[sldev] Re: IDEA: HUD Objects should do HTTPrequests from the client not through the SIM.

Lawson English lenglish5 at cox.net
Sun Oct 28 15:13:06 PDT 2007


Jo Grant/Cambridge/IBM wrote:
>
> Mark writes:
> >But HUD objects are only viewable to the one client.
> >This would off-load HTTP traffic for applications that wanted to do more
> >HTTPrequest than the sim cap would allow with no settling time.
>
> I see where you are coming from, but there are a few thorns on this rose.
> Firstly, scripts all run on the server. Even HUD scripts. In order to 
> implement this the script engine would have to stop when there was a 
> HUD HTTPrequest, find out what client was attached to the object's 
> context, and push down the request to the client. The client would 
> have to accept this request, perform the operation, and stream the 
> result back up to the server. When the server gets the answer, it then 
> would wake up the script with the appropriate event.
> It could be done. But it wouldn't be a simple extension.
>
> >I understand that a user could be potentially exposing their IP
> This is one concern, I think there are a lot of bigger security 
> concerns. Code running on the client is running within whatever 
> security context the user is running within. For example, a large 
> number of users on home networks use Linksys routers, and a large 
> number of those never bother to change their admin password. It would 
> not be hard for a malicious user to write a script that browsed to 
> http://192.168.1.1 and performed the operations 
> to, say, remove their security, or bring their network down.
> Technically, you could probably do this from JavaScript or an applet 
> on a web page. But those are mature spaces that are well known and the 
> majority of anti-virus vendors have systems in place that can prevent 
> such attacks. This would be a new vector that such attacks could be 
> launched from.
>
> But keep thinking along these lines. Just like JavaScript allows 
> servers to offload some work onto browsers, having some sort of client 
> side scripting in an appropriately secure sandbox is worth thinking 
> about.
>
> Jo
>
>
Consider one possible case, where HUDs actually evoke client-side user 
interface elements and let the client track the mouse, slider positions, 
and keyboard input and send the results back to the HUD for 
script-processing. If that were allowed, the same mechanism might allow 
the httpRequest behavior as well.


https://wiki.secondlife.com/wiki/Use_Cases#Extended_Capability_Clients


Lawson
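
The concern raised in the quoted message, a script-originated request reaching http://192.168.1.1 from inside the user's network, can be met with a destination check that a client runs before performing any request on a script's behalf. The following is an added example, not part of the original thread and not Second Life viewer code; `vet_script_request`, `is_public`, the resolver functions and the sample name table are all hypothetical names constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host, port):
    """Resolve with the OS resolver and return the address strings."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public(text):
    """True only for a publicly routable unicast address."""
    ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)      # ::ffff:192.168.1.1 form
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast

def vet_script_request(url, resolver=system_resolver):
    """Return (allowed, reason, addresses) for a script-originated URL.

    The caller must connect to one of the returned addresses instead of
    resolving the name again, or a later DNS answer could point inward.
    """
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only http(s) URLs with a host are allowed", []
    try:
        addresses = resolver(parts.hostname, port)
    except OSError:
        return False, "name resolution failed", []
    blocked = [a for a in addresses if not is_public(a)]
    if blocked or not addresses:
        return False, "non-public destination: " + ", ".join(blocked), []
    return True, "ok", addresses

# Constructed name-to-address table standing in for DNS so this runs offline.
SAMPLE_DNS = {
    "public.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "192.168.1.1"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # IP literals resolve to themselves

if __name__ == "__main__":
    for u in ("http://192.168.1.1/", "http://rebind.example/", "http://public.example/"):
        print(u, vet_script_request(u, sample_resolver))
```

Any HTTP redirect returned by the remote server has to pass through the same check before it is followed.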

