Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 22 Jul 2012 08:15 PM |
When you enter a game, for every LocalScript, ScriptContext sends a request to a certain page to check if the Script is blacklisted. I believe the intention is to prevent Free Models Scripts with viruses from running. The problem is that exploiters can modify the responses from that page using a tool such as Fiddler to disable all LocalScripts from running, which is useful in preventing anti-exploiter Scripts from interfering.
Additionally, for some reason this page returns a false positive whenever a new Gear comes out. For the first couple of days calls to InsertService::LoadAsset will return the Model without any Scripts which would otherwise have been there.
Another reason to remove it is that it slows up the process of LocalScripts running, giving a few seconds delay. Since the LocalScript originates on the server, or is returned from a call to InsertService::LoadAsset, it would be simple for servers to load the entire list of blacklisted Scripts into their memory before they start, and then remove Scripts that match the hashes whenever they appear at any point in the game. |
|
|
|
|
|
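
Added example, not part of the original thread and not Roblox's code: a Python illustration of the server-side approach proposed in the post above, where the server holds the hash list in memory and strips matching Scripts from a loaded asset before any client receives it. The asset tree layout, the use of SHA-256, and all names and sample data are assumptions made for illustration.

```python
import hashlib

# Constructed sample data: script sources and names are made up for this example.
BAD_SOURCE = "while true do end -- constructed stand-in for a blacklisted script"
BLOCKLIST = frozenset({hashlib.sha256(BAD_SOURCE.encode("utf-8")).hexdigest()})


def script_hash(source: str) -> str:
    """Hash the exact source text; any edit to the source changes the hash."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def strip_blacklisted(node: dict, blocklist: frozenset) -> list:
    """Remove blacklisted scripts from an asset tree in place; return their names.

    `node` is a hypothetical asset representation:
    {"name": str, "kind": "Model" | "Script" | "LocalScript",
     "source": str (scripts only), "children": [...]}
    """
    removed, kept = [], []
    for child in node.get("children", []):
        is_script = child["kind"] in ("Script", "LocalScript")
        if is_script and script_hash(child.get("source", "")) in blocklist:
            removed.append(child["name"])
            continue  # dropped on the server, so no client-side verdict is needed
        removed.extend(strip_blacklisted(child, blocklist))
        kept.append(child)
    node["children"] = kept
    return removed


def load_asset_on_server(asset: dict, blocklist: frozenset) -> dict:
    """Server-side load: filter first, then hand the cleaned tree to replication."""
    removed = strip_blacklisted(asset, blocklist)
    return {"asset": asset, "removed": removed}


GEAR = {  # constructed sample asset
    "name": "Gear", "kind": "Model", "children": [
        {"name": "Handle", "kind": "Model", "children": [
            {"name": "Infected", "kind": "Script", "source": BAD_SOURCE, "children": []},
        ]},
        {"name": "ToolLocal", "kind": "LocalScript", "source": "print('ok')", "children": []},
    ],
}

if __name__ == "__main__":
    print(load_asset_on_server(GEAR, BLOCKLIST)["removed"])
```

Because the decision is made where the asset is loaded, there is no per-script verdict travelling to the client that a local proxy could rewrite.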
| 22 Jul 2012 08:16 PM |
> entire list of blacklisted scripts
> requesting over 2 TB every time a new server is made
...I don't see how that'll work. |
|
|
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 22 Jul 2012 08:16 PM |
| Note: the individual requests to that page do not take a few seconds. I was referring to when I opened my game in play solo and it made some 40 requests to that page. |
|
|
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 22 Jul 2012 08:17 PM |
| I meant request a full list of the hashes of blacklisted Scripts. I didn't want to go into too much detail because obviously exploiters can abuse this. |
|
|
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 22 Jul 2012 08:18 PM |
| And if the list of hashes is indeed excessive, then at least the server itself could make the requests, not the client. |
|
|
|
|
|
| 22 Jul 2012 08:20 PM |
| InsertService isn't really that useful anymore, anyways. And the whole trusted model thing was a big blow-up. I say they should just remove both, or make it like before where InsertService would let you insert anything in public domain. |
|
|
|
|
NotATrap
|
  |
| Joined: 08 Dec 2010 |
| Total Posts: 26 |
|
|
| 22 Jul 2012 08:29 PM |
I'm sorry, but that won't exactly work. The entire point of LocalScripts is that the remote client executes the code, so the server would have to tell the client if the hash passes inspection or not anyways. It's currently:
LocalScript created -> ScriptContext approves -> Client runs
While you would have it:
LocalScript created -> Game server sends http packet -> Game server sends auth -> Client runs
Which would only increase the load on the server, and even then, I'm not entirely sure LocalScripts' Source even IS replicated to the server. In either case, you could still man-in-the-middle either the ScriptContext http packet or the server's auth packet. |
|
|
|
|
MrNicNac
|
  |
| Joined: 29 Aug 2008 |
| Total Posts: 26567 |
|
|
| 22 Jul 2012 08:37 PM |
| Just make your game and stop worrying about technical junk.... |
|
|
|
|
Seranok
|
  |
| Joined: 12 Dec 2009 |
| Total Posts: 11083 |
|
|
| 22 Jul 2012 08:47 PM |
| I already made my game. I just hate when new Gear don't work for 2 days cause of some fail validation... |
|
|
|
|
|
| 22 Jul 2012 09:25 PM |
@Techboy6601
The InsertService isn't useless at all.
I use it a lot. |
|
|
|
|
xSIXx
|
  |
| Joined: 06 Aug 2010 |
| Total Posts: 9202 |
|
|
| 22 Jul 2012 09:29 PM |
why is roblox not promoting free model viruses?
seriously, this makes no sense. for a game based on creativity, there has to be a massive downside of using public domain scripts. |
|
|
|
|
|
| 22 Jul 2012 09:39 PM |
| Because the second some clueless parent hears the word "virus"... |
|
|
|
|
|
| 22 Jul 2012 09:44 PM |
| Why do we call them viruses? They should be called self-destructive punishment machines. Yeah, SDPMs. |
|
|
|
|
|
| 22 Jul 2012 09:46 PM |
| You mean electric chairs duct-taped to suicide bombs? |
|
|
|
|
| |
|
|
| 22 Jul 2012 09:58 PM |
| lol, he confused arceus :3 |
|
|
|
|
agent767
|
  |
| Joined: 03 Nov 2008 |
| Total Posts: 4181 |
|
|
| 22 Jul 2012 09:58 PM |
| I would now say something that could be considered "unsafe" for small children (that's why we have wargroups/wargames) and just say meh. |
|
|
|
|
|
| 22 Jul 2012 10:00 PM |
@arceus
Self ] Suicide
Destructing ] Bomb
Punishment ] Electric
Machine ] Chair |
|
|
|
|
|
| 22 Jul 2012 10:06 PM |
"Self ] Suicide Destructing ] Bomb Punishment ] Electric Machine ] Chair"
I don't know how you derived those words from SDPM, but I'm going to need to confiscate your brain for further testing. |
|
|
|
|
agent767
|
  |
| Joined: 03 Nov 2008 |
| Total Posts: 4181 |
|
| |
|
| |
|
slayer219
|
  |
| Joined: 15 Nov 2008 |
| Total Posts: 3445 |
|
|
| 23 Jul 2012 04:11 AM |
| *how about we just let him go?* |
|
|
|
|
|
| 23 Jul 2012 04:14 AM |
I'm sorry, but that won't exactly work. The entire point of LocalScripts is that the remote client executes the code, so the server would have to tell the client if the hash passes inspection or not anyways. It's currently:
LocalScript created -> ScriptContext approves -> Client runs
While you would have it:
LocalScript created -> Game server sends http packet -> Game server sends auth -> Client runs
Which would only increase the load on the server, and even then, I'm not entirely sure LocalScripts' Source even IS replicated to the server. In either case, you could still man-in-the-middle either the ScriptContext http packet or the server's auth packet.
|
|
|
|
|
Merely
|
  |
| Joined: 07 Dec 2010 |
| Total Posts: 17266 |
|
|
| 23 Jul 2012 11:57 AM |
@tonykaree13
I'm 99% sure that LoadAsset actually occurs on the server, to prevent people from injecting arbitrary XML. So the call to the script validation page can occur then. It's not going to take any more time... |
|
|
|
|
|
| 23 Jul 2012 11:59 AM |
@tonykaree13
Why do you re-post things posted by other people? |
|
|
|
|