Windows v6 beta test

fowlplay4 · #1 10-03-2010, 08:59 PM

Quote:

Originally Posted by Stephen

I cannot agree. Tricking a user and forcing a user into visiting a shock site (or other illicit material) have the same result - the user is exposed to undesirable content. The only way to prevent that entirely is through strict administrative procedure. We can all agree that the users hold no responsibility if they are exposed to undesirable content via game client... that in itself is a strong argument against a openURL prompt. Perhaps Graal Online needs a better system report and respond to abuse?

In the mean time it may be a good idea to filter openURL requests from the client.

It had a prompt in the V5 Client now it doesn't, you know what works good for a openurl filter, a "do you want to open 'URL' prompt" that's all that has to be done and we don't need to get admins involved with URL approval like we do on these forums.

Stephen · #2 10-03-2010, 09:13 PM

Quote:

Originally Posted by fowlplay4

we don't need to get admins involved with URL approval like we do on these forums.

Quote:

Originally Posted by Stephen

In the mean time it may be a good idea to filter openURL requests from the client.

You are mistaken.

fowlplay4 · #3 10-03-2010, 09:29 PM

Quote:

Originally Posted by Stephen

You are mistaken.

Okay whatever point you're trying to make, I don't really care.

In it's current state OpenURL can be abused and V5 prevented this with an "Open 'http://example.org' OK Cancel" this is obviously something Stefan had to cut out from his builds due to the External Windows / Scripted Version of certain systems (Options, etc) and other refactoring. It needs to be re-added that's it.

LoneAngelIbesu · #4 10-09-2010, 07:10 AM

Quote:

Originally Posted by fowlplay4

In it's current state OpenURL can be abused and V5 prevented this with an "Open 'http://example.org' OK Cancel" this is obviously something Stefan had to cut out from his builds due to the External Windows / Scripted Version of certain systems (Options, etc) and other refactoring. It needs to be re-added that's it.

If there's a problem with implementing it, I don't think Stefan should waste his time. Even if you _can_ abuse openurl(), you need access to the server. So, it's inherently going to be abused in very isolated incidents, especially given that most of the servers played are Classic playerworlds, and those servers tend to have somewhat decent response times to major staff abuses.

Similarly, how often to users try and trick people to visiting shock sites? I haven't experienced much, and I would say Valikorlia would be more prone to that. If there's really difficulty in implement it, I still don't think the problem is that prevalent. And I don't see how a prompt would 'save' somebody from being tricked, anyways.

DustyPorViva · #5 10-09-2010, 07:14 AM

Quote:

Originally Posted by LoneAngelIbesu

If there's a problem with implementing it, I don't think Stefan should waste his time. Even if you _can_ abuse openurl(), you need access to the server. So, it's inherently going to be abused in very isolated incidents, especially given that most of the servers played are Classic playerworlds, and those servers tend to have somewhat decent response times to major staff abuses.

Similarly, how often to users try and trick people to visiting shock sites? I haven't experienced much, and I would say Valikorlia would be more prone to that. If there's really difficulty in implement it, I still don't think the problem is that prevalent. And I don't see how a prompt would 'save' somebody from being tricked, anyways.

That's not a very good reason to downplay security.

LoneAngelIbesu · #6 10-09-2010, 06:16 PM

Quote:

Originally Posted by DustyPorViva

That's not a very good reason to downplay security.

The point I was getting at is that the security concern is exaggerated.

Quote:

Originally Posted by Stefan

Hmmm at least it could prevent accidently opening the same url several times I guess.

That's pretty much the only reason I see for reintroducing the confirmation window. There are still people out there who click 8 billion times.

Quote:

Originally Posted by Jiroxys7

Anyone who gets such notices like I do could take down the URL name, then make an NPC that opens the page for players or make a staff command for themselves that finds a specific player they dont like, then opens that page.

A point I've already discussed and dismissed. Not to mention that a confirmation window is not any kind of actual protection. It does not prevent somebody from clicking 'OK.' It does not tell them that the URL they're going to (especially if it's from tinyurl or bit.ly) is a shock site or is malicious, or whatever.

Jiroxys7 · #7 10-09-2010, 06:27 PM

Quote:

Originally Posted by LoneAngelIbesu

A point I've already discussed and dismissed. Not to mention that a confirmation window is not any kind of actual protection. It does not prevent somebody from clicking 'OK.' It does not tell them that the URL they're going to (especially if it's from tinyurl or bit.ly) is a shock site or is malicious, or whatever.

It does, however, allow the user to use their own judgement. I'm sure i wouldnt click OK on a window that says it's directing me to a URL with a completely different name than what's relating to what I'm doing (like "securetaxforms.com" or something.)

If youre implying that people wont read at least the www.<blah>.com..well, I must be one of the few that do. plus, if someone made such a system, i'd find it very fishy if a "do you want to open URL" window popped up for no reason.

Hell, if you even google "malicious website list" you'll find that the URLs on the lists look fishy. go ahead and do it. then tell me if youd honestly still click "OK" if one of those came up in a confirmation box.