I don't think Minetest has much of a chance, it always felt like a loose group of programmers making a game engine rather than game designers creating a game. At least when I last tried it, it was completely devoid of any features to improve the game feel, everything (movement, camera movement, animations, mining, etc) just felt like a soulless "technically correct" implementation that a programmer without artistic vision would come up with.
For the "Chords", start with just Red and Blue. Then add Yellow.
I don't have perfect pitch, and I could not distinguish between Red and Blue, when Yellow was in the mix and the feedback sounds interrupted the trials.
Black and Green were much easier for me to differentiate, but Red / Blue is really difficult.
You can protect it with CSP headers, but you can't also protect it with the sandbox="" attribute (should a user visit it directly)
If you want both sandbox= restrictions and CSP headers at the same time the only way I've found that works cross all major borders is the iframe plus srcdoc="" with injected CSP meta headers patterns.
Note that a lot of sandbox implementations serve their iframe content from a separate domain, to ensure cookies and localStorage and other same origin things are robustly protected.
I can't do that easily for Datasette because it's open source software that people can run on their own laptops, so I didn't want to block people on "now register a domain/subdomain and set this up in DNS".
CSP is optional and designed to be one part of a defense-in-depth strategy (to extent that it was thoughtfully designed at all—it's an awful standard that should not have made it past proposal stage). It's not a solution for sandboxing untrusted content and should not be relied upon that way. Treating it like one is a great demonstration of how some uses of CSP make people more vulnerable.
Right, which is why I'm combining it with <iframe sandbox=""> - which really is designed to be used as a sandbox (if you can figure out the right way to implement it.)
> <iframe sandbox=""> - which really is designed to be used as a sandbox
Not for untrusted content living on the same origin to prevent it from exercising any of the powers that it would ordinarily have to be able to access sensitive data. It's a misleading name and shouldn't have been chosen. There is no combination of CSP or the iframe sandbox attribute that can be relied upon for that purpose. This is a fundamental limitation of the way the specs were written.
(There needs to be a big warning about this on MDN, but moving from the old wiki to a wiki with GitHub for login to the GitHub-based pull request process really didn't help the there's-a-problem-on-this-page-but-limited-resources-to-make-things-better problem.)
That's why I'm careful not to include allow-same-origin in the sandbox attribute - without that the iframe content is treated as a separate origin from the parent.
And I serve the content in srcdoc= to ensure there's no URL a user can visit which would directly execute the content outside of that iframe sandbox.
If that's true then my project is fatally flawed and I need to stop distributing it.
I'm not convinced it's true - I've been thinking about this for months, and building experimental prototypes to help me get to the combination that I think makes sense.
Can you describe an exploit that the combination I'm using of iframe sandbox= srcdoc= with an injected meta CSP tag doesn't handle?
Would moving the untrusted content to be served from a separate domain entirely close the hole?
(In case it's not clear the iframe sandbox= is the bit that's doing most of the work here - the CSP stuff is there mainly to protect against malicious apps that deliberately exfiltrate stolen private data.)
reply