Glad you all like it.
If you work on something for this long, you build up a bit of anxiety about the release.
Shattered wrote: ↑Sun Jan 20, 2019 6:35 pm
Well isn't this game changing, right when I'm in the middle of writing
I'm going to assume there's no backward compatibility, so I'll finish this as a flashtease then get to look at Eos later?
If there is enough demand for a converter, I may make one eventually but for now please assume that converting won't be possible.
Shattered wrote: ↑Sun Jan 20, 2019 6:35 pm
First bug report being that drag and drop doesn't seem to work in Firefox but does in Chrome, don't know if I'm missing something
Thanks for the report, I'll look into it!
kerkersklave wrote: ↑Sun Jan 20, 2019 7:50 pm
Actually, it does not only provide variables, it allows for embedded Javascript.
Have you actually written a Javascript interpreter in Javascript? Or are you using some kind of Sandboxing? (The comment that the interpreter is slow somewhere in the editor sounds like the first option).
I'm indeed using the interpreter you linked. This interpreter only supports very basic JavaScript (most of ECMAScript 5 syntax) and it doesn't provide a browser-like environment so loading JavaScript libraries usually won't work and it's not meant for that. But for some simple conditions and calculations, it's great.
MMAI wrote: ↑Sun Jan 20, 2019 9:15 pm
Please be very careful with allowing javascript - a lot of things can go badly wrong there from a privacy standpoint.
This is the main reason why it took ten years to build Eos. I rewrote it from scratch a dozen times over the years mostly because I was never happy with the security. Running untrusted code is the equivalent of trying to contain a rabid badger hulk on crack.
Using an interpreter is the safest option, but Eos actually goes much further than that.
<technical jargon="lots">
The Eos viewer runs in its own context on a different domain (eosscript.com) and communicates with Milovana using postMessage. That means that even if you can break out of the interpreter (inner sandbox), you still can't access the user's session token or any information that isn't explicitly exposed to the tease iframe (outer sandbox).
Furthermore, the Eos viewer has a Content-Security-Policy that doesn't allow inline-scripts, plugins, or loading any resources other than Milovana images and sounds. That means that even if you could otherwise break out of the inner sandbox and call "eval", the browser would reject it.
The Eos tease format is designed to be declarative, so all modules that a tease uses are defined ahead of time and the Eos outer sandbox doesn't expose any API methods associated with modules that aren't loaded. This is done in order to allow a permissioning system that's enforced by the outer sandbox. For example, suppose that we add a "webcam" module. We don't want any teases that haven't asked for the webcam permission to be able to access the webcam. With the two-layer sandbox system and declarative modules, even if somebody breaks the inner (JavaScript interpreter) sandbox, they still wouldn't be able to access the webcam because the outer sandbox would not allow it.
</technical>
I have no illusions that you can achieve perfect security. Given enough effort, anything can be hacked. But I believe that the Eos sandbox is quite strong. Just because perfect security isn't achievable doesn't mean you should never build anything. I've spent a decade making it as secure as it can be. Most other websites, even ones from large tech companies, usually use only one of the two layers of sandboxing that Eos uses. And keep in mind that the alternative right now is to download software and scripts and run them on your computer which is a lot more likely to get you hacked.
Note that some security features are only available in some browsers. If you aren't technical and you just want to know how to stay as safe as possible, use Chrome and make sure you're always on the latest version. In the future, I may add a warning to Eos if I think your browser isn't providing enough security.
kerkersklave wrote: ↑Sun Jan 20, 2019 7:50 pm
Just figured out such things already exist and you probably used one of those. Neat.
Is it possible to modify the structure of a tease using Javascript? I.e. generate new pages?
Could be great for teases that contain similar elements over and over again, like mazes.
No, that is deliberately not allowed. This has some pragmatic reasons like making the preload engine a lot easier to reason about. (In order to stream the tease assets like images and sounds without buffering, Eos needs to be able to predict which pages the user may navigate to next.)
It also further reduces the attack surface of the inner sandbox so I feel a bit more comfortable not allowing that feature for now.
If somebody has a use case for dynamically generated pages, please let me know and I'm happy to help you think through other ways to achieve the same effect.
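
An added sketch of the two boundaries described in the post above (not part of the original post and not Eos code): the outer sandbox builds its API only from the modules a tease declares, and the host page filters postMessage events by origin. All function names, the module registry, the message types and the https scheme are assumptions.

```javascript
// Hypothetical names throughout; this is an illustration, not Eos code.

// Every API method belongs to exactly one module (constructed registry).
const MODULE_API = {
  audio: { play: (id) => `playing ${id}` },
  timer: { start: (ms) => `timer ${ms}ms` },
  webcam: { capture: () => 'frame' }, // the post's hypothetical "webcam" module
};

// Outer sandbox: build the API surface from the tease's up-front declaration.
// Null-prototype objects keep inherited names like "constructor" unreachable.
function buildExposedApi(declaredModules) {
  const api = Object.create(null);
  for (const name of declaredModules) {
    if (!Object.prototype.hasOwnProperty.call(MODULE_API, name)) {
      throw new Error(`unknown module: ${name}`);
    }
    api[name] = Object.freeze(Object.assign(Object.create(null), MODULE_API[name]));
  }
  return Object.freeze(api);
}

// Calls leaving the interpreter are resolved against the exposed API only,
// so an undeclared module fails here even if the inner sandbox is broken.
function dispatch(api, call) {
  const mod = api[String(call.module)];
  const fn = mod ? mod[String(call.method)] : undefined;
  if (typeof fn !== 'function') return { ok: false, error: 'not permitted' };
  const args = Array.isArray(call.args) ? call.args : [];
  return { ok: true, value: fn(...args) };
}

// Host page side: accept postMessage events only from the viewer origin
// (https scheme assumed) and only for message types it explicitly exposes.
const VIEWER_ORIGIN = 'https://eosscript.com';
const HOST_MESSAGE_TYPES = new Set(['ready', 'finished']); // constructed list
function acceptFromViewer(event) {
  if (event.origin !== VIEWER_ORIGIN) return false;
  const data = event.data;
  return typeof data === 'object' && data !== null && HOST_MESSAGE_TYPES.has(data.type);
}

// Constructed sample: a tease that declared audio and timer, not webcam.
const sampleApi = buildExposedApi(['audio', 'timer']);
console.log(dispatch(sampleApi, { module: 'audio', method: 'play', args: ['s1'] }));
console.log(dispatch(sampleApi, { module: 'webcam', method: 'capture' }));
console.log(acceptFromViewer({ origin: 'https://example.test', data: { type: 'ready' } }));
```

In a browser, `acceptFromViewer` would be called from the host page's `message` event listener before any field of `event.data` is acted on.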