So, continuing from the Friday conversation, and from @thoys reminding us that this can be abused, I will push this up for more visibility.
This issue has been around for quite a while, but let's discuss it so that it doesn't get forgotten again. It would be preferable that this is addressed before we bring more attention to ourselves through platforms such as Steam.
To those uninitiated, the issue stems from the MyAvatar object. Any entity with a script on it can manipulate it, without any interaction required with the entity. Additionally, we have no way of identifying who made the entity or added the script to the entity.
This means anyone could technically make a mass orbiter without anyone being able to identify who caused it in the first place. This is basically a griefer's paradise. Sure, it has been discussed earlier that the intention is for domain owners to control who places what, but completely making it impossible for anyone to rez anything, even temporarily, should not be plausible.
So let's make some suggestions on this thread on how to curtail this, without going beyond what could be possible:
### Here is my suggestion:
There should be two tiers of scripts:
- Authored Scripts / Trusted Scripts: Able to modify MyAvatar properties. Works like it does now.
- Passive Scripts: Scripts which the user has loaded, but not necessarily interacted with. They can access most MyAvatar properties, but cannot modify any of them.
Let's expand on this.
Authored scripts are scripts that are loaded from domain-trusted sources. By default, the atp source and the HiFi market (released scripts) are trusted. Meanwhile, a custom domain/path is added at the domain owner's discretion.
This could just be an unmodifiable boolean value that the domain determines when it gives out the entity tree to the clients, depending on whether the scriptUrl matches a whitelist of the domain.
If this boolean value is true, any script running on that entity can automatically have access to the MyAvatar object.
They can also use Script.load liberally.
Trusted scripts would be scripts the user has interacted with: specifically grabbed or clicked on, but through no other means. When a user interacts with something, it should be enough of a “permission” for the object to have access to modify some of the user's info, such as rotation, velocity and position. However, as soon as the object is unequipped or the click is released, it should no longer have access to modifying the MyAvatar settings.
These, however, should not have Script.load access without first asking the user to do so.
Passive scripts are scripts that aren't trusted or authored by the domain. They work pretty much as they do now; however, they shouldn't be able to modify the MyAvatar object.
That's my 2 cents.
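The three tiers described in the post, sketched as a permission gate in plain JavaScript. This is an added illustration, not High Fidelity's code: every name in it (AvatarGate, isAuthored, tierOf, loadPolicy, demo) is hypothetical, the domain whitelist, script URLs and entity IDs are constructed sample data, and the set of properties an interaction-scoped script may write (position, rotation, velocity) is an assumption taken from the examples in the post.

```javascript
// Added example (not High Fidelity code): a model of the three-tier script
// permission scheme from the post. All names are hypothetical; the whitelist,
// script URLs and entity IDs are constructed sample data.

// Domain-side whitelist of trusted script sources. The post names the atp
// source and released market scripts by default; the market URL here is made up.
const DOMAIN_WHITELIST = ["atp:/", "https://market.example/released/"];

// The "authored" flag is decided by the domain (from scriptUrl) when it hands
// out the entity tree, so a script on the client cannot flip it for itself.
function isAuthored(scriptUrl, whitelist = DOMAIN_WHITELIST) {
  return whitelist.some((prefix) => scriptUrl.startsWith(prefix));
}

// Properties an interaction-scoped ("trusted") script may write while the
// grab or click is held. The exact set is an assumption.
const INTERACTION_WRITABLE = new Set(["position", "rotation", "velocity"]);

class AvatarGate {
  constructor(avatar) {
    this.avatar = avatar;          // stand-in for MyAvatar state (constructed)
    this.activeGrants = new Map(); // entityID -> "grab" | "click"
    this.denied = [];              // audit log of refused writes, by entity
  }

  // A grant exists only while the user holds the grab or click on that entity.
  beginInteraction(entityID, kind) { this.activeGrants.set(entityID, kind); }
  endInteraction(entityID) { this.activeGrants.delete(entityID); }

  // Tier of a script, re-evaluated at the moment of each access.
  tierOf(script) {
    if (isAuthored(script.url)) return "authored";
    if (this.activeGrants.has(script.entityID)) return "trusted";
    return "passive";
  }

  // Every tier may read avatar properties.
  read(script, prop) { return this.avatar[prop]; }

  // Writes are allowed for authored scripts, and for trusted scripts on the
  // interaction-scoped properties only. Everything else is refused and logged
  // with the originating entity, so the domain can tell which entity did it.
  write(script, prop, value) {
    const tier = this.tierOf(script);
    const allowed =
      tier === "authored" ||
      (tier === "trusted" && INTERACTION_WRITABLE.has(prop));
    if (allowed) {
      this.avatar[prop] = value;
      return true;
    }
    this.denied.push({ entityID: script.entityID, url: script.url, prop, tier });
    return false;
  }

  // Script.load policy: authored scripts load freely, trusted ones must ask
  // the user first, passive ones get nothing.
  loadPolicy(script) {
    const tier = this.tierOf(script);
    return tier === "authored" ? "allow" : tier === "trusted" ? "prompt" : "deny";
  }
}

// Walk-through: one script per tier acting on the same avatar.
function demo() {
  const gate = new AvatarGate({ position: { x: 0, y: 0, z: 0 }, velocity: { x: 0, y: 0, z: 0 } });
  const authored = { entityID: "ent-1", url: "atp:/scripts/teleporter.js" };
  const grabbed  = { entityID: "ent-2", url: "https://untrusted.example/sword.js" };
  const passive  = { entityID: "ent-3", url: "https://untrusted.example/orbiter.js" };

  const results = {};
  results.authoredWrite = gate.write(authored, "position", { x: 1, y: 2, z: 3 });
  results.passiveWrite  = gate.write(passive, "velocity", { x: 0, y: 99, z: 0 }); // refused
  results.passiveRead   = gate.read(passive, "position").x;                      // reads still work

  gate.beginInteraction("ent-2", "grab");                       // user grabs the sword
  results.trustedWriteHeld  = gate.write(grabbed, "velocity", { x: 0, y: 5, z: 0 });
  results.trustedWriteOther = gate.write(grabbed, "displayName", "x");         // outside the scoped set
  results.loadPolicies = [gate.loadPolicy(authored), gate.loadPolicy(grabbed), gate.loadPolicy(passive)];
  gate.endInteraction("ent-2");                                 // grab released: grant gone
  results.trustedWriteReleased = gate.write(grabbed, "velocity", { x: 0, y: 5, z: 0 });

  results.deniedEntities = gate.denied.map((d) => d.entityID);
  return results;
}
```

The point of `tierOf` being evaluated on every access rather than cached is the "as soon as the object is unequipped" requirement: a script that was trusted a moment ago loses write access the instant the grant is removed. The `denied` log is what gives the domain the attribution the post says is missing today, since each refused write carries the entity that attempted it.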