughts on waking.

Important code needs to be serverside.

The Login function still seems good, because no player can see another player’s password, so making functions on node which take a player name, player pass, and stuff can still result in just that player doing that thing. Though since scripts are possible, I now have to have protections against things like brute-forcing.

Yet players can send Anything on their own account. High scores, for example. Even if I hide a code for each player behind a localStorage and have that localStorage sent as a password, the player can script something that turns that localStorage into a public string, see what it is, and script sending the score themselves with a custom score. So basically NO INFO that dictates any state of the server can be sent FROM the client, which in this case is Perchance. The code determining the scores has to be entirely serverside. The frontend has to literally just be the face with no moving parts beneath it.

Iframes have the same problem. Sticking something in an Iframe can allow custom gating on what info can be sent there and back, but still, any of the info originating from Perchance can have been fabricated. In basically all situations, the power needs to be not in the hands of the people but locked away behind the server (I believe in mutual sovereignty and no one being better than another, so this part inherently bothers me).

But putting all the moving parts on the server takes away from the beauty of ‘Perchance’, which is that anyone can make things. There may still be a way here too. A plugin could be designed which requires login, then, for each person, has an area where they can place a file which dictates a server. That way someone can make the ‘behind the scenes’ moving parts from Perchance, even in PerchanceScript, log in, upload it under their account, and then point their perchance page at it.

The above is barely more than a misty idea, and complex, but it has potential.

  • alloOPM
    16 months ago

    oh probably, lol. i haven’t gotten there yet. I’m still where 5 people online is a new record.