Getting HTML5 going
ahsoftware at sonic.net
Wed Mar 25 17:23:38 EDT 2020
On 3/25/20 1:58 PM, Mark Waddingham via use-livecode wrote:
> However there are two rules which must be followed:
> 1) Downloaded code must not allow the app to access any more system
> provided APIs that it could before.
> 2) Downloaded code must not allow the app to 'morph' (as Richard put
> it) into something even slightly unrelated to what it was at the point
> of review; nor should it add significantly different features
> (particularly in terms of UI).
> In practice conforming to (1) is easy - you aren't allowed to download
> LCB extensions, loading them at runtime, which use FFI to access system
My reading of 1) is that LCB extensions that use FFI are allowed as long
as they don't expand the attack surface by introducing new system api
calls that the app doesn't already use.
But then I'm not in a position to make, review, or enforce those rules.
ahsoftware at gmail.com
More information about the use-livecode