[vlc-devel] commit: Don't ignore-config on the webplugin (Jean-Baptiste Kempf )
Kaloyan Kovachev
kkovachev at varna.net
Fri Oct 2 11:32:21 CEST 2009
Hello,
isn't it possible to have separate config/section for the web plugins with
only the safe options?
On Fri, 02 Oct 2009 11:26:14 +0200, Anthony Loiseau wrote
> Hi,
>
> As some of you may already know (well, maybe not :)), I think allowing
> the config file usage helps in using web plugins (ActiveX+mozplugin).
>
> Users who use web plugins often tweak a bit their VLC config in some
> ways. Example I have in mind are close to those listed by j-b
> (deinterlacing, overlay, ffmpeg-skiploopfilter, fullscreen screen).
>
> I think most users who are not aware of web plugins security have
> default config file, which is safe I hope. But yes, most is not all.
>
> Reading my config file, I can see one thing but I don't think it is
> activated in web plugins (disable-screensaver=1 which is often not
> wanted in web plugins). I don't see dangerous options activated and I
> think most users don't have them activated (like a permanent sout for
> exemple).
>
> With the fact that the config file can not be modified using the web
> plugins (of course), and if you fear the config file usage, maybe we can
> think of an option to block or not config-file usage for restricted
> interfaces?
> I don't think it is needed and we will cross the fact that we need to
> parse the config file to know if we should use it. It can however allow
> end users to activate config-file usage in web plugins in case you fear
> to allow it as default.
>
> Apart from this, we can also add a property to the web plugins like
> allowConfigFile=bool for web users who explicitly don't want to load the
> config file to have more control on what the plugin is actually doing.
> (parameter to add as attribute in the HTML tag - for the web usage)
>
> - I can propose a patch for a "allowConfigFile" webplugin property.
> - I don't know how config are loaded, so not very skilled to implement a
> "forbid-config-usage-in-restricted-environment" option, if most agrees
> to fallback on this idea instead of always allowing config-file.
>
> Regards,
> Anthony
>
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> http://mailman.videolan.org/listinfo/vlc-devel
More information about the vlc-devel
mailing list