Open JackTheFoxOtter opened 1 month ago
If you believe there is a security risk with a feature, we request you submit it through the proper channel https://support.resonite.com/ @JackTheFoxOtter.
Details about the process for reporting security issues can be found on our security policy: https://resonite.com/policies/Security.html
This isn't really an exploit or anything immediate, just an improvement to the host access permissions. I don't think this needs to be treated in secrecy.
Is your feature request related to a problem? Please describe.
I've made a facet that connects via OSC to a backend script on my local machine. I've allowed OSC for localhost and the designated port numbers. Right now, regardless of whether I use the facet in a world or in userspace, it successfully connects to the backend script. This can be a bit of a security issue, making it somewhat trivial (if the port number is known) for other users to indirectly send / receive messages to / from the backend script through my client.
Describe the solution you'd like
I would like the ability to specify that a certain host access entry is only allowed in userspace (or a world started as unsafe), which would mitigate this security concern. I don't expect anyone to maliciously abuse this as I generally trust the community, but I think having this as an option would be a good idea. The userspace is already considered a "trusted" environment by other systems, expanding this to the host access permissions seems logical to me.
Describe alternatives you've considered
Further obscuring the connection / port or adding authentication to the communication, but that would make implementations more complex, and not be a good fit for OSC.
Additional Context
No response
Requesters
Myself
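A small model of the scoped host access entry requested above, added here as an illustration; it is not part of the original issue and not Resonite's code or API. Every name in it (`Context`, `Scope`, `HostAccessEntry`, `is_allowed`) and the port numbers are assumptions made for the example.

```python
# Hypothetical model of scoped host-access entries; not Resonite's implementation.
from dataclasses import dataclass
from enum import Enum


class Context(Enum):
    USERSPACE = "userspace"        # the user's own trusted overlay
    UNSAFE_WORLD = "unsafe_world"  # a world the user started as unsafe
    WORLD = "world"                # any other world; content may come from other users


class Scope(Enum):
    ANYWHERE = "anywhere"          # behaviour the issue describes today
    TRUSTED_ONLY = "trusted_only"  # the requested option


TRUSTED = {Context.USERSPACE, Context.UNSAFE_WORLD}


@dataclass(frozen=True)
class HostAccessEntry:
    host: str
    ports: range
    protocol: str
    scope: Scope = Scope.ANYWHERE


def is_allowed(entries, host, port, protocol, context):
    """Default deny: some entry must match host, port, protocol and scope."""
    for e in entries:
        if e.protocol != protocol or port not in e.ports:
            continue
        if e.host.strip().lower() != host.strip().lower():
            continue
        # A TRUSTED_ONLY entry never authorises a connection made from an
        # ordinary world, so world content cannot reuse the user's allowance.
        if e.scope is Scope.ANYWHERE or context in TRUSTED:
            return True
    return False


# Constructed sample entries: OSC to a local backend on ports 9000-9001.
LEGACY = [HostAccessEntry("localhost", range(9000, 9002), "osc")]
SCOPED = [HostAccessEntry("localhost", range(9000, 9002), "osc", Scope.TRUSTED_ONLY)]
```

With the `LEGACY` entry a connection attempt from an ordinary world is allowed, which is the situation the issue describes; with `SCOPED` the same attempt is denied while userspace keeps working.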