Another update: Yes, it was web security!
Google AI says it has to do with the strict origin policy. I was on the path of checking this anyhow because the old install instructions had a line about Chrome/Chromium requiring a special flag.

If you run
chrome.exe --allow-file-access-from-files
you can open the old version just fine and the bestiary loads. If you don't have this flag, the tables stay empty.

For Firefox you apparently need to set some stuff in about:config but I'm too lazy to test that.

I will now angrily shake my fist at the heavens for Silicon Valley has once again ruined my favorite software

RT: https://poa.st/objects/87bc514a-b5a0-440e-aca2-ef773d83463a
@sickburnbro I'm not a security expert and I thought the same but when I rotate the problem in my head I immediately start thinking about symlinks, relative paths or the simple fact that an attacker might just tell you to drop the "helpful script" straight into ~/ or C:\Users\USERNAME

I imagine this might be a bit more complex. But it is a shame, yes. This change means simple HTML sites simply won't work locally anymore and I reckon there were a couple other neat use cases apart from tabletop RPG piracy lol
@hazlin @sickburnbro thanks old bean, yes they have this as an alt option

I looped back around to sbb's opinion on it though. because the fix to "this script can exfiltrate data when you are allowed to run it" is "run a python command" which of course by default ALSO has access to all user-readable files and can exfiltrate them to the web...

what are we doing here, computerbros. Thought ourselves into a hole again, haven't we?

@hazlin @sickburnbro whoops I guess I kinda lost you. I posted the reasoning for why 5etools doesn't work locally in another reply to my OP. The browsers blocked this behavior.
The reason is that if you can read file:// from file:// then a malicious script could exfil anything on your drive. That's what I was referring to because sbb made a good point that this is kinda pointless and you can just as well sandbox it to its directory. Which running npm serve or the python thingy does btw.
@hazlin @sickburnbro yeah I guess so. I was hoping I could avoid serving in a web server for portability reasons. My assumption was that this was a change the 5etools devs made for their own development convenience or "new shiny" or something like this. But it turns out it's literally not possible to do it like they had it before, and have modern browsers open the page.

I'll have to do it with the python thing I guess. Idk yet. My idea was actually to clone 5etools for another system but it's now 2 hours later and I haven't even started lol
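A confined stand-in for "the python thing" from the two posts above, added here as an example; it is not code from 5etools or from anyone in the thread. It serves one folder (the 5etools checkout is assumed to be the argument) over http://127.0.0.1, so the page is no longer a file:// origin and its JSON fetches are same-origin again, while refusing any request that would resolve outside that folder, symlinks and percent-encoded ".." included, and staying off the LAN by binding only to loopback.

```python
"""Loopback-only static server confined to a single directory (constructed example)."""
import functools
import sys
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit


def resolve_safe(root: Path, url_path: str) -> Optional[Path]:
    """Map a request path onto a file under root, or None if it escapes root.

    The candidate is fully resolved (symlinks, "..", percent-encoding) before
    the containment check, so a symlink inside the served folder that points
    at ~/ or C:\\Users\\USERNAME is rejected rather than followed.
    """
    root = root.resolve()
    rel = unquote(urlsplit(url_path).path).lstrip("/")
    candidate = (root / rel).resolve()
    if candidate == root or root in candidate.parents:
        return candidate
    return None


def is_confined(root: str, url_path: str) -> bool:
    """Convenience wrapper: True if url_path stays inside root."""
    return resolve_safe(Path(root), url_path) is not None


class ConfinedHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler plus an explicit containment check per GET."""

    def do_GET(self) -> None:
        if resolve_safe(Path(self.directory), self.path) is None:
            self.send_error(403, "Request escapes the served directory")
            return
        super().do_GET()


def serve(root: str, port: int = 8080) -> None:
    """Serve root on 127.0.0.1 only; other machines on the network get nothing."""
    handler = functools.partial(ConfinedHandler, directory=root)
    with ThreadingHTTPServer(("127.0.0.1", port), handler) as httpd:
        print(f"Serving {root} at http://127.0.0.1:{port}/ (Ctrl+C to stop)")
        httpd.serve_forever()


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as `python confined_server.py path/to/5etools` and open http://127.0.0.1:8080/ in the browser; the bestiary tables load because the JSON is now fetched from the same http origin instead of from file://.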