this post was submitted on 04 May 2024
Casual Perchance

It was brought to my attention yesterday that any user can run any script on anyone else's page. This makes games with persistent memory and multiplayer hard, to say the least. Slept on it and here are my thoughts on waking.

Important code needs to be serverside.

The Login function still seems good because no player can see another player's password, so making functions on node which take a player name, player password, and other data can still result in just that player doing that thing. Though, since scripts are possible, there now have to be protections against things like brute-forcing.

Yet players can send anything on their own account. High scores, for example. Even if I hide a code for each player behind a localStorage and have that localStorage sent as a password, the player can script something that turns that localStorage into a public string, see what it is, and run the script to send the score themselves with a custom score. So basically NO INFO that dictates any state of the server can be sent FROM the client, which in this case is Perchance. The code determining the scores has to be entirely serverside. The frontend has to literally just be the face with no moving parts beneath it.

Iframes have the same problem. Sticking something in an iframe can allow custom gating on what info can be sent there and back, but still, any of the info originating from Perchance can have been fabricated. In basically all situations, the power needs to be not in the hands of the people but locked away behind the server (I believe in mutual sovereignty and no one being better than another, so this part inherently bothers me).

But putting all the moving parts on the server takes away from the beauty of 'Perchance', which is that anyone can make things. There may still be a way here too. A plugin could be designed which requires login, then, for each person, has an area where they can place a file which dictates a server. That way someone can make the 'behind the scenes' moving parts from Perchance, even in PerchanceScript, log in, upload it under their account, and then point their perchance page at it.

The above is barely a misty idea and complex, but has potential.

Cocell 2 points 6 months ago

I also thought about uploading files linked to the account, but I still need to understand it before I can talk with the dev.