Security: Close the JavaScript API Surface Area #3
Labels
No Milestone
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: SketchyMaze/doodle#3
Loading…
Reference in New Issue
There is no content yet.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?
The JavaScript API exposed to doodad scripts reveals too many objects and a malicious doodad might be able to mess with the game in unpredictable ways.
It should be given more careful access to specific function calls for safety.
Create custom types that wrap around specific API calls to provide a clean level of abstraction to the JS runtime. The API should be locked down before beta so that if users start making custom doodads, we don't break them by removing APIs they may have come to rely on.
Example mischievous script:
Fixed in
38614ee280