World: r3wp
[Plugin-2] Browser Plugins
BrianH 15-Jun-2006 [1182x2] | Graham, you want a p2p relay in a webbug? |
Allen, Javascript has even more restrictions on its network abilities than Flash. | |
Anton 16-Jun-2006 [1184] | I think you guys ought to trust what BrianH is saying a little more. I throw all my support behind what Brian is saying here, and I also think there are a lot of things being repeated which have already been explained several times. I like the current direction the plugin seems to be heading. |
Pekr 16-Jun-2006 [1185x2] | Security is cool to have, just please keep in mind one thing - let it be Rebol, not anything else. So, if I am able to store my stuff with Rebol, I want to be with plug-in, or it is not rebol for me anymore. Then I expect *-thru functions at least, to use browser cache at least. That thing I may regard as decided, as Anton says, we should support Brian with secure way. |
Other thing, however, is - how far we go? Thinking in that manner, we can easily end up with conclusion, that we should use ONLY browser networking capabilities - once again - that is not rebol for anymore. On one hand, we would like browsers SSL to be used (imo only because rebol itself is badly missing here), on other hand - who wants to give-up rebol networking? I can understand it eventually makes sense security wise, as who wants your plug-in to open tcp listen port on your machine? I see it immediately as similar problem to local file storage (although eventually caught by firewall) | |
Terry 16-Jun-2006 [1187] | although some storage for graphics-heavy things would be nice. If you drop some flash you can have 10mb of storage without permission, and 100mb with. |
Gabriele 16-Jun-2006 [1188] | I'm completely supporting Brian here too. REBOL is not popular enough to even remotely risking someone writing malware with it. All the anti-virus software in the world is just going to block REBOL if this happens. |
[unknown: 9] 16-Jun-2006 [1189] | yup.... |
Sunanda 16-Jun-2006 [1190] | I'm late to the conversation, but I'm backing Brian too. The plugin arena is not the desktop arena, and extra special rules must apply. |
Volker 16-Jun-2006 [1191] | agreed. after all, if they want more, they can download the real app. but can have a quick first view by plugin. |
JoshM 16-Jun-2006 [1192x5] | Wow, good discussion. |
Regarding security: we are on the same page. We haven't finalized the final security plan (we're hoping to get a draft plan doc up soon)....but a key component of the overall plan is something we're calling "Trusted Scripts", which is an infrastructure for signing scripts to enable licensing, responsibility (who made this script), lower security settings (again, for signed scripts only), and /Pro features. | |
Default security model: Yes, this will be tight. Completely agreed here. | |
The cookie/cache idea is interesting. Need to think on that one a bit. | |
Here's a few components of Trusted Scripts (this is only a draft -- open for feedback):
* Default security model is tight -- how tight is TBD.
* Developers that want to take advantage of Trusted Scripts, i.e. to lower security for a production app, first must buy a license.key from RT.
* license.key unlocks "features" and "permissions". Features are things like encryption within the script. Permissions include file sandbox, domain restrictions, dll loading permissions, etc.
