It was brought to my attention yesterday that any user can run any script on anyone else’s page. This makes games with persistent memory and multiplayer hard, to say the least. Slept on it and here are my thoughts on waking.

Important code needs to be serverside.

The Login function still seems good because no player can see another player’s password, so making functions on node which take a player name, player pass, and stuff can still result in just that player doing that thing. Though since scripts are possible, we now have to have protections against things like bruteforcing.

Yet players can send Anything on their own account. High scores, for example. Even if I hide a code for each player behind a localStorage and have that localStorage sent as a password, the player can script something that turns that localStorage into a public string, see what it is, and do the script to send the score themselves with a custom score. So basically NO INFO that dictates any state of the server can be sent FROM the client, which in this case is Perchance. The code determining the scores has to be entirely serverside. The frontend has to literally just be the face with no moving parts beneath it.

Iframes have the same problem. Sticking something in an Iframe can allow custom gating on what info can be sent there and back, but still, any of the info originating from Perchance can have been fabricated. In basically all situations, the power needs to be not in the hands of the people but locked away behind the server (I believe in mutual sovereignty and no one being better than another, so this part inherently bothers me).

But putting all the moving parts on the server takes away from the beauty of ‘Perchance’, which is that anyone can make things. There may still be a way here too. A plugin could be designed which requires login, then, for each person, has an area where they can place a file which dictates a server. That way someone can make the ‘behind the scenes’ moving parts from Perchance, even in PerchanceScript, log in, upload it under their account, and then point their perchance page at it.

The above is barely a misty idea and complex, but it has potential.

  • GlassGuy
    27 months ago

    I lack the know-how to contribute to the discussion but 100% appreciate that you're investing time to find a solution. I like your idea and am curious about one thing: even if said behind the scenes can be made, once people start to play the game and let's say one gets to be more popular, would ping start to become a factor for playability with more players, or would things like that not be a major factor? Sorry if this is a silly question, I was just curious from experiences playing server based games before.

    • alloOPM
      16 months ago

      Oh probably, lol. I haven’t gotten there yet. I’m still where 5 people online is a new record.

  • CocellM
    26 months ago

    I also thought about uploading files linked to the account, but I still need to understand it before I can talk with the dev.