[vlc-devel] commit: Don't ignore-config on the webplugin (Jean-Baptiste Kempf )

[Anthony Loiseau]

Hi,

As some of you may already know (well, maybe not :)), I think allowing
the config file usage helps in using web plugins (ActiveX+mozplugin).

Users who use web plugins often tweak a bit their VLC config in some
ways. Example I have in mind are close to those listed by j-b
(deinterlacing, overlay, ffmpeg-skiploopfilter, fullscreen screen).

I think most users who are not aware of web plugins security have
default config file, which is safe I hope. But yes, most is not all.

Reading my config file, I can see one thing but I don't think it is
activated in web plugins (disable-screensaver=1 which is often not
wanted in web plugins). I don't see dangerous options activated and I
think most users don't have them activated (like a permanent sout for
exemple).


With the fact that the config file can not be modified using the web
plugins (of course), and if you fear the config file usage, maybe we can
think of an option to block or not config-file usage for restricted
interfaces?
I don't think it is needed and we will cross the fact that we need to
parse the config file to know if we should use it. It can however allow
end users to activate config-file usage in web plugins in case you fear
to allow it as default.

Apart from this, we can also add a property to the web plugins like
allowConfigFile=bool for web users who explicitly don't want to load the
config file to have more control on what the plugin is actually doing.
(parameter to add as attribute in the HTML tag - for the web usage)


- I can propose a patch for a "allowConfigFile" webplugin property.
- I don't know how config are loaded, so not very skilled to implement a
"forbid-config-usage-in-restricted-environment" option, if most agrees
to fallback on this idea instead of always allowing config-file.

Regards,
Anthony