World: r3wp

Looks like Volker covered the security issues I'd note.  About Rebol 
as a COM server process--I would think that would be the way to go. 
 Pretty sure that is how Acrobat runs, too.  Basically, the first 
time you run into a PDF on the web Acrobat32 starts, and handles 
all instances.

To disallow send properly means a mini firewall.  If you disallow 
SEND, script implements its own function. If you remove smtp scheme, 
script implements its own smtp scheme. Therefore, you have to get 
it at the root, which is to block outgoing tcp on port 25.

hmm, blocking port 25? What if I am a hacker and I run smtp on purpose 
on different port? ;-)

let's hope hackers are very stupid then :-)

That mini-firewall is in my secure-proposal:  secure [net ask tcp://rebol.com 
allow].

Although securing ports would be nice too, secure [net ask tcp://rebol.com 
80 8080 - 9090 allow].

Be carefull with restricting Rebol. I like Rebol, because I can simply 
do things, which I cannot do in other apps. I cannot believe, that 
Maxim wants to remove send even from Rebol and replace it with some 
application. Why? Do I need xxMB large aplication just to send message? 
What will be better in Rebol than in Flash, if you remove the best 
parts of Rebol?

Because you run in the browser now and spy/adware/spammers will love 
rebol without such things.

Oldes, it should be a different word yes. every plugin does not send 
mail directly, they prepare the mail. it is what user expects.

With exe people run rebol intentionally (although /desktop goes in 
the other direction). With plugin user goes to a web-page and webdesigner 
turns that into a rebol-page without notice.

I agree, that some security is needed, but just want to say, not 
to give everything away just because there may be one bad guy

I ask once again - isn't it possible to send email using javascript 
and getting into browser settings?

we must not view rebol in the browser as a means to distribute any 
apps.   I also think the plugin should have a complete control panel 
which allows user to choose from "allways/ask/never" for every sensitive 
aspect.

If that is possible the browser is severely broken.

Rebol as a plugin is here more then 2 years. It was plenty of time 
to do evil things

It is *here*, but not *everywhere* as flash is.

First thing what should be done is better security request window

Security extension, yes, removal of something - hehe, how uneducated 
imo :-) Is smtp so difficult to build? Having tcp socket is dangerous 
already, as I can build my custom smtp in script, and have server 
at the other end of the country, which listens on 8080 and doing 
smtp ....

The current security window is almost useless as I never see the 
directory I'm dealing with

I agree oldes, and we cant "remember" specific directories!

Pekr, you can not build smtp if the sandbox does not let you connect 
to a mailserver.

Maxim - I do agree about unificed control panel icon options, as 
Java does - I would hate thousands of messy dialogs for xy features 
which pop-up-I-don't know-when :-)

or tcp ports, or URL roots...

And a good sandbox lets you connect only to your homeserver, where 
the reblet comes from.

Volker - Volker - how do you distinguish mailserver?

url.

And I'm sure, you will not be able send emails from my browser as 
I don't remember that I allowed to use such a port to any application

You can also run a mail-server on the machine where you host the 
reblet, then send works.

Without that restriction rebol is a perfect tunnel through firewalls. 
Connect to home, connect to localhost/something inside lan too, have 
fun.

I would like extending security dialect ..... but for setttings, 
I do prefer control-panel ... becuase there will be probably many 
settings :-)

Volker: And what's bad on connection to home?

OTOH users want to send emails. But with their own trusted app, not 
with a high-performance hidden 'send. So 'send should pop up that 
mailer IMHO.

with browser - you can connect to whatever port too, no? It allows 
for url schema, so localhost:1234 is valid too .... just a http scheme, 
but ...

I want both. Settings are in %user.r, by secure. And %user.r is modified 
by the panel. As it is currently with 'set-net and /desktop.

that starts to make things like plug-in impossible, if we go "let's 
use only browser networking" route ....

No, browsers have an inbuild firewall. look for cross-site-scripting.

I do my own app, on puprose, and browser mailer pop-ups? Uh, that 
should be optional at least ....

Flash does not work? YOu have full networking to your own server, 
what else do you need?

what if I dynamically build my-send function?

Who receives your mail?

Url blocked -> no mail.

I am for domain restricting/sandboxing, not for features change, 
so that send would pop-up browser etc kind of things ... not sure 
it is manageable .... then reading http should use browser too?

Volker - probably misunderstanding, sorry ..

And mail is critical IMHO. Its on account of the sender in the eyes 
of most people, even if one just fakes the from. If you can that 
from users machine, you have even the right headers.

Ah, yes, misundeerstanding.

The urls are blocked so you can not reach a "legit" mail-server so 
you can not 'send.

But sending mail is needed for feedback itc, its stupid if it can 
not be done. SO we need 'send, but not access to the needwork. So 
another app, which shows text, requests agreement. So, why not users 
emailer?

browse "mailto:[oldes-:-somewhere-:-cz]"

I think, that the mini firewall is only possible solution, but I 
don't know, how difficult it will be to implement

But let the networking in, it's the best thing in Rebol. I'm using 
plugin only as a IRC. I really don't know if it can be compared with 
Flash so someone would make stupid banners in Rebol

Its not the banner, its somebody doing irc from your ip while showing 
you banners.