circumventing get and post request popup #883
Comments
This doesn't really let you circumvent the system, because you can't make arbitrary GET and POST requests to a given endpoint. The system will only attempt to download an asset, which you can register, but you can't attach any significant payload (other than the URL itself). Loading assets from web sources could be limited in some way, but the question is where to draw the line. You can import pictures and videos from various web sources. We could make a limited list of allowed ones, but that would severely reduce the functionality, so it's mainly a question of how big of a concern it really is.
Couldn't there be a solution where the user who spawns an image/video requests it from the server and then distributes it to everyone else in the session, similar to how local file imports are handled right now?
@Psychpsyo Hmm, that might actually be a good solution. Although video streaming would be a tricky one, since that would be a bit more involved to relay all the traffic somehow (that's handled by the streaming library), it would have to be tunneled somehow, but even doing it for most other assets could be a benefit there. @AshtonSparx Because it's not a bug and not a super practical method. You can't really mine anything you couldn't get otherwise by just being in the session with the user. You load tons of pictures and assets and other resources on the web from all sources every day. We can look into ways to mitigate this, like @Psychpsyo proposed, but unless you want to block functionality to import a lot of the web content into Neos completely (maybe for a few whitelisted URLs), it's not something you "fix".
Small update to this: can now send data back into Neos as a string using the subtitle animation without user prompt.
Any component with a Uri can be used to send data from LogiX to a server without prompting the user about the server request.
It's not really an issue, but could be used for circumventing the whitelist, as you could send data back as part of garbage files like the resolution of a texture.
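The mitigation discussed in this thread, putting asset loads from web sources behind the same per-host permission as GET/POST requests with an optional allowlist, can be sketched as a host gate applied to any component Uri. This is an added example, not Neos code; the host names, function names and decision values are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist; these hosts are placeholders, not a real Neos list.
ALLOWED_HOSTS = frozenset({"assets.example.org", "cdn.example.net"})


def asset_uri_decision(uri, approved_hosts=frozenset(), allowed_hosts=ALLOWED_HOSTS):
    """Decide how to treat an asset URI before any request leaves the client.

    Returns "load" (host allowlisted or already approved by the user),
    "prompt" (ask the user, as the GET/POST popup does), "not_web"
    (non-HTTP scheme, out of scope here) or "block" (URI cannot be parsed).
    """
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "block"
    if parts.scheme not in ("http", "https"):
        return "not_web"
    # Compare the exact host name: a suffix or substring match would let
    # "assets.example.org.other.test" pass as "assets.example.org".
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "block"
    if host in allowed_hosts or host in approved_hosts:
        return "load"
    # The URL itself is the payload, so the decision depends only on the
    # host and never on the path, query string or file extension.
    return "prompt"


def hosts_needing_prompt(uris, approved_hosts=frozenset()):
    """Return the sorted set of hosts a batch of asset URIs would prompt for."""
    pending = set()
    for uri in uris:
        if asset_uri_decision(uri, approved_hosts) == "prompt":
            pending.add(urlsplit(uri).hostname.lower().rstrip("."))
    return sorted(pending)


if __name__ == "__main__":
    # Constructed sample URIs, as they might be set on texture or video components.
    sample = [
        "https://assets.example.org/tex/wall.png",
        "https://collector.example.com/i.png?d=c2Vzc2lvbg",
        "https://assets.example.org.collector.example.com/a.png",
    ]
    for uri in sample:
        print(asset_uri_decision(uri), uri)
    print(hosts_needing_prompt(sample))
```

The gate keys on the host alone because, as noted in the thread, an image URL and a data-carrying URL are indistinguishable by extension or content type.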