Open sflanker opened 2 years ago
kjhollen
commented
2 years ago Hi @sflanker thanks for the suggestion. We have a very small team—just a single developer—so please be respectful and patient with us as we work through possible solutions. What seemed most obvious to us last week was pulling the feature that was causing harm. At this time, we are not sure when or if we plan to restore the bannerless previews. Thanks for your understanding.
sflanker
commented
2 years ago Right, sorry I was hasty. It was a knee jerk reaction to what I think was originally a knee jerk reaction (taking down preview.p5js.org). My disappointment was compounded by the recent introduction of the cookie accept banner (which, I get it, isn't your fault, it's the EU's fault).
To be clear, I don't think you/we/the community should restore the banner-less behavior of preview.p5js.org, because I guess that can be used to make a p5.js sketch that looks like another *.p5js.org page such that a naive user might attempt to login to p5js.org via some faked UI and thus expose their credentials to a malicious sketch, and I completely understand that you don't have the bandwidth to police every sketch on the site. What I'm proposing is that sketches embedded via the preview.p5js.org have a minimal but clear banner identifying the website/sketch/author, but not require any cookies whatsoever to obviate the insidious accept cookies banner. I understand that while this solution may seem obvious to me, it will take time and effort to implement, test, and release. So I understand that the knee jerk reaction might have been necessary in the short term.
Having run into these types of antivirus blocks before on sites I manage, I do think that sometimes they are overly hasty to block a domain because a few users got confused and misreported things, against which legitimate site operators have little defense except to wade the the tiresome bureaucracy of these big "security" vendors. However, it sounds like in this case there may of been some legitimate abuse.
Another approach that might help would be to subdomain every sketch's preview URL: sketch-id.preview.p5js.org thus allowing security software to be more specific when flagging a malicious page. However I'm not sure how effective that would be, or how feasible in the context of your infrastructure.
If I find myself with some free time I would happily try to contribute some effort to solving this problem, but until that happens I will be patient.
Thank you for your efforts on p5js.org
catarak
commented
2 years ago Thanks for the suggestions, @sflanker. I see that seemed like a knee-jerk reaction to take down preview.p5js.org, but I had been inundated with phishing reports for the past few weeks, and on Friday had received an especially large number. I wanted to come up with a quick fix to stop the issue, and then figure out a long-term solution.
catarak
commented
2 years ago The cookie popup has been removed from the embed/full view. I'm going to leave this issue open to discuss options for bringing back the Present view that prevents phishing.
catarak
commented
2 years ago Some of the reasons for needing a Present view (fullscreen sketch without a header):
Perhaps there's a way to create a temporary url, or a password-protected url that supports these uses?
Seriously, I don't understand why the solution these issues:
isn't obvious!
Just look at what OpenProcessing does:
Voila you can host user content in such a way that it will always be obvious to the person viewing the page that the content they are seeing is a p5js.org sketch, and not some other website (or page on your website), thus no legitimate phishing concerns.
Importantly, do not require cookies for this page to load (as is currently required for editor.p5js.org). The absolutely ridiculous banner that is mandated by the equally ridiculous EU parliament is horribly obnoxious and makes iframes that use editor.p5js.org URLs totally unusable.