TurboWarp / scratch-vm

Scratch VM with a JIT compiler and more features
https://turbowarp.org/
Mozilla Public License 2.0

Cloud #2

Open griffpatch opened 4 years ago

griffpatch commented 4 years ago

A question. Will using cloud allow users to bypass the usual restrictions on editing a project while still updating cloud variables? It feels like this has the potential to make it too easy for users to hack and break our cloud high scores, etc? Or does it work a different way? With great power comes great responsibility!

ghost commented 4 years ago

Cloud variables are permanently disabled (until reload) when the editor is opened, like Scratch.

The biggest problem with cloud variables in TurboWarp right now is that it's really easy to impersonate other users by just setting your username to something like "griffpatch". I'm not entirely sure how to solve that.

griffpatch commented 4 years ago

Yes, I was wondering about being able to open an iframe to Scratch and check the current login or something like that... But I'm not even sure that would be possible with the way security is now implemented in browsers.

On Sat, 1 Aug 2020, 17:50 Thomas Weber, notifications@github.com wrote:

> Cloud variables are permanently disabled (until reload) when the editor is opened, like Scratch.
>
> The biggest problem with cloud variables in TurboWarp right now is that it's really easy to impersonate other users by just setting your username to something like "griffpatch". I'm not entirely sure how to solve that.

ghost commented 3 years ago

That would be XSS. We would need to contact the developers because of CORS. We could use a proxy to add the header though. I would much rather do it on the client. If we wanted to do that in the client we could make a Chrome/Firefox extension but in the manifest.json add `"permissions": ["<all_urls>"]`.

GarboMuffin commented 3 years ago

Using a client-side only browser extension to verify ownership of a Scratch account is completely overkill and can be easily worked around. I also think that Scratch projects being allowed to include links to https://turbowarp.org/ in their description is very important, but telling users to install a browser extension, especially one that would be able to Access your data for scratch.mit.edu, would make links to the website violate Scratch's policies regarding browser extensions.

I also don't believe that impersonation is a serious issue right now. If it ever becomes an issue, some solution will have to be found that doesn't violate Scratch's policies.

ghost commented 3 years ago

Yes, I agree it would be overkill and could be bypassed easily. The ideal solution would be to be able to have an OAuth2 implementation on Scratch.

jeffalo commented 3 years ago

About the impersonation issues, something like https://github.com/hamptonmoore/FluffyScratch#auth would be neat, if not a little overkill.

ghost commented 3 years ago

What about Turbowarp accounts?

hello-smile6 commented 2 years ago

Why not just let users request that they can somehow require verification for them to use turbowarp cloud vars for their account?

n-d-v commented 1 year ago

> What about Turbowarp accounts?

But that would require way too much setup just for a potential problem that is very unlikely to be significant on a community-driven project.

mybearworld commented 7 months ago

ScratchAuth could potentially be used for this