Suggestion: Moddable Blocks

[AmazingMech2418]

Expected Behavior

If the suggestion was accepted, you would be able to edit the JS code behind specific blocks by shift clicking the r in the Scratch logo and opening a mod panel in the GUI where you can click a button that says "select block" and change any block to a certain mod code that you also define in the panel. It will also alert users before the project loads that there are modded blocks. It would also block any ajax requests and all location (both site location and user location) from the mods. It would allow for experimental extensions in the panel. This would allow for more customizations of certain blocks. Also, when you duplicate a block, it will keep the mod code. When a mod is added, it will also change the name to the original name with a "-" and the name of the mod. A mod can either be added, or you can replace the original code behind the block with the mod.

Actual Behavior

Nothing.

Steps to Reproduce

It always happens.

Operating System and Browser

Not needed since this is just a suggestion.

[tomrow]

I think this may be acceptable in certain situations but sharing these projects may be a bad idea as JavaScript has the potential to create malware. I think Scratch's modification policy should apply here.

[AmazingMech2418]

@tomrow It would block ajax and location, so malware couldn't be produced.

[tomrow]

AJAX isn't the only way to make a virus, people would just get around the censors

[hedgehog125]

Isn't this similar to: https://github.com/LLK/scratch-gui/issues/1124 ?

[tomrow]

I personally think experimental third-party extensions should b treated with the same stance as Scratch modifications in circumstances such as sharing. There's too much of a risk that, with such a large programming language such as JavaScript, that there will be no way for a sandbox to block all methods of malicious payload or infection that can be embedded into web pages. Yes it is simmilar to issue #1124, but is more similar to the block modification posible in BYOB (precursor to Berkeley Snap!).

[AmazingMech2418]

@tomrow The only problem is that some developers can't make copies of the Scratch repo. Extensions can possibly be blocked from certain features such as window.open(), ajax, and all forms of location (geolocation and URL location). Those would stop all possibilities of malware in JavaScript. Also, creating elements would be blocked so automatic downloads would be stopped.

[kyleplo]

Maybe as an offline-editor-only feature, and projects with them could not be shared to the Scratch website?

[AmazingMech2418]

@kyleplo Why? All possible malware with JavaScript would be blocked.

[SheepTester]

You'd also have to block any DOM access (if one were to head in this direction); one could add a script element or an iframe that could access everything else. Scammers could use window.alert to create a dialog claiming the user's computer has been hacked, and include a phone number/web address leading to a tech support scam (or print the message to the stage). You can't block all possible malware with JavaScript.

Blocking ajax would severely limit the capabilities of extensions; it would also break built-in extensions such as the speech extension.

[radioblahaj]

This Would Be A Rly good idea. @amazinigmech2418

[AmazingMech2418]

@SheepTester It wouldn't block it for built-in extensions but will in experimental extensions.

[kyleplo]

@amazinigmech2418 @SheepTester It's impossible to block all malware and it's hard to control which scripts the blocker blocks. Also I highly doubt the Scratch Team would ever approve this. Don't ask me why.

[tomrow]

Modding blocks is fine, its sharing these blocks i'm worried about.

[SheepTester]

@tomrow According to the Preview FAQ, extensions that are shared would have to be approved by the ST:

How can I create an extension for Scratch 3.0? The Scratch Team will be publishing an extensions specification and guidelines later in 2018. Once available you will be able to submit extensions to the Scratch Team for consideration in the Scratch 3.0 extensions library.

Additionally, almost all of the built in blocks can be recreated with extensions (I believe), so if you want to mod a block, you can take the block's code and put it in an extension's block and modify it from there.

[AmazingMech2418]

@kyleplo You can share experimental extensions for Scratch 2. If you try to make an extension for geographical location, it will break the project. Ajax is allowed with it, but they could also block it. Once, I tried to make an extension for a game like Pokemon Go where it uses geographical location and it redirected to a 404 page.

[AmazingMech2418]

@SheepTester The problem is that you can't test an extension to see if it works if you can't test it in the editor originally. You would have to upload every extension into the project to be able to add it. There would also be a mod notification as a warning for users.

[tomrow]

Approval is a good idea, I think they've got it sorted

[AmazingMech2418]

@tomrow The thing is you can't test your extension to see if it works until it is approved.

[tomrow]

I was talking about sharing projects with unapproved extensions.

[SuperS0n1k]

But, won’t modded block projects crash scratch?