Java-Gaming.org    
  New feature: applets?  (Read 5860 times)
Online Riven
« League of Dukes »

JGO Overlord


Medals: 605
Projects: 4
Exp: 16 years


Hand over your head.


« Posted 2010-12-20 21:05:19 »

I've been giving this some thought, and I really can't imagine a safe way to embed applets in JGO.

The problem is that applets are allowed to connect to their 'codebase'. This rules out hosting jar files and class files on JGO, because the applet can make HTTP requests to the SMF forum, having the same privileges as the member that is viewing the forum: if somebody were to open a hostile applet, it would potentially modify that member's posts on the forum. Even worse, if I were to open such an applet, it could take over the entire forum in a matter of seconds.

You could suggest we would remove the upload feature (attachments / avatars) so that people wouldn't be able to upload their jars/classes/applets there, and hence wouldn't be able to use JGO as a codebase. We would really have to disable *all* attachments, because uploading a *.jar as a *.txt would still enable the JVM to load it as an applet.

The alternative would be to make some kind of an AppletViewer, like included with the JDK: loading the applet in an external process, in its own Frame, with a SecurityManager that basically allows nothing at all, as the codebase would be the local machine.

I might be missing something, so if you think there is a reasonably simple solution to this problem, please share!

Offline kappa
« League of Dukes »

JGO Kernel


Medals: 70
Projects: 15


★★★★★


« Reply #1 - Posted 2010-12-20 21:11:49 »

Personally, I'd rather not have embedded applets on the forum. Better to keep them in a different location or site.
Offline DzzD
« Reply #2 - Posted 2010-12-20 21:17:56 »

Maybe an IFRAME (pointing to the host applet domain) will do the job better: no security problem and more possibilities. Also, applets still suck when they start; probably they should only start when the user clicks on a preview image.

Offline bobjob

JGO Knight


Medals: 10
Projects: 6


David Aaron Muhar


« Reply #3 - Posted 2010-12-20 21:22:18 »

I like the iFrame idea, I have seen really nice implementations of applets that load once you click on an image. It comes across looking very "flashy".

Something else to consider, it may be better if people who know what they are doing use applets anyway.
So it may work nicer if applets are embedded using a custom codebase and hosted offsite.

Another solution is an Applet within an applet, similar to the LWJGL appletLoader. but that sounds like a bit of work to setup.

My Projects
Games, Webcam chat, Video screencast, PDF tools.

Javagaming.org with chat room
Offline SimonH
« Reply #4 - Posted 2010-12-20 21:23:01 »

Seems like a can of worms to me! I'm quite happy to click on a link or a screenshot that takes me to the game.

People make games and games make people
Offline DzzD
« Reply #5 - Posted 2010-12-20 21:30:43 »

Quote
Seems like a can of worms to me! I'm quite happy to click on a link or a screenshot that takes me to the game.
Like Flash video, it is more user friendly, especially when one wants to show something in a mini-applet, little game, little demo, sample...

Quote
Another solution is an Applet within an applet, similar to the LWJGL appletLoader. but that sounds like a bit of work to setup.
Not that much, it is pretty trivial; here is a sample

Online Riven
« League of Dukes »

JGO Overlord


Medals: 605
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #6 - Posted 2010-12-20 21:31:31 »

Quote
maybe with an IFRAME (pointing to the host Applet domain) will do the job better, no security problem and more possibilities
Then the applet tag would have to be hosted on that other domain... it's not like you can do <iframe src="some jar"> and expect to see an applet. Besides that, with all those browser bugs, I'm a huge opponent of hosting effectively any content inside a JGO page through an iframe. With a little bit of effort and knowledge of browser bugs, you can hijack somebody's session, or whatever.

Offline DzzD
« Reply #7 - Posted 2010-12-20 21:35:15 »

Quote
maybe with an IFRAME (pointing to the host Applet domain) will do the job better, no security problem and more possibilities
Quote
Then the applet tag would have to be hosted on that other domain... it's not like you can do <iframe src="some jar"> and expect to see an applet. Besides that, with all those browser bugs, I'm a huge opponent of hosting effectively any content inside a JGO page through an iframe. With a little bit of effort and knowledge of browser bugs, you can hijack somebody's session, or whatever.
It must not be possible? Cross-domain scripting is a well-known security hole usually well handled by browsers, no?

Offline kappa
« League of Dukes »

JGO Kernel


Medals: 70
Projects: 15


★★★★★


« Reply #8 - Posted 2010-12-20 21:35:29 »

Also, other than playable games there is no real reason to have an applet anywhere, ever Smiley

Something like a clone of the java4k site would be a better place to keep applet games.
Offline Karmington

Senior Member


Medals: 1
Projects: 1


Co-op Freak


« Reply #9 - Posted 2010-12-20 21:38:10 »

Since most people can make their own hosting, the main disadvantage there is that links eventually may well die. The same problem remains in linking to hosts via whatever tricks you guys might come up with.

Perhaps recommending people to put games into existing sites like GameJolt or JavaGameTome would be a solution, as that would also increase both the chances of gaining more exposure and longterm survival of the links, and since that sort of service is probably not the aim intended for launching directly from the forum.

Both activities, making your own hosting ( for the in-progress version ) and releasing to a 'publisher' of sorts once the game is playable, could be considered essential to the craft so makers should be encouraged to do both. Hosting builds basic understanding of html + how anybody can host their own stuff with a little work. Publishing gives you an idea of how hard it is to get more than a handful of people to play even passable games...

Online Riven
« League of Dukes »

JGO Overlord


Medals: 605
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #10 - Posted 2010-12-20 21:41:28 »

Quote
It must not be possible? Cross-domain scripting is a well-known security hole usually well handled by browsers, no?
There are specifications and implementations. The differences are bugs, of which there are many.

Offline DzzD
« Reply #11 - Posted 2010-12-20 21:53:31 »

Quote
There are specifications and implementations. The differences are bugs, of which there are many.
Maybe in that case Flash (embedded video) could not be considered secure either (I "suppose" the Flash plugin has bugs too?). Also, links to websites with signed applets should pop up a scary alert. Anyway, you are right, there are probably other ways that are a lot more secure than an IFRAME; I was just thinking it would be the most user friendly and the easiest to set up.

Offline Nate

JGO Kernel


Medals: 129
Projects: 3
Exp: 14 years


Esoteric Software


« Reply #12 - Posted 2010-12-20 22:37:52 »

Quote
Besides that, with all those browser bugs, I'm a huge opponent of hosting effectively any content inside a JGO page through an iframe. With a little bit of effort and knowledge of browser bugs, you can hijack somebody's session, or whatever.
I would argue that all forum admins are going to be using secure browsers. If some user with an older browser gets their session hijacked, the damage possible is minimal (and they deserve it Smiley).

However, many applets (even if hosted elsewhere and just linked from here) ask for full permissions and can take over your machine at that point, no matter what. If we were being paranoid about security, we wouldn't allow links to applets or JWS that ask for full permissions.

+1 for the iframe solution.

Offline erikd

JGO Ninja


Medals: 15
Projects: 4
Exp: 14 years


Maximumisness


« Reply #13 - Posted 2010-12-20 22:49:29 »

I don't think there's really a need for applets here, so I wouldn't waste time on that.
Every remotely serious developer has ways to host an applet, so links to them are just fine by me.

Online Riven
« League of Dukes »

JGO Overlord


Medals: 605
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #14 - Posted 2010-12-20 23:00:55 »

Quote
I would argue that all forum admins are going to be using secure browsers.

...

+1 for the iframe solution.

There is no such thing as a secure browser. There are zero day exploits in every browser.

Offline Nate

JGO Kernel


Medals: 129
Projects: 3
Exp: 14 years


Esoteric Software


« Reply #15 - Posted 2010-12-20 23:44:08 »

Quote
There is no such thing as a secure browser. There are zero day exploits in every browser.
The more important point is that it doesn't matter: as soon as you click "Yes" to the security warning, I own your PC if I wanted to. There is no need to get all nervous about iframes if you aren't nervous about that.

Quote
I don't think there's really a need for applets here, so I wouldn't waste time on that.
Every remotely serious developer has ways to host an applet, so links to them are just fine by me.
We could also just provide a zip file with instructions on the command line parameters needed to run it.  Roll Eyes

Online Riven
« League of Dukes »

JGO Overlord


Medals: 605
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #16 - Posted 2010-12-21 00:03:34 »

Quote
The more important point is that it doesn't matter: as soon as you click "Yes" to the security warning, I own your PC if I wanted to. There is no need to get all nervous about iframes if you aren't nervous about that.
The problem is the same with unsigned applets.

Offline Nate

JGO Kernel


Medals: 129
Projects: 3
Exp: 14 years


Esoteric Software


« Reply #17 - Posted 2010-12-21 00:14:22 »

Quote
The problem is the same with unsigned applets.
Which we do nothing about. It is normal or even expected for people to post a link to a JWS or applet that requests full permissions. Unsecure is unsecure. Might as well embed an iframe in the forum.

Offline bobjob

JGO Knight


Medals: 10
Projects: 6


David Aaron Muhar


« Reply #18 - Posted 2010-12-21 01:00:41 »

It seems that every solution has its downsides. It's just unfortunate that Flash is somewhat seamless in comparison to Java. What's more, it sux that applets don't have a parameter to prevent auto start.

If an applet loads another applet in a separate classloader, won't that prevent the client applet from getting access to resources outside of the classpath?

My Projects
Games, Webcam chat, Video screencast, PDF tools.

Javagaming.org with chat room
Offline appel

JGO Wizard


Medals: 49
Projects: 5


I always win!


« Reply #19 - Posted 2010-12-21 03:16:16 »

A solution begging for problems.

A good old url to the applet html page is sufficient.

My middle finger is still functional, which means I can easily open that link in a new tab and safely keep browsing the JGO forums Smiley

Check out the 4K competition @ www.java4k.com
Check out GAMADU (my own site) @ http://gamadu.com/
Offline DzzD
« Reply #20 - Posted 2010-12-21 10:28:53 »

Quote
A solution begging for problems.

A good old url to the applet html page is sufficient.

My middle finger is still functional, which means I can easily open that link in a new tab and safely keep browsing the JGO forums Smiley
It is all a matter of "user friendly"; your middle finger could work as well to open images, source code, video in a separate window, no?

Really, thinking about possible hacks caused by an IFRAME is strange when we link to so many signed applets & JWS that enable "key logging", phishing, ... Those are IMO a lot more dangerous in terms of security.

Offline JL235

JGO Coder


Medals: 10



« Reply #21 - Posted 2011-01-09 23:09:42 »

As far as I can tell, the only thing preventing the use of an iFrame is a 'theoretical future browser bug'. That's a silly reason to disallow this.

Online Riven
« League of Dukes »

JGO Overlord


Medals: 605
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #22 - Posted 2011-01-09 23:12:53 »

So you would visit any website on the internet?

With an iframe, you can embed any webpage on the internet... never heard of a 'drive by attack'?

Offline JL235

JGO Coder


Medals: 10



« Reply #23 - Posted 2011-01-09 23:14:53 »

I'm not suggesting letting people embed their own content within the iframe. I'm suggesting people add the parameters they need for their applet, and then JGO generates the iframe.

To me that seems the most natural solution.

Online Riven
« League of Dukes »

JGO Overlord


Medals: 605
Projects: 4
Exp: 16 years


Hand over your head.


« Reply #24 - Posted 2011-01-09 23:18:05 »

Quote
I'm not suggesting letting people embed their own content within the iframe. I'm suggesting people add the parameters they need for their applet, and then JGO generates the iframe.

To me that seems the most natural solution.

What's the point of creating an iframe for an applet.. it makes no sense to embed a subdomain, because it doesn't help much for security.

Offline JL235

JGO Coder


Medals: 10



« Reply #25 - Posted 2011-01-09 23:21:56 »

Quote
I'm not suggesting letting people embed their own content within the iframe. I'm suggesting people add the parameters they need for their applet, and then JGO generates the iframe.

To me that seems the most natural solution.

Quote
What's the point of creating an iframe for an applet...
I believe with applets you can interact with the website they are hosted within (at least you can with NetScape browsers). So a user could potentially upload an applet that grabbed the user's cookie. Placing the applet within an iFrame prevents this.

Ultimately 99% of users will just want to be able to: upload their applet and write an applet tag (which could be done via BB code to ensure it's safe).
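
The proposal in replies #23 and #25 (members supply applet parameters through a BB code, the forum generates the iframe) sketched as an added example; it is not part of the thread and not JGO or SMF code. The `[applet ...]` tag syntax, `FORUM_HOST`, `EMBED_PAGE` and `MAX_SIDE` are assumptions, and the wrapper page on the separate domain is assumed to emit the actual applet tag.

```javascript
// Added example; every name below is hypothetical, not JGO or SMF code.
const FORUM_HOST = "forum.example";                 // assumed forum domain
const EMBED_PAGE = "https://applets.example/view";  // assumed wrapper page on its own domain
const MAX_SIDE = 800;                               // assumed size limit in pixels
const ALLOWED = ["archive", "code", "width", "height"];

// Parse [applet key="value" ...] into a Map; null when malformed.
function parseAppletTag(bbcode) {
  const m = /^\[applet((?:\s+\w+="[^"\]]*")+)\s*\]$/.exec(bbcode.trim());
  if (!m) return null;
  const attrs = new Map();
  for (const [, key, value] of m[1].matchAll(/(\w+)="([^"\]]*)"/g)) {
    // Unknown or repeated keys are rejected, not silently dropped.
    if (!ALLOWED.includes(key) || attrs.has(key)) return null;
    attrs.set(key, value);
  }
  return attrs.size === ALLOWED.length ? attrs : null;
}

// The jar must be on http(s) and never on the forum's own domain or a
// subdomain of it. The file extension is deliberately not checked: as the
// first post notes, the JVM loads a jar whatever it is named.
function validArchive(value) {
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  const host = url.hostname.replace(/\.$/, ""); // "forum.example." is the same host
  if (host === FORUM_HOST || host.endsWith("." + FORUM_HOST)) return null;
  return url.href;
}

function validSide(value) {
  if (!/^\d{1,4}$/.test(value)) return null;
  const n = Number(value);
  return n >= 1 && n <= MAX_SIDE ? n : null;
}

const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Returns the iframe markup the forum would emit, or null to leave the tag as plain text.
function renderApplet(bbcode) {
  const attrs = parseAppletTag(bbcode);
  if (!attrs) return null;
  const archive = validArchive(attrs.get("archive"));
  const width = validSide(attrs.get("width"));
  const height = validSide(attrs.get("height"));
  const code = attrs.get("code");
  if (!archive || !width || !height) return null;
  if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(code)) return null;
  const query = new URLSearchParams({ archive, code, width, height });
  return `<iframe src="${escapeAttr(EMBED_PAGE + "?" + query)}" ` +
         `width="${width}" height="${height}"></iframe>`;
}
```

The member never writes markup: only four validated values reach the page, and the frame's source is always the fixed wrapper URL, so the applet's codebase and the document it can script both sit outside the forum's origin.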

Offline kappa
« League of Dukes »

JGO Kernel


Medals: 70
Projects: 15


★★★★★


« Reply #26 - Posted 2011-01-10 01:09:00 »

This issue IMO is one about scope and what we expect from JGO, do we want it to go as far as a full blown java games portal or remain as a simple java games related forum (or somewhere in between).

If just a forum then I see no reason why there is a need to have embeddable applets. External links work just fine, plus we have sites like Games4j.com and GameJolt.com which are both excellent hosts for such stuff. Also as of Java 1.6.0_10+ applets can access and change everything about the webpage they are on (MAYSCRIPT no longer does anything) and it'll just be an extra annoyance since you can do stuff like add background music to pages, open pop ups, etc.

If however the intention is to move closer towards a games portal then I'm all for having applet support and stuff like community voting on games, etc.
Offline zammbi

JGO Coder


Medals: 4



« Reply #27 - Posted 2011-01-10 01:20:51 »

I don't think the forum should host applets. Who cares if the link breaks.
I think the applets bb code (or w/e) should be restricted to the first post and only on the showcase areas.
If someone is changing the forum looks with applets then delete the post and ban the user if needed.
Add JavaScript loading of the applet for people who don't like applets starting straight away.
You could also make it so users with X+ amount of posts or appreciation can post applets.

Current project - Rename and Sort
Offline JL235

JGO Coder


Medals: 10



« Reply #28 - Posted 2011-01-10 04:19:38 »

It's much more streamlined if people can host (or at least embed) their applets here.

Quote
Also as of Java 1.6.0_10+ applets can access and change everything about the webpage they are on
Again wrapping the applet within an iframe will prevent this.

From the impression of the posts above security seems to be the main reason this won't ever be built, but I still fail to understand what these security concerns are.

Offline bobjob

JGO Knight


Medals: 10
Projects: 6


David Aaron Muhar


« Reply #29 - Posted 2011-01-10 08:36:12 »

Quote
You could also make it so users with X+ amount of posts or appreciation can post applets.

I think this is a great idea, it should filter a lot of potential problems, even as far as people not testing applets on the main OS's, because you always get Mac developed applets crashing on Windows, and vice versa. It would be nice if it's just the more experienced users contributing to a streamlined JGO.

My Projects
Games, Webcam chat, Video screencast, PDF tools.

Javagaming.org with chat room