World: r3wp

First thing what should be done is better security request window

Security extension, yes, removal of something - hehe, how uneducated 
imo :-) Is smtp so difficult to build? Having tcp socket is dangerous 
already, as I can build my custom smtp in script, and have server 
at the other end of the country, which listens on 8080 and doing 
smtp ....

The current security window is almost useless as I never see the 
directory I'm dealing with

I agree oldes, and we cant "remember" specific directories!

Pekr, you can not build smtp if the sandbox does not let you connect 
to a mailserver.

Maxim - I do agree about unificed control panel icon options, as 
Java does - I would hate thousands of messy dialogs for xy features 
which pop-up-I-don't know-when :-)

or tcp ports, or URL roots...

And a good sandbox lets you connect only to your homeserver, where 
the reblet comes from.

Volker - Volker - how do you distinguish mailserver?

url.

And I'm sure, you will not be able send emails from my browser as 
I don't remember that I allowed to use such a port to any application

You can also run a mail-server on the machine where you host the 
reblet, then send works.

Without that restriction rebol is a perfect tunnel through firewalls. 
Connect to home, connect to localhost/something inside lan too, have 
fun.

I would like extending security dialect ..... but for setttings, 
I do prefer control-panel ... becuase there will be probably many 
settings :-)

Volker: And what's bad on connection to home?

OTOH users want to send emails. But with their own trusted app, not 
with a high-performance hidden 'send. So 'send should pop up that 
mailer IMHO.

with browser - you can connect to whatever port too, no? It allows 
for url schema, so localhost:1234 is valid too .... just a http scheme, 
but ...

I want both. Settings are in %user.r, by secure. And %user.r is modified 
by the panel. As it is currently with 'set-net and /desktop.

that starts to make things like plug-in impossible, if we go "let's 
use only browser networking" route ....

No, browsers have an inbuild firewall. look for cross-site-scripting.

I do my own app, on puprose, and browser mailer pop-ups? Uh, that 
should be optional at least ....

Flash does not work? YOu have full networking to your own server, 
what else do you need?

what if I dynamically build my-send function?

Who receives your mail?

Url blocked -> no mail.

I am for domain restricting/sandboxing, not for features change, 
so that send would pop-up browser etc kind of things ... not sure 
it is manageable .... then reading http should use browser too?

Volker - probably misunderstanding, sorry ..

And mail is critical IMHO. Its on account of the sender in the eyes 
of most people, even if one just fakes the from. If you can that 
from users machine, you have even the right headers.

Ah, yes, misundeerstanding.

The urls are blocked so you can not reach a "legit" mail-server so 
you can not 'send.

But sending mail is needed for feedback itc, its stupid if it can 
not be done. SO we need 'send, but not access to the needwork. So 
another app, which shows text, requests agreement. So, why not users 
emailer?

browse "mailto:[oldes-:-somewhere-:-cz]"

I think, that the mini firewall is only possible solution, but I 
don't know, how difficult it will be to implement

But let the networking in, it's the best thing in Rebol. I'm using 
plugin only as a IRC. I really don't know if it can be compared with 
Flash so someone would make stupid banners in Rebol

Its not the banner, its somebody doing irc from your ip while showing 
you banners.

If you host the reblet from your irc-server, its no problem. Else 
the user needs to bless you explicitely, like with noscript.

I thin, Josh should read some doc about Flash security: http://www.adobe.com/devnet/flash/articles/fplayer_security.html

And hopefully that control-panel is more verbose than the current 
requester. And offers good informations about the effects.

BTW. In the latest Flash versions, you can use ports lower than 1024 
(if you allow it) - It was not possible before.

http://www.adobe.com/devnet/flash/articles/fplayer8_security.html

The plugin *needs* to be highly restricted by default. Please scroll 
up to the top of this group where BrianH and others made some fine 
points about security.

but system dialogs are half-way solutions - 1) they can't be translated 
2) they are ugly and do not copy design principles of your apps .... 
stating that - is there a secure way of how to overcome this? Could 
you provide your own UI and supply it for the internal security system? 
Probably not, as I could ask user completly different question :-(

1) They can be translated.
2) They are a necessary evil.

I want ability to integrate into my app logic, not nasty looking 
UFO stuff ...

I like that ugly and different. Tells me i am not working inside 
the app. Because inside the app, if it asks me "Do you like [x] please?" 
i click yes, whatever [x] is. Its in a sandbox, no?

haven't you meet yourself with requester, which asked for permission 
for file e.g., where path was cut-down? That is the same like no 
requester at all ...

If I can't control the plugin, Petr, I am not going to install it. 
I'm not going to develop for it, because there will be no reason 
why anyone will trust it. Well, you will be able to do that. Perhaps 
in a separate version of the plugin which might come later.

Yes, that is a bug.

I am not saying "windows message box".

Heck, what kind of argument is that, Petr ?