* license.key will contain contact info, so we can track down the author of a malicious signed script if necessary. | |
Volker 16-Jun-2006 [1197] | Sounds in line with sdk: features for money. and you get some identity-check by money, good too. But you need something for the user to know what he is going to use. with url that is simple: stuff on this page. with signing its quite obfuscated. Shall i allow everything which RT gives a thumb up? Or are certificates hardwired to domains? |
JoshM 16-Jun-2006 [1198] | Volker, good point. We may also provide a certificate verification dialog, i.e. "Joe Shmo from company XYZ produced this verified REBOL script. Would you like to allow it to run?" or something to that effect....I'm not positive here....just tossing ideas out there. |
Henrik 16-Jun-2006 [1199] | who provides verification? |
JoshM 16-Jun-2006 [1200] | REBOL Technologies. |
Henrik 16-Jun-2006 [1201] | do they have time and resources to sift through thousands of expertly crafted scripts per day? (just being positive about a future scenario :-)) |
JoshM 16-Jun-2006 [1202x2] | We would not be verifying the script itself, we would be verifying the publisher. If the publisher signs a malicious script, we have detailed contact info to track him down. |
That is the model used today in Authenticode and other code-signing technologies. | |
james_nak 16-Jun-2006 [1204] | http://www.rebol.com/plugin/web-plugin-install.html Josh, is that URL really supposed to auto load the plug-in? I'm getting an error when it actually tries to install it. |
JoshM 16-Jun-2006 [1205x2] | We're, uh, working on that now :) |
Are you running FireFox? | |
james_nak 16-Jun-2006 [1207] | Great. Thought it was me. Yes, FF |
JoshM 16-Jun-2006 [1208] | Yes, we're looking into that now. |
james_nak 16-Jun-2006 [1209x2] | No problem. Thanks. |
Actually, pg-2 is not working in IE either. However, it seems to go farther; I see a box where the app should appear but no app. | |
JoshM 16-Jun-2006 [1211] | james, in IE, do you see the information bar at the top of the page requesting your permission to install the plugin? |
james_nak 16-Jun-2006 [1212] | In IE no. FF, yes, but install fails. |
JoshM 16-Jun-2006 [1213] | We are pleased to announce a new release of REBOL/Plugin. This release includes several new features, including:
* Multiple instance support -- you can now have up to 5 instances within one IE process.
* Automatic updating -- after this release, backwards-compatible updates will come automatically with user consent (no uninstall required).
* Smooth install for FireFox and Mozilla.org-based browsers
* Now compatible with Opera and all Mozilla browsers compatible with npruntime.
* do-browser now functions in Mozilla. |
james_nak 16-Jun-2006 [1214] | It might be me. Let me uninstall first. I did this in FF but not IE. Hold on... |
JoshM 16-Jun-2006 [1215x4] | To install the new plugin, please follow the steps listed at http://www.rebol.com/plugin/install.html. |
Note: You MUST remove previous versions of the plugin before installing the new plugin. Please follow the steps in the above install guide. Also, FireFox/Mozilla users: You MUST add rebol.com to your list of approved software installation web sites. Again, please follow the steps in the above install guide. | |
Please post feedback to this group. We'd love to hear what you think! | |
James, please see the instructions in the install guide related to uninstallation of previous versions and adding rebol.com to your approved sites list. | |
james_nak 16-Jun-2006 [1219x2] | Well, so far IE is a no go here. I closed all IE and deleted the files. At this point it just goes to the install page and I see the "blank" box. |
Win 2000 Pro OS btw if that matters. | |
Dockimbel 16-Jun-2006 [1221] | Works well here with IE (after uninstalling previous plugin version). (WinXP SP1) |
Henrik 16-Jun-2006 [1222] | Click here to find out why links to a page which says that only IE is supported |
james_nak 16-Jun-2006 [1223x5] | Yeah I saw that and thought, "Oh, that's why." |
Back. Thought I would reboot to see if that had any effect. None, sad to say. | |
Well, I went back to FF and added rebol.com. This time it downloaded the plugins (2 files, viewdll.dll and nprbmzpl.dll) and screen changed slightly in that I no longer see all of the white box that is supposed to be red and blue. It is cut off on the top. | |
Is there a method for IE to allow software installs like that of FF? | |
Josh, would you be open to providing files so I can manually install and verify that it works once loaded. | |
BrianH 16-Jun-2006 [1228x4] | Is the plugin served from an HTTPS site? It would be nice to avoid man-in-the-middle attacks. I'm always a little wary of putting non-SSL sites on the trusted sites list. For that matter, when you have one site serving the html and script, and another serving the plugin, which site needs to be trusted, as far as the major browsers are concerned? I would think just the plugin serving site, but I don't quite remember right now... |
My main desktop system is running Windows Server 2003 with the browser security settings enabled. It prohibits any ActiveX controls from running in IE at all unless they come from sites on the trusted list. It won't even give you the option unless you turn off the browser security. | |
Needless to say, this makes me much more comfortable with using IE, but it isn't really practical. So I use Firefox. | |
However, it does render IE safe enough to browse shady sites. | |