
CCP Fallout

|
Posted - 2011.03.31 13:00:00 -
[1]
Changes are afoot with our in-game browser, and CCP Orion's newest dev blog gives us the scoop. Read all about the new functions currently being tested on Singularity here.
Fallout Associate Community Manager CCP Hf, EVE Online Contact us |
|

Jamaican Herbsman
I Love You Mary Jane
|
Posted - 2011.03.31 13:06:00 -
[2]
again first
Technobabble to me
|

Insert Your Name
|
Posted - 2011.03.31 13:15:00 -
[3]
oO
|

Patient 2428190
DEGRREE'Fo'FREE Internet Business School
|
Posted - 2011.03.31 13:37:00 -
[4]
So I could make a webpage that would contract all your stuff to me? ...Then when you stopped to think about it. All you really said was Lalala. |

Ms Michigan
Gallente Aviation Professionals for EVE
|
Posted - 2011.03.31 13:48:00 -
[5]
Originally by: Patient 2428190 So I could make a webpage that would contract all your stuff to me?
Yeah that was exactly my thought too. Or give them all my money.
I am no computer sci genius (all this IGB trusted stuff is new to me) but my first experience with this was the other day with the website staticmapper.com. You can trust it and it will share the anomaly bookmarks with your corp in a wormhole or solar system.
I had NO idea websites could pull data from the user unless it was inputted (besides seeing your IP address). Not sure I am liking this. It is ok if you trust the place but don't accidentally do it. YIPES
|

Master Gotama
|
Posted - 2011.03.31 13:57:00 -
[6]
FYI, not every eve player is a web developer. have no idea what this means or why i should be excited. but i guess that may have been the point, heh.
|

Jowen Datloran
Caldari Science and Trade Institute
|
Posted - 2011.03.31 14:01:00 -
[7]
Am I spotting a potential risk of "trusting" a website due to being offered some usable functionality while the website uses the same access to pull other information/do other tricks?
-- Mr. Science & Trade Institute - EVE Lorebook - Mysteries of W-space |

Arkady Sadik
Minmatar Electus Matari
|
Posted - 2011.03.31 14:04:00 -
[8]
Thank you!
It would be really nifty (for automated address book updates) to have a javascript function that adds a contact fully, with tags etc. So something like
CCPEVE.addContact(12345678, +10, ['Diplomat']);
|

Razin
The xDEATHx Squadron Legion of xXDEATHXx
|
Posted - 2011.03.31 14:08:00 -
[9]
All cool stuff I'm sure!
But when is the IGB going to start behaving a little more like a regular browser? Like having a text search function, or keeping the vertical location on a page when using the "back" or "forward" functions? Would also be nice to be able to organize the links with sub-folders and the sorting options.
Oh yeah, and matching the IGB scroll bars with the rest of in-game UI would be great. ...
|

Martc
Quondam Souls of the Universe corporation R.A.G.E
|
Posted - 2011.03.31 14:28:00 -
[10]
I see a big security issue. There should be more trust levels, one for not harmful functions and a second for the rest. I don't want to see my route planner sending email or selling my items.
|

Internet Knight
The Kobayashi Maru
|
Posted - 2011.03.31 14:30:00 -
[11]
Edited by: Internet Knight on 31/03/2011 14:30:52
Nice devblog about tech stuff. I like tech stuff.
I think it's funny that we're talking about web stuff but Orion (or, whoever runs the blogs?) doesn't know how to summarize a blog for the blog list.
Funny indeed.
Also, cookies. I like cookies. Coconut oatmeal are my favorite.
---
|

andeira
|
Posted - 2011.03.31 14:36:00 -
[12]
So if I understand this correctly I can make a website and get some idiot to accept it as a trusted site and then I can make this site contract all his **** to me through javascript?
If I can do this I will love you forever -------------
Originally by: Stitcher For frak's sake, it took millions of years of evolution for that brain to get inside your skull, would it kill you to actually USE the damned thing?
|

Turelus
22nd Black Rise Defensive Unit
|
Posted - 2011.03.31 14:39:00 -
[13]
I have no idea what any of that means :P
IBC
|
|

CCP Orion

|
Posted - 2011.03.31 14:54:00 -
[14]
Originally by: andeira So if I understand this correctly I can make a website and get some idiot to accept it as a trusted site and then I can make this site contract all his **** to me through javascript?
If I can do this I will love you forever
Well, sorry to disappoint you, but no. The IGB is only a substitute/enhancement to the current menu system. The createContract function for example only opens the contract dialog with the specified items and type pre-selected.
|
|

Callic Veratar
|
Posted - 2011.03.31 14:56:00 -
[15]
I'm still hoping for Middle Click to open a new tab. The lack of that feature makes me sad.
|

Galen Kamari
Gallente Pelican. Violent Entity
|
Posted - 2011.03.31 15:21:00 -
[16]
Originally by: Patient 2428190 So I could make a webpage that would contract all your stuff to me?
I haven't had time to play with it yet since Fanfest, but as I recall the contract panel is still displayed: it's not an entirely automated process, there's just a little less clicking.
Originally by: Ms Michigan Yeah that was exactly my thought too. Or give them all my money.
The money transfer idea was floated during a Dev Track session but not confirmed. There were some hesitations about it, but I'm sure it too would still require confirmation just as if you'd opened the window yourself. The scripted route would just save you the trouble of finding the person/corp in question through People & Places (or whatever).
Originally by: Ms Michigan I had NO idea websites could pull data from the user unless it was inputted (besides seeing your IP address).
Without entering your API key, there's very little information that can be gleaned about a player from the API. Just the basics. Trusting a website doesn't give a site a great deal more, though it will expose where you are and what type of ship you're flying with these updates; the former can be found with locator agents anyway.
Originally by: Jowen Datloran Am I spotting a potential risk of "trusting" a website due to being offered some usable functionality while the website uses the same access to pull other information/do other tricks?
The list of exposed information is listed in the Dev Blog, and giving out your API key isn't trivial unless you don't read anything on that page.
Originally by: Razin But when is the IGB going to start behaving a little more like a regular browser? Like having a text search function, or keeping the vertical location on a page when using the "back" or "forward" functions? Would also be nice to be able to organize the links with sub-folders and the sorting options.
Oh yeah, and matching the IGB scroll bars with the rest of in-game UI would be great.
The version of Chromium is going to be updated which might well introduce those features: I'm not familiar with the engine myself. As for UI matching, there were some interesting ideas around skinning floated around at Fanfest, so things of that nature have been discussed.
Originally by: Martc I see a big security issue. There should be more trust levels, one for not harmful functions and a second for the rest. I don't want to see my route planner sending email or selling my items.
Plans for customised access levels, including time-limited keys, were announced. I'm sure there'll be a blog about it soon enough.
|

Pallaxia
|
Posted - 2011.03.31 15:42:00 -
[17]
Very nice. Session-change callback, please? |

Somerset Mahm
Somer's Omnibus Exploration and Reclamation Cognitive Distortion
|
Posted - 2011.03.31 15:43:00 -
[18]
Some great steps, such as auto-populating a mail. That saves me quite a few steps.
Would love to see the aforementioned Give Money function (.giveMoney(amount, charID, reason=None)) that pre-pops that window. Would need to prevent it from being fired without a manual interaction (like a button click) probably.
I'd also hope for a couple enhancements on the new functions:
addContact(charID, standing=None, note=None) # let standing be set immediately
addContacts([charIDs], standing=None, note=None) # allows for bulk adding of contacts
createContract(contractType, charID=None, station=None, itemIDs=None) # allow specification of target character
--- SOMER Lotteries SOMER Blink - new! SOMER Escrow Services |

Two step
Aperture Harmonics K162
|
Posted - 2011.03.31 15:44:00 -
[19]
I would gladly trade all of this new stuff for a give money call. Have it pop up the give money dialog, make sure that cancel is the default, and maybe even make it so the OK button is disabled for 2 seconds. This would save a lot of corps a huge amount of time and effort.
A couple other requests:
1) How about the current ship's fittings in the shipid format in one of the headers?
2) We still really really really need some way of authenticating the IGB headers. This is all doable with some API work, and would be very useful.
3) Any chance we could also get a unique per-account id (not the username) in the headers?
It is great to hear that work is still being done on the IGB, it is a very useful tool. Two step for CSM6 - http://twostep4csm.blogspot.com/ |

Sentient Blade
|
Posted - 2011.03.31 15:57:00 -
[20]
A few things, based on experience developing integrated websites for other environments, although I haven't looked into EvE's much.
1. Needs a chat shortcut to call functions upon the page, typically this would have a given prefix such as /igb which would invoke onPlayerMessage([object] playerInfo, message).
"/igb note Enemy sighted"
2. The IGB has a bit of a habit of taking up a fair bit of screen real estate, it would be beneficial if the COM class / plugin etc could inject a stream of text into the local (visible only to the player).
CCPEVE.displayLocalMessage("You have received a forum reply from " + post.fromUserName, EVE.Colors.IMPORTANT);
3. Block looks very useful. I am wondering if this would open up the possibility of shared blocked lists? Personally I'd be looking for a one-click mechanism to update my block list with a known list of Jita scammers / spam bots.
4. Invocation of additional events such as onCombatLog, onLocationChanged. I would personally love to have the combat log parsed in real time and graphed to show how much damage I am putting out, who is putting the most damage on me etc.
5. Break the IGB out of the custom rendering and let it be opened up as a separate window so it can be dragged onto another screen. Let multiple windows be opened at once each connected to the same client and provide a way via the CCPEVE plugin to communicate between them without relying on heavy ajax polling or COMET.
6. How is this data signed to ensure that the headers are valid? Clients have to trust the website but what level of trust should the website put in the client data?
7. A method of opening the skill training list with a list of skills filled in for it, to provide functionality similar to an 'import training queue'. Also add options to poll the current skill queue.
8. Temporary API key access, to allow a trusted website to receive an access token for the player which is valid only for the duration of their current login session, or until they force the IGB to relinquish it, whichever comes sooner. This could potentially include a mechanism for bypassing the call limit while running inside of the IGB as many services would desire immediate updates.
Anyway, that's just a few things off the top of my head.
|

Somerset Mahm
Somer's Omnibus Exploration and Reclamation Cognitive Distortion
|
Posted - 2011.03.31 16:05:00 -
[21]
Quote: 3) Any chance we could also get a unique per-account id (not the username) in the headers? It is great to hear that work is still being done on the IGB, it is a very useful tool.
Not good for people that don't want their characters linked. --- SOMER Lotteries SOMER Blink - new! SOMER Escrow Services |

Not T'amber
|
Posted - 2011.03.31 16:23:00 -
[22]
So many opportunities for win it's making my brain hurt.
|

Sentient Blade
|
Posted - 2011.03.31 16:30:00 -
[23]
Originally by: Somerset Mahm
Quote: 3) Any chance we could also get a unique per-account id (not the username) in the headers? It is great to hear that work is still being done on the IGB, it is a very useful tool.
Not good for people that don't want their characters linked.
Websites do not exist within the realm of the EvE rules in terms of identity etc. A website owner has the right to deny you as a person access, and if that means banning your entire ID that's just tough.
Also, I'm tired. I think I originally tried to send this message as a report :S my bad. Sorry.
|

Patient 2428190
DEGRREE'Fo'FREE Internet Business School
|
Posted - 2011.03.31 16:31:00 -
[24]
Originally by: CCP Orion
Originally by: andeira So if I understand this correctly I can make a website and get some idiot to accept it as a trusted site and then I can make this site contract all his **** to me through javascript?
If I can do this I will love you forever
Well, sorry to disappoint you, but no. The IGB is only a substitute/enhancement to the current menu system. The createContract function for example only opens the contract dialog with the specified items and type pre-selected.
Would it be possible to have the createContract to include all possible items?
I can just see the Jita spamming saying "Trust my website, click 5 buttons and win a 1 billion ISK!" ...Then when you stopped to think about it. All you really said was Lalala. |

Galen Kamari
Gallente Pelican. Violent Entity
|
Posted - 2011.03.31 16:33:00 -
[25]
Originally by: Sentient Blade 6. How is this data signed to ensure that the headers are valid?
It's not.
Quote: Clients have to trust the website but what level of trust should the website put in the client data?
None at all. If you want access control, you need another system. The headers should be assumed to be forged.
This question came up in the third Dev Track session, I believe. At least for now, there's no intention of having authentication built-in.
Quote: 8. Temporary API key access, to allow a trusted website to receive an access token for the player which is valid only for the duration of their current login session, or until they force the IGB to relinquish it, whichever comes sooner.
I mentioned this above. One of the new API key system features will be the ability to set a time limit on the validity of the key. For example, this means that you could give a key to your CEO when joining a corp. for the usual initial checks, but it would only last for a day (or whatever you want) so that they don't have permanent access to character data (unless you choose to give it) without having to reset a full or limited key for all uses.
|
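The point made in the reply above, that IGB headers are unsigned and must be assumed forged, as an added example (not part of the original thread and not CCP's code): a Node.js sketch in which authorization comes only from a server-signed session token and the headers are treated as unverified hints. The header names `eve_charid` and `eve_trusted`, the request shape, the character IDs and all function names are assumptions made for illustration.

```javascript
// Added example: IGB identity headers are unsigned, so treat them as hints only.
const crypto = require("node:crypto");

// Per-process secret for this sketch; a real site would load a persistent key.
const SESSION_KEY = crypto.randomBytes(32);

function mac(payload) {
  return crypto.createHmac("sha256", SESSION_KEY).update(payload).digest();
}

// Issue a token "<characterId>.<expiry>.<hmac>". Call this only after the site's
// own login has verified the user (that "other system" is outside this sketch).
function issueSession(characterId, ttlSeconds, nowMs = Date.now()) {
  const expires = Math.floor(nowMs / 1000) + ttlSeconds;
  const payload = `${characterId}.${expires}`;
  return `${payload}.${mac(payload).toString("base64url")}`;
}

// Return { characterId } for an authentic, unexpired token, otherwise null.
function verifySession(token, nowMs = Date.now()) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [characterId, expires, tag] = parts;
  if (!/^\d+$/.test(characterId) || !/^\d+$/.test(expires)) return null;
  const expected = mac(`${characterId}.${expires}`);
  const given = Buffer.from(tag, "base64url");
  // timingSafeEqual throws on a length mismatch, so check the length first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  if (Number(expires) * 1000 <= nowMs) return null;
  return { characterId };
}

// Access decision for a members-only page. The identity used is the one in the
// signed session; the header value is only compared against it for logging.
function authorize(req, memberIds, nowMs = Date.now()) {
  const claimedId = req.headers["eve_charid"] ?? null; // assumed header name
  const session = verifySession(req.cookies?.session, nowMs);
  if (!session) {
    return { allowed: false, characterId: null, headerMismatch: false };
  }
  return {
    allowed: memberIds.has(session.characterId),
    characterId: session.characterId,
    headerMismatch: claimedId !== null && claimedId !== session.characterId,
  };
}

// Constructed sample requests (IDs and header values are made up).
function demo() {
  const now = 1300000000000;
  const members = new Set(["90000001"]);
  const outsiderToken = issueSession("90000002", 3600, now);
  return {
    // Anyone can send these headers from any HTTP client: denied.
    forgedHeadersOnly: authorize(
      { headers: { eve_trusted: "Yes", eve_charid: "90000001" }, cookies: {} },
      members, now),
    // Real session for a non-member plus a header claiming a member: denied,
    // and the mismatch is surfaced so it can be logged.
    outsiderClaimingMember: authorize(
      { headers: { eve_charid: "90000001" }, cookies: { session: outsiderToken } },
      members, now),
  };
}

console.log(demo());
```
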

Catari Taga
Centre Of Attention Middle of Nowhere
|
Posted - 2011.03.31 16:42:00 -
[26]
Edited by: Catari Taga on 31/03/2011 16:42:30
Originally by: Arkady Sadik Thank you!
It would be really nifty (for automated address book updates) to have a javascript function that adds a contact fully, with tags etc. So something like
CCPEVE.addContact(12345678, +10, ['Diplomat']);
Yeah, I already asked for this in the tech labs thread, please do this, and ideally allow passing an array of contacts to that function.
(PS: this is not providing functionality that's missing in the client, this is just working around the horrible client UI) --
|

Krennel Darius
Caldari Nova Security Systems The Laughing Men
|
Posted - 2011.03.31 17:10:00 -
[27]
Can we watch videos on it now? _________________________________________________ If at first you don't succeed, you're not Chuck Norris |

mkmin
|
Posted - 2011.03.31 17:10:00 -
[28]
Does anybody else smell "extremely dangerous"? There is no mention of the headers requiring "trusted" status. I don't trust very many sites at all, but if they can slip in some code that takes all your stuff I won't be trusting any sites ever again.
Sounds like it might be time to add CCPBrowser.exe to blacklisted software. :S
|

Two step
Aperture Harmonics K162
|
Posted - 2011.03.31 17:19:00 -
[29]
Originally by: mkmin Does anybody else smell "extremely dangerous"? There is no mention of the headers requiring "trusted" status. I don't trust very many sites at all, but if they can slip in some code that takes all your stuff I won't be trusting any sites ever again.
Sounds like it might be time to add CCPBrowser.exe to blacklisted software. :S
*all* IGB specific headers require trust, I don't see why these would be any different. Two step for CSM6 - http://twostep4csm.blogspot.com/ |

Somerset Mahm
Somer's Omnibus Exploration and Reclamation Cognitive Distortion
|
Posted - 2011.03.31 17:23:00 -
[30]
Originally by: Sentient Blade
Originally by: Somerset Mahm
Quote: 3) Any chance we could also get a unique per-account id (not the username) in the headers? It is great to hear that work is still being done on the IGB, it is a very useful tool.
Not good for people that don't want their characters linked.
Websites do not exist within the realm of the EvE rules in terms of identity etc. A website owner has the right to deny you as a person access, and if that means banning your entire ID that's just tough.
Oh, I wouldn't mind it at all as a website operator. But people that use a site with an alt that the website operator can now link to their main because both characters have the same account ID will scream. That's the angle I was looking at it from. --- SOMER Lotteries SOMER Blink - new! SOMER Escrow Services |

mkmin
|
Posted - 2011.03.31 17:40:00 -
[31]
Originally by: Two step
Originally by: mkmin Does anybody else smell "extremely dangerous"? There is no mention of the headers requiring "trusted" status. I don't trust very many sites at all, but if they can slip in some code that takes all your stuff I won't be trusting any sites ever again.
Sounds like it might be time to add CCPBrowser.exe to blacklisted software. :S
*all* IGB specific headers require trust, I don't see why these would be any different.
I dunno... with the abysmal record CCP has with privacy, I see these things being very very dangerous.
CCP, how about you add different levels of trust to the browser? Or a way for the user to tell exactly what information you are helping the site owner to steal.
|

Ariane VoxDei
|
Posted - 2011.03.31 17:43:00 -
[32]
Looks like, once again, new stuff is wide open to datamining.
One thing stands out though. "(new) showContents(stationID, itemID)" Once you accumulate all your containerIDs, with matching stationID, then this stuff can be used to track your inventory. Provided you do a bit of work to get a copy of the response and run an "adequate" set of scripts on it.
It might not yet rival inventory mods for some other games, but it is a start.
Oh and...
onmouseover ccp.setdestination(rancer) ccp.invitetofleet(gankalot) and hope the autopilot is on...
And have the webserver quietly pass on the tasty location and ship data in the headers...
ps: yes I know some of it requires "trusted".
|
|

CCP Orion

|
Posted - 2011.03.31 17:44:00 -
[33]
Originally by: Two step
Originally by: mkmin Does anybody else smell "extremely dangerous"? There is no mention of the headers requiring "trusted" status. I don't trust very many sites at all, but if they can slip in some code that takes all your stuff I won't be trusting any sites ever again.
Sounds like it might be time to add CCPBrowser.exe to blacklisted software. :S
*all* IGB specific headers require trust, I don't see why these would be any different.
All IGB headers require trust indeed.
|
|

Galen Kamari
Gallente Pelican. Violent Entity
|
Posted - 2011.03.31 17:45:00 -
[34]
Originally by: Somerset Mahm But people that use a site with an alt that the website operator can now link to their main because both characters have the same account ID will scream. That's the angle I was looking at it from.
Seems to me that CCP's looking to separate characters so that they can't be associated on the same account unless the account holder wants them to be: API keys will be generated on a per-character basis, not per-account. Read the dev blog on the subject: Power to the End User - Customizable Access API Keys.
|

mkmin
|
Posted - 2011.03.31 17:58:00 -
[35]
Edited by: mkmin on 31/03/2011 17:59:54
Originally by: Galen Kamari Edited by: Galen Kamari on 31/03/2011 17:50:12
Originally by: Somerset Mahm But people that use a site with an alt that the website operator can now link to their main because both characters have the same account ID will scream. That's the angle I was looking at it from.
Seems to me that CCP's looking to separate characters so that they can't be associated on the same account unless the account holder wants them to be: API keys will be generated on a per-character basis, not per-account. Read the dev blog on the subject: Power to the End User - Customizable Access API Keys.
And from reading some of these comments: seriously some of you are too paranoid for your own good. Keep in mind that nothing can become automated through these features. A site author can't make your client do things without your consent. These are just to add convenience and enhance the UI, the intention of third-party development and the IGB. Lighten up!
EVE is all about paranoia and bad programming. If something can be used to steal, scam, or whatever it will be, even if other software companies would consider it a malicious exploit (CCP seems to like malicious exploits and calls them "features".) The real concern is that really quiet guy that never talks, who programs the alliance webpage... What's he going to slip in? Increased exposure means it's time to remove every page I've got from my trusted list, because with no "how much trust?" option we're required to trust the site programmer completely as a person. A person who wants all your stuff and is willing to lie cheat and steal to get it. edit: and that's assuming CCP got the trust system down right to begin with and there aren't any easily exploitable workarounds they CBA'd to fix.
|

Palovana
Caldari Inner Fire Inc.
|
Posted - 2011.03.31 18:10:00 -
[36]
Edited by: Palovana on 31/03/2011 18:12:24
Originally by: mkmin I dunno... with the abysmal record CCP has with privacy, I see these things being very very dangerous.
Originally by: mkmin EVE is all about paranoia and bad programming. If something can be used to steal, scam, or whatever it will be, even if other software companies would consider it a malicious exploit (CCP seems to like malicious exploits and calls them "features".) The real concern is that really quiet guy that never talks, who programs the alliance webpage... What's he going to slip in? Increased exposure means it's time to remove every page I've got from my trusted list, because with no "how much trust?" option we're required to trust the site programmer completely as a person. A person who wants all your stuff and is willing to lie cheat and steal to get it. edit: and that's assuming CCP got the trust system down right to begin with and there aren't any easily exploitable workarounds they CBA'd to fix.
I think I'll just stick to alt-tab for browsing stuff while I play. Half of the web is b0rked with the IGB anyway (for wine users at least).
edit: more quotage
|

Particul
|
Posted - 2011.03.31 18:24:00 -
[37]
I have no idea what percentage of the player-base understood anything of that blog, except that it is probably a very small figure. Personally I shall avoid using the IGB wherever possible and put it on the shelf marked 'Dangerous' along with Evegate. If the majority of your players cannot understand a blog, you could
a) Preface it with a non-technobabble introduction and summary
b) Not write it at all
I spent twenty years as a programmer in industry and if this is meant to be a general help file it leaves an awful lot to be desired.
|

Catari Taga
Centre Of Attention Middle of Nowhere
|
Posted - 2011.03.31 19:23:00 -
[38]
A lot of these new methods do not seem to be functional. Did not test them all but from those that I tested I could not get the following to work:
- addToMarketQuickBar(typeID) - this works but allows adding of non-tradeable types
- block(characterID)
- bookmark() - tested arguments: none, existing bookmarkID, locationID, itemID, x,y,z coordinates, etc., might be missing the correct sequence arguments here if it's functional
- clearAutopilot() - does nothing, also tested with solarSystemID for existing waypoint as argument
- showFitting() - shipDNA does not work as an argument anymore, example lists a fittingID which I did not test - please bring shipDNA functionality back, thx
- showOnMap(corporationID) - this opens the map if it's not yet open but does not display any specific location
- showSovereignity() - tested arguments: none,solarSystemID,regionID,allianceID
--
|

Shandir
Minmatar Brutor Tribe
|
Posted - 2011.03.31 19:54:00 -
[39]
Certainly this opens up some new scamming opportunities and some additional (in-game) security concerns, but from the sounds of it, there isn't anything which is going to "steal all your stuff" unless you have a habit of clicking contract/give money dialogs you haven't read. I would say that it would be nice to allow disabling of certain features (like those that probably don't have a confirmation - eg autopilot destination) but actually, I'd just untrust any trusted site that screwed around with them. Somer's gonna love these - easier for her addicts to throw more money at her (and less people sending ISK to the wrong Somer corp)
-
|

Megarom
|
Posted - 2011.03.31 21:40:00 -
[40]
What I'd like to be able to do is drag all the draggable (to chat window) IGB forum text inputs so I could post fits or locations or people to my web site.
Also related to this but not to IGB, I'd love it if the fits pasted to a chat channel would somehow hold the fit information when I read the chat log later. |

Black Romero
|
Posted - 2011.03.31 22:43:00 -
[41]
Originally by: mkmin Edited by: mkmin on 31/03/2011 17:59:54
Originally by: Galen Kamari Edited by: Galen Kamari on 31/03/2011 17:50:12
Originally by: Somerset Mahm But people that use a site with an alt that the website operator can now link to their main because both characters have the same account ID will scream. That's the angle I was looking at it from.
Seems to me that CCP's looking to separate characters so that they can't be associated on the same account unless the account holder wants them to be: API keys will be generated on a per-character basis, not per-account. Read the dev blog on the subject: Power to the End User - Customizable Access API Keys.
And from reading some of these comments: seriously some of you are too paranoid for your own good. Keep in mind that nothing can become automated through these features. A site author can't make your client do things without your consent. These are just to add convenience and enhance the UI, the intention of third-party development and the IGB. Lighten up!
EVE is all about paranoia and bad programming. If something can be used to steal, scam, or whatever it will be, even if other software companies would consider it a malicious exploit (CCP seems to like malicious exploits and calls them "features".) The real concern is that really quiet guy that never talks, who programs the alliance webpage... What's he going to slip in? Increased exposure means it's time to remove every page I've got from my trusted list, because with no "how much trust?" option we're required to trust the site programmer completely as a person. A person who wants all your stuff and is willing to lie cheat and steal to get it. edit: and that's assuming CCP got the trust system down right to begin with and there aren't any easily exploitable workarounds they CBA'd to fix.
YEAH - No offense CCP Orion and crew but after looking at all this I will be ALT- Tabin' it too. No more IGB for me. This is a FAIL idea. Alliances, corps beware!
|

Grady Eltoren
Minmatar UNITED STATES ARMY
|
Posted - 2011.03.31 22:48:00 -
[42]
Originally by: Shandir Certainly this opens up some new scamming opportunities and some additional (in-game) security concerns, but from the sounds of it, there isn't anything which is going to "steal all your stuff" unless you have a habit of clicking contract/give money dialogs you haven't read. I would say that it would be nice to allow disabling of certain features (like those that probably don't have a confirmation - eg autopilot destination) but actually, I'd just untrust any trusted site that screwed around with them. Somer's gonna love these - easier for her addicts to throw more money at her (and less people sending ISK to the wrong Somer corp)
See the problem here is you open a website and the give money box pops up and you are busy typing on your laptop and the send button goes off accidentally. You all know how laptops can skip fields etc. One slip of the enter key at the wrong moment....
Again - Another reason why I am leaving EVE - CCP building more tools to enable theft instead of building tools to help stop it. At least give people the ability to combat all the loopholes you are opening up!! Let players put a camera on top their pos to deter corp theft, audit logs for ship mtx arrays - something. Instead we get IGB with glaring loopholes to prey on the not so tech savvy or accidental click. Shame on you. Why does CCP want theft to happen? Does it help your bottom line that much? Some "feature".
Grady
P.S. No you cannot have my stuff and leave the troll responses out please.
Aviation Professionals for EVE (APEVE)
|

Somerset Mahm
Somer's Omnibus Exploration and Reclamation Cognitive Distortion
|
Posted - 2011.03.31 22:59:00 -
[43]
Quote:
Somer's gonna love these - easier for her addicts to throw more money at her (and less people sending ISK to the wrong Somer corp)
Actually I am not too bothered about the sending money in, but if we get corp versions of these it will make sending prizes out SO much faster. --- SOMER Lotteries SOMER Blink - new! SOMER Escrow Services |

Sentient Blade
|
Posted - 2011.03.31 23:27:00 -
[44]
Originally by: Somerset Mahm
Quote:
Somer's gonna love these - easier for her addicts to throw more money at her (and less people sending ISK to the wrong Somer corp)
Actually I am not too bothered about the sending money in, but if we get corp versions of these it will make sending prizes out SO much faster.
Sounds more like a need for an "owner only" API key which can actually use POST requests to the API to make actual write actions. That's always how I've done it when I've been writing complex APIs.
|
|

CCP Laurelle

|
Posted - 2011.03.31 23:28:00 -
[45]
Edited by: CCP Laurelle on 31/03/2011 23:29:05
Originally by: Grady Eltoren
Originally by: Shandir Certainly this opens up some new scamming opportunities and some additional (in-game) security concerns, but from the sounds of it, there isn't anything which is going to "steal all your stuff" unless you have a habit of clicking contract/give money dialogs you haven't read. I would say that it would be nice to allow disabling of certain features (like those that probably don't have a confirmation - eg autopilot destination) but actually, I'd just untrust any trusted site that screwed around with them. Somer's gonna love these - easier for her addicts to throw more money at her (and less people sending ISK to the wrong Somer corp)
See the problem here is you open a website and the give money box pops up and you are busy typing on your laptop and the send button goes off accidentally. You all know how laptops can skip fields etc. One slip of the enter key at the wrong moment....
Originally by: Ariane VoxDei
One thing stands out though. "(new) showContents(stationID, itemID)" Once you accumulate all your containerIDs, with matching stationID, then this stuff can be used to track your inventory. Provided you do a bit of work to get a copy of the response and run an "adequate" set of scripts on it.
Okay, looks like some misunderstandings need clearing up...
- There is no "give money" from the IGB yet. If we do add it later there will be a lot of effort put into making sure it's not griefable.
- All the new javascript functions require the website to be trusted which is something that the user explicitly selects.
- showContents simply opens up an in-game UI and doesn't pass any information over to the website
We would love to hear more about actual security issues that you guys spot and suggest you try it out on Singularity. Our aim is to add much-needed functionality that allows you to make IGB websites which augment the game experience but at the same time be careful about compromising user security or allow automation through the IGB.
|
|

Catari Taga
Centre Of Attention Middle of Nowhere
|
Posted - 2011.04.01 00:25:00 -
[46]
Originally by: CCP Laurelle or allow automation through the IGB.
As long as everything you can do via IGB requires user confirmation there will be no automation, only a way to use the client more efficiently than via the convoluted ingame UI.
Since the UI team isn't delivering anything useful all the more reason that you do. E.g. the sendMail() call is just perfect because you can enter all required information on the website already and the user only needs to click ok. Make the other calls the same please (contacts!). --
|

Nauplius
Amarr 1st Praetorian Guard
|
Posted - 2011.04.01 02:23:00 -
[47]
A successful XSS attack (or outright hack) against a popular 3rd party API-using EVE website or a disgruntled corporation or alliance webadmin can do some interesting things with this new API:
- The inviteToFleet() / startConversation() functions can be used to spam arbitrary players; every IGB user who visits the compromised site can be made to open convos with the attacker's target(s). Convos are opened immediately upon invocation of the method in question; not so much as an "Are You Sure" or similar stands between the attacker and spam victim.
- The removeContact() / removeCorpContact() functions operate silently and without confirmation provided the player had earlier checked "Don't Show Again" on that part of the Contacts UI. This can be used for pure griefing or perhaps, say, deleting Titan alts out of the contact lists of passing IGB users. I'm sure the more devious can think of better uses; I'm just a grunt in a lovable NRDS corp, after all.
- Although the block() method is not working on the test server, presumably it too would operate silently as there is no confirmation UI present in the game when someone is blocked. This has great grief potential; an attacker can block arbitrary players from all the IGB users visiting the compromised site. Disrupt enemies' communications...silence business rivals...
- The addBounty() function offers at least some of the risk associated with the proposed giveMoney() function. Since putting a bounty on someone is the same as giving them money thanks to alt-killing, one wonders why this function is even in the API? Everyone knows the bounty system in this game is useless.
Two additional more broad, theoretical points:
- Nothing in the requestTrust() dialog box indicates to the user that he is giving permission to the site to perform client-side, writable, side-effecting actions like those above and many others that have now been added to the API. I doubt that many IGB users know they are giving permission to perform these types of actions, as the web does not normally work that way.
- This whole thing smells of bad security and bad web architecture, really. A dialog box that, once clicked, gives a site permission to perform all sorts of client-side writable, side-effecting actions? I mean, there's two things wrong with that:
1. Dialog boxes that in effect say "Are you sure you want to do this terrible insecure thing (OK/Cancel)" are a discredited security model on the web and all modern browsers are moving away from such things. It is best to disallow insecure things entirely, and if there be no other alternative, at least scare the living !@#$ out of the user (see, for example Firefox's HTTPS warnings for sites with broken certs, or IE9's warnings for rarely downloaded files).
2. Regardless of whether you agree that step 1 adequately captures user intent, you guys heard of hacking? XSS? Actually just script injection, nothing x-domain really needed for this API. You know that a lot of these EVE sites are just kids and college students and who knows what that, uh, these sites might not be the most bullet-proof sites in the world...
|

Catari Taga
Centre Of Attention Middle of Nowhere
|
Posted - 2011.04.01 02:52:00 -
[48]
Edited by: Catari Taga on 01/04/2011 02:54:29
To all the fear mongers in this thread: absolutely nobody forces you to use the IGB or to trust websites.
The IGB has been castrated of functionality for much too long, take your paranoia elsewhere and let the rest of us get a useful IGB back. Again, this is a fully optional tool, if you do not want it, do not use it.
Thanks CCP for working on it! --
|

mkmin
|
Posted - 2011.04.01 03:28:00 -
[49]
Originally by: Catari Taga Edited by: Catari Taga on 01/04/2011 02:54:29 To all the fear mongers in this thread: absolutely nobody forces you to use the IGB or to trust websites.
The IGB has been castrated of functionality for much too long, take your paranoia elsewhere and let the rest of us get a useful IGB back. Again, this is a fully optional tool, if you do not want it, do not use it.
Thanks CCP for working on it!
Actually I would love extra functionality of the IGB. It's something I've wanted for quite a while. But we're back to the same issue of limited/full API. It's either agree to trust a site and every possible malicious thing they can think of in hopes you may get some functionality, or have an IGB that's really not worth using at all. (as it is I don't use the IGB unless I don't care about what I'm doing at the moment because of how 90's-ish it feels, and doesn't have the snappy response an oog browser has.) So please, give us levels of trust, just like the API. Those EVE players can be right bastards and our paranoia is 100% justified.
(BTW, it would be freakin' awesome if the CCP EVE sites were all optimized to work with the IGB, though that's kind of asking a lot considering they aren't optimized to run in an oog browser either.)
|

Derus Grobb
Minmatar Selectus Pravus Lupus Transmission Lost
|
Posted - 2011.04.01 05:01:00 -
[50]
I too want the middle mouse button to open a link in a new tab. It's standard in every browser now and would surely be appreciated by a lot of people. ---
|

Firesh
Etoilles Mortant Ltd. Solyaris Chtonium
|
Posted - 2011.04.01 05:37:00 -
[51]
I sense an unusual amount of fear-mongery here ;)
What the heck are you doing using the IGB on a trusted website if you don't really trust its security?
We heavily use the API in order to get statistics and coordinate our market activities; any IGB extension would be great for us in order to reduce carpal syndrome.
|

Tairon Usaro
The X-Trading Company RAZOR Alliance
|
Posted - 2011.04.01 06:15:00 -
[52]
Quote: Bear in mind though that our rule of thumb for IGB functionality is not to provide functions that cannot be performed manually in the game client itself.
How about bringing back functionality the IGB already had ?!? ......
HTTP_EVE_NEARESTLOCATION
I had a scanning tool using it, you broke it. now i am waiting to use it for a POS Tool. ________________________________________________ Some days i loose, some days the others win ... |

Batolemaeus
Caldari Free-Space-Ranger Morsus Mihi
|
Posted - 2011.04.01 06:49:00 -
[53]
Development of convo-loic is go. \o/ Thanks for the create convo thingy, it was the only thing required to turn the gm-endorsed convo-dos into a viable web application for alliance warfare.
|

Sentient Blade
|
Posted - 2011.04.01 11:24:00 -
[54]
The paranoia is coming from what appears to be the more technically skilled group of players, in which I include myself... it's kinda what working in the industry does for you.
Personally I would like CCP to state clearly that it will not tolerate any kind of meta-gaming using privileged or authenticated resources. These are tied to the security of the account / client and should be strictly off limits.
If a person were to fall to an attack via the IGB that person should be suitably reimbursed and the logs examined to put the offending website on a blacklist so it cannot be accessed via the IGB again.
With such 'secret attacks' and such there really is no difference between manipulating the user's client without their knowledge, and flat out adding an exploit to the browser renderer.
|

Thebriwan
LUX Uls Xystus
|
Posted - 2011.04.01 11:48:00 -
[55]
Hello!
When I first saw a new IGB Dev blog I was like: \o/
The new headers are very nice.
BUT: What in the seven hells am I going to do with the new functions?
Tho most things on the list can be achieved with a minimal number of clicks.
What I really want is to simplify things with massive click counts like producing, inventing or research.
A function like:
produceItem(<blueprintLocationId>,<stationOfProductionLineId>,<materialHangarId>,<productHangarArray>,<numberOfRuns>)
should open the production Dialog FILLED OUT - so that what takes like 5 to 10 clicks and an input of numbers could be minimalized to 2 simple clicks.
|

Ariane VoxDei
|
Posted - 2011.04.01 11:49:00 -
[56]
Originally by: CCP Laurelle
Originally by: Ariane VoxDei
One thing stands out though. "(new) showContents(stationID, itemID)" Once you accumulate all your containerIDs, with matching stationID, then this stuff can be used to track your inventory. Provided you do a bit of work to get a copy of the response and run a "adequate" set of scripts on it..
Okay, looks like some misunderstandings need clearing up...
- All the new javascript functions require the website to be trusted which is something that the user explicitly selects.
- showContents simply opens up an in-game UI and doesn't pass any information over to the website
Dear Laurelle, I think you have misunderstood my view of that particular call, as well as not addressing what appears to be a misinterpretation, on my part, of its actions, based on a lack of documentation of its behaviour.
I do not see it as a snoop vector. I did however envision it as showing you, in the IGB, the contents of the container, very much like the "view contents" context menu in the Assets window. Now, if that were the case, e.g. getting an inventory list in a table in the IGB, you could then, for your own purposes, sc**** that info into a DB, and thus, eventually, get a complete inventory list that is updated each time you use a specially crafted webpage. It is "merely" a matter of snooping on the connection of the IGB - or making a copy&paste from the page. That could, with some work, be funnelled into a local DB (let's say mysql) that keeps track of your assets for you.
Unfortunately, you just told me that it does not view the contents in the IGB, it instead opens an ingame window. Something which I find a lot less useful, but I suppose someone must have had a use for it.
|

Cheapo Hobo
|
Posted - 2011.04.01 12:08:00 -
[57]
The so-called blog was absolute poppy talk to me. I ain't no browser programmer and I wouldn't code my way out of a cow's barn even if my flashlight was on.
|

mkmin
|
Posted - 2011.04.01 16:18:00 -
[58]
Originally by: Cheapo Hobo The so-called blog was absolute poppy talk to me. I ain't no browser programmer and I wouldn't code my way out of a cow's barn even if my flashlight was on.
Then maybe you should try not talking.
|

Abinadi9
NerdHerd
|
Posted - 2011.04.01 17:05:00 -
[59]
Edited by: Abinadi9 on 01/04/2011 17:06:07
CCP (whomever),
How hard would it be to add, before these changes are released, EVE_FLEETID (and maybe EVE_FLEETBOSS as a boolean) as an HTTP header? EVE_FLEETID would consist of nothing more than the internal ID number for the fleet you were in and NO OTHER specifics like membership count, description, etc. This is of course assuming that fleets are assigned some kind of unique identifier.
As far as "nearest celestial to the http header" feature, this would be VERY nice however, givemoney, IMHO, would be pretty dangerous. The more information you can give to a trusted website about actual current game play, the better, I believe. Not assets or stuff like that, but system, near here or there, ship type, etc.
The new HTTP headers are a very good step in the right direction.
Thank you! |
|

CCP Orion

|
Posted - 2011.04.01 17:53:00 -
[60]
Thanks for all the feedback, good stuff, contradicting perhaps but all good :) The goal of exposing you guys to these changes on SISI is to figure out a meaningful set of features without exposing players to grief and "electronic warfare". The build currently on SISI is a first stab at that, we'll iterate on that the next weeks, and keep you posted on progress. Cheers.
|
|

Abinadi9
NerdHerd
|
Posted - 2011.04.01 18:08:00 -
[61]
Originally by: CCP Orion The goal of exposing you guys to these changes on SISI is to figure out a meaningful set of features without exposing players to grief and "electronic warfare".
Is there a road map beyond the current feature set on SISI for future features of the IGB? If so, would it be possible to get an idea of what CCP would like to do with it long term?
Maybe this already exists and I haven't searched long enough...
|

Salpun
Gallente Paramount Commerce
|
Posted - 2011.04.01 18:25:00 -
[62]
A dev blog of IGB tools already made and where to find them/ how to use them would be helpful, maybe add a forum header about them in the new forums. A specific api authorisation for the IGB would also be nice.
|

Abinadi9
NerdHerd
|
Posted - 2011.04.01 18:52:00 -
[63]
Originally by: Salpun A dev blog of IGB tools already made and where to find them/ how to use them would be helpful, maybe add a forum header about them in the new forums. A specific api authorisation for the IGB would also be nice.
There is a website, on the wiki that is pretty good for current development needs.
I think the IGB is a pretty good browser overall, but honestly I'd like to see things like "we do or do not plan on enabling plugins" in the future, here are a lot of the ideas we're considering, future javascript methods we're working on, etc. Once they hit SISI, it's cool and all but developers like to know where things are going so they can plan and think.
|

Salpun
Gallente Paramount Commerce
|
Posted - 2011.04.01 19:01:00 -
[64]
Thanks for the link. The masses will need pictures though before they will understand how helpful the IGB can be.
|

Ariane VoxDei
|
Posted - 2011.04.01 21:45:00 -
[65]
Originally by: Salpun Thanks for the link. The masses will need pictures though before they will understand how helpful the IGB can be.
Regarding security, something similar seems to be true.
"Yes yes, I trust your site, now, here, trust my fake headers... how can you refuse, I logged them from the users at my 'trusted' site." Unless there is no access without a login - not merely based on having the right characterID or corpID in the header. All too many think that headers = honest IGB = can be trusted. While anyone with even rudimentary knowledge of the workings of HTTP requests knows that it is trivial to tamper with. Don't need any shady hacks.
With just a little sleight of hand, you are always, if someone believes the headers: in a titan in system:jita in region:insmother in constellation:okkelen in corp:goonwaffe role:ceo/all in alliance:IT and you are:ricdic. Of course all patently false and contradictory.
It's not that we are against functionality, but security has to come with it.
Also this sort of thing leaks too much information. The API guys have realized this and are working on breaking down API access to custom keys, giving access to just those bits that you decide.
Going this way of "all or nothing" will just end in a lack of features or lack of adoption, as people, and rightly so, refuse to use it.
|
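Added example, not part of any post in this thread and not CCP's or any site's code: a server-side check that believes IGB-style identity headers, next to one that takes identity only from a session the server signed after a login. The header names (modelled on the HTTP_EVE_* style quoted above), the token layout and all IDs are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed header names, modelled on the HTTP_EVE_* style quoted in this thread.
const HDR_CHAR = 'eve_charid';
const HDR_CORP = 'eve_corpid';
const SESSION_KEY = crypto.randomBytes(32); // server secret, never leaves the server

function sign(payload) {
  return crypto.createHmac('sha256', SESSION_KEY).update(payload).digest('hex');
}

// Weak check: believes whatever the request headers claim.
function corpAccessByHeaders(req, allowedCorpId) {
  return req.headers[HDR_CORP] === String(allowedCorpId);
}

// Called only after a real login (how the login works is out of scope here).
function issueSession(charId, corpId, now = Date.now()) {
  const payload = [charId, corpId, now + 3600000].join('.');
  return payload + '.' + sign(payload);
}

// Hardened check: identity comes from the signed session, never from headers.
function corpAccessBySession(req, allowedCorpId, now = Date.now()) {
  const token = req.cookies ? req.cookies.session : undefined;
  if (typeof token !== 'string') return { ok: false, reason: 'no-session' };
  const parts = token.split('.');
  if (parts.length !== 4) return { ok: false, reason: 'malformed' };
  const [charId, corpId, expires, mac] = parts;
  const given = Buffer.from(mac, 'hex');
  const expected = Buffer.from(sign([charId, corpId, expires].join('.')), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (Number(expires) < now) return { ok: false, reason: 'expired' };
  if (corpId !== String(allowedCorpId)) return { ok: false, reason: 'wrong-corp' };
  // Headers that disagree with the session are worth logging, not trusting.
  const claimed = req.headers[HDR_CHAR];
  return { ok: true, charId, headerMismatch: claimed !== undefined && claimed !== charId };
}

// Constructed sample requests (all IDs are made up).
const CORP = 98000001;
const replayed = { headers: { eve_charid: '90000001', eve_corpid: '98000001' }, cookies: {} };
const member = {
  headers: { eve_charid: '90000001', eve_corpid: '98000001' },
  cookies: { session: issueSession('90000001', '98000001') },
};
const outsider = {
  headers: { eve_charid: '90000001', eve_corpid: '98000001' }, // copied headers
  cookies: { session: issueSession('90000002', '98000002') },  // own real login
};
```

The header-only check accepts `replayed`; the session check rejects it, and for `outsider` it ignores the copied headers and decides on the corp ID inside the signed token.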

Abramul
Gallente StarFleet Enterprises -Mostly Harmless-
|
Posted - 2011.04.01 23:37:00 -
[66]
Edited by: Abramul on 01/04/2011 23:37:39
Echoing one of the points several people have made, and adding a couple of my own:
1: It's essential that the user be able to control, site by site and browser-wide, exactly what functions can be used. Additionally, all actions beyond showinfo and such should pop a confirmation request, with the option to autoaccept that type of request for only the site you're on.
2: Sites need the option to verify at least character ID. Again, you'll want a confirmation request to the effect of "Yes, it's OK for CCP to confirm that I am, in fact, character X. I understand that this may allow the requesting site to connect my IP with my character." I have in my time playing seen only one application that used trusted-site functionality to verify user ID; the CVA KOS checker, which might as well have been public anyway. (API, on the other hand, is all over, and still isn't actual verification)
3: All actions initiated by trusted sites should cause audio notifications and log entries. Should range from a full "Autopilot route changed" to a beep for stuff like contact changes.
I would also recommend offering an ISK prize for successful (private) demonstrations of attacks using these features, even if you're confident they're impossible.
(P.S. Any chance of allowing the IGB to download files, even if only from Eveonline.com?)
|
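Added example, not part of any post in this thread and not how the IGB is implemented: a sketch of the per-site, per-function trust model several posters ask for, with confirmation on side-effecting calls, per-site auto-accept and a log entry for every request. The function names are the ones quoted in the thread; the `TrustGate` class, the site URLs and the IDs are hypothetical.

```javascript
// Sketch of a per-site, per-function trust gate. The function names are the
// ones quoted in this thread; the gate itself is hypothetical.
const UI_ONLY = new Set(['showInfo', 'showContents']); // open a window, change nothing

class TrustGate {
  constructor(confirm) {
    this.confirm = confirm;  // stand-in for an in-client dialog: 'yes' | 'always' | 'no'
    this.grants = new Map(); // origin -> Map(functionName -> 'ask' | 'auto')
    this.log = [];           // every site-initiated request, allowed or not
  }

  grant(origin, fn) {
    if (!this.grants.has(origin)) this.grants.set(origin, new Map());
    this.grants.get(origin).set(fn, 'ask');
  }

  revoke(origin) { this.grants.delete(origin); }

  request(origin, fn, args) {
    const site = this.grants.get(origin);
    let outcome;
    if (!site || !site.has(fn)) {
      outcome = 'denied-not-granted';            // trust is per function, not all-or-nothing
    } else if (UI_ONLY.has(fn)) {
      outcome = 'allowed';
    } else if (site.get(fn) === 'auto') {
      outcome = 'allowed-auto';
    } else {
      const answer = this.confirm(origin, fn, args);
      if (answer === 'always') site.set(fn, 'auto'); // this site and this function only
      const accepted = answer === 'yes' || answer === 'always';
      outcome = accepted ? 'allowed-confirmed' : 'denied-by-user'; // anything else fails closed
    }
    this.log.push({ origin, fn, args, outcome });
    return outcome;
  }
}

// Constructed scenario: a tool site holds three grants, then a script injected
// into that site also tries calls it was never granted.
function runScenario() {
  const answers = ['always', 'no']; // scripted user clicks, in order
  const gate = new TrustGate(() => answers.shift() || 'no');
  const site = 'https://tool.example';
  ['showInfo', 'sendMail', 'addBounty'].forEach((fn) => gate.grant(site, fn));
  const results = [
    gate.request(site, 'showInfo', [587]),
    gate.request(site, 'sendMail', ['fleet op at 20:00']),
    gate.request(site, 'sendMail', ['reminder']),
    gate.request(site, 'addBounty', [90000001, 1000000]),
    gate.request(site, 'removeContact', [90000001]),
    gate.request('https://other.example', 'sendMail', ['hi']),
  ];
  return { results, logged: gate.log.length };
}
```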

Batolemaeus
Caldari Free-Space-Ranger Morsus Mihi
|
Posted - 2011.04.02 00:00:00 -
[67]
Originally by: CCP Orion Thanks for all the feedback, good stuff, contradicting perhaps but all good :) The goal of exposing you guys to these changes on SISI is to figure out a meaningful set of features without exposing players to grief and "electronic warfare". The build currently on SISI is a first stab at that, we'll iterate on that the next weeks, and keep you posted on progress. Cheers.
Does that mean you'll prevent automated convo spam ddos by limiting the igb functionality? Current GM ruling is that this is a game feature, and I'd be very sad to see it get limited. (I'd rather see the GMs responsible for this idiocy replaced with competent people instead of an actual developer nerfing functionality to partly compensate for the morons in the GM department who encourage people to abuse client flaws that would need to be fixed by someone else entirely..)
|

Nooo Waaaay
|
Posted - 2011.04.03 15:18:00 -
[68]
Where can I get those fittingID data?
|

Dorn Val
|
Posted - 2011.04.05 06:21:00 -
[69]
I'd like to see bigger buttons in the upper left hand corner so I can minimize the IGB without accidentally closing it -or is that how CCP griefs players :)
Also it would be cool to see Adobe Flash Player support -I think that's what YouTube uses. Very common to be on fleet ops and a corp mate will drop a video link into chat that he wants peeps to watch and I have to leave the game to see it.
|