Sivakatirswami,

I think there are two separate issues here...and perhaps they are a bit confusing. A standalone player (like Macromedia and SuperCard have) versus a web-enabled (auto boot as you call it) player. In the case of the standalone player, an individual has to take action in order to playback a stack -- be it download it, or request a download (like your product does). In this case, it is more difficult and less likely for an ill-behaving stack to be deployed.

In the case of a web-enabled application with the *goal of being a ubiquitous player/web plugin for stacks* (much like the Shockwave plugin or JAVA runtime), the case is much different, for several reasons. Consider:

1) It would be the intent of such a player to be deployed to as many users who would use it. It is not necessary they be programmers, or even users of MC/RR at all. In fact, in most cases, just the opposite may be true.

2) If a *single* exploit was to occur, and it was serious (such as erasing significant files), then it may be presumed the major response would be to delete the offending player. This would be a publicity nightmare for both MC and RR. Remember, an exploit can occur by just viewing a web page -- no other action is necessary. The offending stack would automatically download and execute without the user ever knowing.

3) To prevent such an occurrence, the player must allow downloadable stacks to either:

a) play only in the 'sandbox' (the initial JAVA approach) which means no (or as Richard suggests: limited) file access whatsoever or;

b) be certified as 'safe' by a reputable 3rd party (the Microsoft approach).

My thinking on the subject is that a 3rd party could build a player and infrastructure for registering (certifying) stacks. Then the player would check in with the 3rd party to verify the signature of the certification. At the minimum, all unsigned stacks would be pre-empted by a warning notice such as:

"This program is unsigned and could possibly damage your computer!"

I'm sure there are other better plans. In any case, I think it is not a trivial matter, and all of us should be careful when releasing 'web enabled' stacks and the applications which run automatically when downloading them.

best,

Chipp

> If my SC project wanted to read and write file and
> "do stuff" with that player, nothing was there to stop it. Is it just
> the auto boot from a web page we are concerned about?
>
> Sivakatirswami
>
> _______________________________________________
> metacard mailing list
> [EMAIL PROTECTED]
> http://lists.runrev.com/mailman/listinfo/metacard