Facepunch / sbox-issues


Implement a whitelist for WebSurface URLs #3871

Closed peter-r-g closed 1 year ago

peter-r-g commented 1 year ago

For?

S&Box

What can't you do?

Currently, a WebSurface URL must follow these rules:

This becomes a problem with IP grabbers and websites people probably don't want to visit. There will inevitably be kids playing the game and the possibility of sending them to something like a porn website without their input/consent is a bit concerning.

How would you like it to work?

This could be implemented as a global whitelist or a client consent project whitelist:

Global Whitelist: All URLs are blacklisted by default, FP will have a whitelist in S&box that they can manually add to like how the code access list works. People can make issues allowing additional websites and services.

Project Whitelist: A game creator fills out a section of project settings that defines what URLs they can use in the WebSurface. Once a client selects that game and there are URLs defined; S&box will display them with the option to continue or bail.

What have you tried?

Trusting creators to not do stupid things I guess.

Additional context

There is also the case of WebSockets but only the project whitelist method makes sense for them in my opinion. The focus of this issue is to prevent problems with WebSurface specifically.

cashmen123 commented 1 year ago

Yeah this is pretty important. The potential for IP grabbers or directing people to porn is already bad. There's also the potential for sending users to fake login pages for various sites and tricking them to enter login details (especially when users can't see the URL for the site they are seeing). There should be plenty of public "trusted site" whitelists available on the web that can be used as a baseline, and can be cherry-picked so only specific services can be visited.

I can understand the argument that a "global whitelist" that enforces over all games is potentially limiting, but even a project whitelist that users consent to can lead to pretty easy confusion tactics via similar URLs to make users believe it's a trusted site when it's not. There's not a whole lotta reason to allow servers to push users to sites that aren't already long-term established and vetted.
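The project-whitelist flow proposed above (a game declares the hosts it will load, the client is shown them once and can continue or bail), together with the look-alike-URL concern just raised, is sketched below as an added example. This is not S&box's code; `AllowedHosts` stands in for a hypothetical project setting, and the consent decision is passed in rather than read from a real UI.

```csharp
// Added example, not S&box's own code. Assumes a hypothetical project setting
// "AllowedHosts" that a game creator fills in; the client is shown that list
// once when selecting the game and decides whether to continue.
using System;
using System.Collections.Generic;

public static class WebSurfaceAllowlist
{
    // Hypothetical project setting: hosts the game declares it will load in a WebSurface.
    // Values here are constructed for the example.
    public static readonly HashSet<string> AllowedHosts =
        new( StringComparer.OrdinalIgnoreCase ) { "www.youtube.com", "example.com" };

    // Recorded once per game/client: did the player accept the declared host list?
    public static bool ClientConsented { get; set; } = false;

    /// <summary>
    /// Returns true only if the client accepted the declared list and the URL's
    /// parsed host is an exact entry of that list. "reason" explains a rejection.
    /// </summary>
    public static bool IsAllowed( string url, out string reason )
    {
        reason = "";

        if ( !ClientConsented )
        {
            reason = "client has not accepted this project's host list";
            return false;
        }

        // Parse first. Checking the raw string is how look-alike hosts slip through:
        // a name that merely contains "example.com" must not match "example.com".
        if ( !Uri.TryCreate( url, UriKind.Absolute, out var uri ) )
        {
            reason = "not an absolute URL";
            return false;
        }

        if ( uri.Scheme != Uri.UriSchemeHttps )
        {
            reason = $"scheme '{uri.Scheme}' is not https";
            return false;
        }

        // Exact match on the parsed host, not StartsWith/Contains on the URL text.
        if ( !AllowedHosts.Contains( uri.Host ) )
        {
            reason = $"host '{uri.Host}' is not in the project allowlist";
            return false;
        }

        return true;
    }

    // Small self-check with constructed URLs; run it to see each verdict and reason.
    public static void Main()
    {
        ClientConsented = true; // pretend the player clicked "continue"
        string[] samples =
        {
            "https://www.youtube.com/watch?v=abc",   // allowed
            "https://example.com/page",              // allowed
            "http://example.com/page",               // rejected: not https
            "https://example.com.lookalike.test/",   // rejected: different host
            "https://lookalike.test/example.com",    // rejected: host is not in the list
            "not a url",                             // rejected: unparsable
        };

        foreach ( var s in samples )
        {
            var ok = IsAllowed( s, out var why );
            Console.WriteLine( $"{(ok ? "ALLOW" : "BLOCK"),-5} {s} {(ok ? "" : "(" + why + ")")}" );
        }
    }
}
```

The check is deliberately an exact host match after parsing: the second and third rejected samples are the "similar URL" case, and they fail because the parsed host differs, not because of any string heuristic. It does nothing about the separate point that an allowed host can serve different content each visit; an allowlist only bounds which origins a game can open.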

handsomematt commented 1 year ago

Very confused why games having your IP would be a bad thing, how do you think you would connect to and communicate with a server... ?

Don't really get the porn stuff either, you could easily have a pornographic texture in your game? ( In both cases your game would get reported and disabled on asset.party too )

Are there any actual reasons

cashmen123 commented 1 year ago

Very confused why games having your IP would be a bad thing, how do you think you would connect to and communicate with a server... ?

Is this not a huge reason for using Steam Datagram Relay? To connect to servers via Steam IDs and hide the true IP of both the server and client? I would think FP would want to avoid easy ways to leak client/server IP addresses like simple IP grabbers through a web panel. Sure, a lot of games are probably gonna fuck it up and have clients directly connecting to backend infrastructure, but making it super easy to just pop a web panel of a funny picture or something while also grabbing their IP seems like a very easy thing to avoid via a whitelist.

Don't really get the porn stuff either, you could easily have a pornographic texture in your game?

"You can force porn on players a different way so why would we stop this way" is a pretty bad response lmao. If someone has a pornographic texture in their game it's likely already stored on asset.party and can be removed by FP if it's egregious, but if we're allowing web panels to arbitrary URLs there's not much in the way of controlling that.

Are there any actual reasons

Yeah, the entire point about fake login pages I made that you didn't respond to. That's probably the biggest security issue I see here. You can pop a web panel, the user doesn't see what URL they're connecting to, and now in front of them is a site that looks exactly like, for example, Google's login page. Should players be randomly putting in their login credentials when they're playing sandbox? Of course not. But given the many young players in the community it's a problem that is absolutely bound to cause issues in the future, and one that is very easily avoided by a whitelist.

peter-r-g commented 1 year ago

Very confused why games having your IP would be a bad thing, how do you think you would connect to and communicate with a server... ?

Wasn't one of the many reasons to use Steamworks networking to avoid exposing IP addresses? And yes obviously communication is done through them. That doesn't mean said connection has any meaningful reason to exist. Someone can do a quick call home and that's it. That has no impact on a game's functionality. It only exists to grab an IP as we said.

Don't really get the porn stuff either, you could easily have a pornographic texture in your game?

I only mentioned pornographic material in the context of displaying that content to minors. As the system exists right now that content can be displayed to them without any kind of consent. This is quite a big problem in my opinion, and I would hope in many others' too. Surely we shouldn't be having the stance of "Eh, who cares" when it comes to something that is very much preventable. When it comes to in-game methods of displaying pornographic material that's more complicated and would have to be done through the report system.

Are there any actual reasons

There is also @cashmen123's response which you missed in regard to fake login pages. I'm sure there are more reasons to implement this system but none come to mind right now. Although in my opinion, I think these reasons would be enough to start thinking about a possible solution.

JustPlayerDE commented 1 year ago

A whitelist the user has to accept stuff into would be useless.

Like with cookie popups, everyone would just accept everything without thinking about it more than "where can I click to make it close".

And if Facepunch has to moderate the whitelist it would take ages to get your stuff whitelisted at some point.

Not to mention that it is easier to IP grab and steal your data with a browser, because you don't have to make a S&box game that would only be able to target S&box users and you don't have to know Razor or C# to make a web panel in a game 👀 (instead the target only has to click a link you can send which opens in the default browser on his system).

If a game does bad stuff it simply gets removed and the author banned; maybe put the URL, if there is any, in a global blacklist for some time like GMod is doing it with bad servers already.

But a whitelist would take either too much time to manage (and makes it unusable) or would be useless as everyone always clicks accept no matter what.

chrisspieler commented 1 year ago

It seems to me that S&box games are more like Unity games than Gmod game modes. If you download a game from Itch.io, it's safe to assume that the dev can get your IP address - they might be talking to their own services for online profiles or telemetry or whatever. It's perfectly normal to trust a game dev in this way.

WujekFoliarz commented 1 year ago

Literally every game/website is an IP grabber

cashmen123 commented 1 year ago

It seems to me that S&box games are more like Unity games than Gmod game modes. If you download a game from Itch.io, it's safe to assume that the dev can get your IP address - they might be talking to their own services for online profiles or telemetry or whatever. It's perfectly normal to trust a game dev in this way.

You should not be trusting everything you download off of itch either. But A. without standalone games being split out you still have to go through S&box's menus to open a game, so I would expect a level of security already available when doing so, and B. if we have the ability to protect users with a pretty low effort security mechanism that tons of other software already employs, why wouldn't we?

Literally every game/website is an IP grabber

I can't tell if you're trolling. Sure, you visit a website and it has your IP, but you're not visiting https://iwillscamyou.com, you're visiting established sites in your day-to-day. As for "every game" I have no idea where you're pulling that out of your ass lol. Even in sandbox right now they use Steam Datagram Relay, which hides your IP UNLESS the server leaks it via web surfaces or websockets.

I also don't get why everyone is incredibly stuck on the IP grabbing argument as if it's the only problem here. The potential for phishing scams is extremely high through web surfaces, and incredibly easy to conduct. Even if there are "other ways" to do it, patching this method in an incredibly easy way is a good start.

matekdev commented 1 year ago

If an addon can convince half the s&box user base that Garry is in their game talking to them, then there should be a concern for scamming web panels.

f37ch commented 1 year ago

Adding a whitelist can limit developer possibilities. In my case I have a media player addon that supports direct links. Players can host their media stuff on their own VDS or use some non-popular file hosting. How am I supposed to add every one of them to the whitelist? Devs/server owners can have access to your IP without WebSurface, but that doesn't mean it's a bad thing. That's how this game works.

If a dev is adding porn links to a game or an addon, or breaking any other rules, you can report it on asset.party; that's how it should work. Otherwise I guess it's players on your server you can ban.

Phyremaster commented 1 year ago

Potential vulnerabilities:

Conclusion: The only possible vulnerability is RCE, which would be an issue with the browser implementation and should be addressed as such. Seriously, would you ship a web browser with a whitelist just in case there's an RCE vulnerability in the browser?

sanny-io commented 1 year ago

But like how has nobody mentioned the fact that the contents of URLs are determined at runtime 💀

A whitelist would be pointless because you never know what is going to pop up on your screen until something pops up on your screen...There's no guarantee that by visiting the same URL you are going to receive the same content as you did last time.

oniongithub commented 1 year ago

Any Garry's Mod server you've ever joined has your IP logged in their server.db, and any website you've ever visited most likely has a log of both your browser fingerprint and IP. Your IP is not important or special, and the most someone can do with it is DDoS you until you become smart enough to unplug your modem and wait 15-30 seconds before plugging it back in.

If there is a whitelist, there is no point in using web panels. If I get my domain whitelisted, then I can route any local or external web content I want through it, and if no one gets their domains whitelisted, then the only thing you can do is link to official FP domains. Phishing and IP pullers exist everywhere. If you aren't smart enough not to input your information into a random web panel on S&Box, then you deserve to get your information stolen and would've gotten it stolen sooner or later by a phishing link outside of the game.

Also, you can hardcode a pornographic image or gore and just render it clientside and display it without needing to upload a separate texture.

Also, also, https://steamcommunity.com/linkfilter/?url=https://google.com/