[opensource-dev] Client-side scripting in Snowglobe
Argent Stonecutter
secret.argent at gmail.com
Thu Feb 18 05:45:58 PST 2010
7. 8. 9. 10. ... I'm not going to run client-side scripts if I can't
eyeball them. Creating a sandbox is a huge, complex, and difficult
job, even in an application designed to run untrusted content from the
ground up. Putting a blind scripting environment inside something like
the SL client is risky. Putting one that isn't inherently secure in
there is scary.
Linden Lab does not trust the Mono sandbox on the server: you can't
upload Mono bytecodes like you could LSL bytecodes. And they
shouldn't. LSL bytecodes are run in an inherently secure
environment... they can not perform any operation outside the
capabilities of the LSL runtime: security and access controls are
implemented outside the interpreter. Javascript and Activescript in
Flash are in the same situation: they are languages that can (and
usually do) run in an interpreter that does not even implement unsafe
operations. Java and Mono/.NET intermediate language can do anything
native code can, they are not inherently secure, and should not be
treated the same way. *
Even if the entire viewer was run in a provably secure virtual machine
this would not seem like a safe option to me, since the viewer has
full access to all my assets and account information in Second Life.
Now there are situations where this kind of assembly would be
acceptable, where it's treated and presented to the user as an
application, where the user has to explicitly request that it be
installed, where it is made clear that installing a plugin is the same
kind of risk as installing and running an application. But not when
it's something that can be pushed from an untrusted source with no
more than a warning dialog between you and HonestImNotInThePN
ThrowawayAlt.
Even if they were using an inherently safe language, accepting
unexaminable binary payloads from untrusted sources and running them
in the SL client in anything like its current state would raise all
kinds of warning flags with me. Doing this using an internally-
sandboxed interpreter just isn't something I'm prepared to do.
* No, I don't use Silverlight and I have Java disabled.
More information about the opensource-dev
mailing list