Frick / ttplus

Turntable Plus - a fan-made Chrome Extension!
http://turntableplus.fm

Global disable custom js/css from ttapi #30

Open alok0 opened 12 years ago

alok0 commented 12 years ago

There should be a global disable for the user-side js/css from ttapi. (Or really, more like the default state: I would rather it started off by default and I was able to turn it on each time I enter the room.)

Frick commented 12 years ago

It defaults to off for all rooms except Wooooo's room, since I wrote that to also show off some of the capabilities and so people would even notice that it's possible now. For all other rooms it would simply show the script button if scripts are available. So are you saying you wish there were an option to set it to always be off when you enter a room rather than a "remember my selection"? Perhaps three settings for room customizations: "Always On", "Always Off", or "Remember Selection"?

alok0 commented 12 years ago

Sounds good... it just freaks me out from a security standpoint, because technically it gives the room owner full access to your account.

Frick commented 12 years ago

Correct, to a minor extent. I thought about safety quite a bit, which is why it will follow more of an app store approach as opposed to "I just made this, you're on your own". The database of scripts and the script hosting is all on my end so that I may look through all room code to ensure nothing malicious is within. Of course there's the possibility of something slipping through, but I'll also try to ensure I never do that by not ever outright trusting or making any assumptions about the code... if I can't read it because it's that poorly written or trying to obfuscate something, it's not going into my DB or onto the CDN. That also means the room owner cannot just switch the code at any point; it'll have to go through me each time. And from the server side of things, I'll also keep track of user tokens so that bots may authenticate that the user connecting to the bot is, indeed, in the room and that they are who they say they are. On the flip side, the bot can't tell the client to send it anything sensitive or to execute anything malicious if I've vetted the client-side code. Trust me, no evals allowed. :-)