[opensource-dev] Client-side scripting in Snowglobe

Argent Stonecutter secret.argent at gmail.com
Thu Feb 18 05:45:58 PST 2010


7. 8. 9. 10. ... I'm not going to run client-side scripts if I can't  
eyeball them. Creating a sandbox is a huge, complex, and difficult  
job, even in an application designed to run untrusted content from the  
ground up. Putting a blind scripting environment inside something like  
the SL client is risky. Putting one that isn't inherently secure in  
there is scary.

Linden Lab does not trust the Mono sandbox on the server: you can't  
upload Mono bytecodes like you could LSL bytecodes. And they  
shouldn't. LSL bytecodes are run in an inherently secure  
environment... they can not perform any operation outside the  
capabilities of the LSL runtime: security and access controls are  
implemented outside the interpreter. Javascript and Activescript in  
Flash are in the same situation: they are languages that can (and  
usually do) run in an interpreter that does not even implement unsafe  
operations. Java and Mono/.NET intermediate language can do anything  
native code can, they are not inherently secure, and should not be  
treated the same way. *

Even if the entire viewer was run in a provably secure virtual machine  
this would not seem like a safe option to me, since the viewer has  
full access to all my assets and account information in Second Life.

Now there are situations where this kind of assembly would be  
acceptable, where it's treated and presented to the user as an  
application, where the user has to explicitly request that it be  
installed, where it is made clear that installing a plugin is the same  
kind of risk as installing and running an application. But not when  
it's something that can be pushed from an untrusted source with no  
more than a warning dialog between you and HonestImNotInThePN  
ThrowawayAlt.

Even if they were using an inherently safe language, accepting  
unexaminable binary payloads from untrusted sources and running them  
in the SL client in anything like its current state would raise all  
kinds of warning flags with me. Doing this using an internally- 
sandboxed interpreter just isn't something I'm prepared to do.

* No, I don't use Silverlight and I have Java disabled.


More information about the opensource-dev mailing list