Comment by lionleaf
9 years ago
Makes me quite nervous too. So far each dweet is run in a sandboxed iframe loaded from a separate subdomain.
There are definitely things you can do, and I'm aware of some annoying ones. I'll just manually delete them at this point. Any security conscious person would view it with noscript and just read the javascript ;)
While you're deleting stuff, I noticed someone on the new page has posted pornographic images. Alas, I'm not terribly surprised since this is the internet after all, but I'll +1 a feature to report dweets as being inappropriate.
A system to automatically hide dweets (for later manual review) after receiving a certain number of reports would likely solve the problem in the short term.
While you're manually deleting things... there are currently way too many that are just exact reposts of the default swaying black bars. Probably accidents rather than people being deliberately lame, but low-hanging fruit for any kind of automatic cleanup.
Why not make their javascript run in WebWorkers and provide a DOM-like interface for all the things? That way you can kill infinite loops etc.
That's something I've been thinking about. Web Workers don't have direct access to the Canvas though, but it seems like you can work around that by passing image data. Killing infinite loops would be great.
How do you sandbox the iframe/code?
Using the <iframe> "sandbox" property. At least stops things like alert('hey') and a full-page redirect.
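The two layers discussed in this thread, the sandboxed iframe on a separate subdomain and the Web Worker that can be killed when a dweet loops forever, as an added example (not Dwitter's own code). The origins `dwitter.example` / `sandbox.dwitter.example`, the `?id=` parameter, the 250 ms frame budget and the sample dweet source are all assumptions; `OffscreenCanvas` is used so the worker can draw directly, with `postMessage` of `ImageData` as the fallback the thread mentions.

```html
<!-- Host page on https://dwitter.example (assumed): the dweet never runs in this origin.
     allow-scripts without allow-same-origin gives the frame an opaque origin, so
     alert(), top-level navigation and access to the host's cookies are all blocked. -->
<iframe sandbox="allow-scripts"
        src="https://sandbox.dwitter.example/run.html?id=PLACEHOLDER_ID"
        referrerpolicy="no-referrer"></iframe>

<!-- run.html, served from the separate sandbox subdomain -->
<canvas id="c" width="1920" height="1080"></canvas>
<script>
const FRAME_BUDGET_MS = 250;                       // assumed watchdog budget per frame
// Constructed sample dweet; in practice it is fetched by id from the sandbox origin.
const dweetSource = 'for(i=0;i<9;i++)x.fillRect(i*200,(t*300)%1080,100,100)';

// Worker body: compiles the untrusted source once, then draws one frame per request.
// Inlined here as a data: URL for a self-contained example; serving it as a file
// from the sandbox subdomain works the same way.
const workerSrc = `
  let c, x, u;
  onmessage = ({ data }) => {
    if (data.canvas) { c = data.canvas; x = c.getContext('2d'); }   // OffscreenCanvas
    if (data.src)    { u = new Function('t', 'c', 'x', data.src); } // untrusted code
    if ('t' in data) { x.clearRect(0, 0, c.width, c.height); u(data.t, c, x); postMessage('done'); }
  };`;
const worker = new Worker('data:text/javascript,' + encodeURIComponent(workerSrc));

const offscreen = document.getElementById('c').transferControlToOffscreen();
worker.postMessage({ canvas: offscreen }, [offscreen]);
worker.postMessage({ src: dweetSource });

let watchdog;
const start = performance.now();
worker.onmessage = () => { clearTimeout(watchdog); requestAnimationFrame(tick); };
worker.onerror = (e) => { console.warn('dweet threw, stopping it:', e.message); worker.terminate(); };

function tick() {
  worker.postMessage({ t: (performance.now() - start) / 1000 });
  // A dweet stuck in an infinite loop never posts 'done'. Because it runs off the main
  // thread, this page stays responsive and can simply terminate the worker.
  watchdog = setTimeout(() => {
    worker.terminate();
    console.warn('frame budget exceeded, dweet killed');
  }, FRAME_BUDGET_MS);
}
tick();
</script>
```

Killing the worker also ends the animation loop, since no further `done` message arrives to schedule the next frame.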