From 22470fcce5793e4b53069aed1abf608170ed19ff Mon Sep 17 00:00:00 2001 From: Muffin Date: Tue, 15 Oct 2024 00:34:43 -0500 Subject: [PATCH] Disable enforcePrivacy in packaged projects The threat model of enforcePrivacy is so that people can open up sb3 files in the editor and not worry about their webcam being streamed to an attacker if the project doesn't use any unsandboxed custom extensions. That threat model doesn't really make sense in the packager when we're generating HTML files. --- src/packager/packager.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/packager/packager.js b/src/packager/packager.js index 7b9db77a..606034da 100644 --- a/src/packager/packager.js +++ b/src/packager/packager.js @@ -1585,6 +1585,9 @@ cd "$(dirname "$0")" }); if (vm.renderer.setMaxTextureDimension) vm.renderer.setMaxTextureDimension(${this.options.maxTextureDimension}); + // enforcePrivacy threat model only makes sense in the editor + if (vm.runtime.setEnforcePrivacy) vm.runtime.setEnforcePrivacy(false); + if (typeof ScaffoldingAddons !== 'undefined') { ScaffoldingAddons.run(scaffolding, ${JSON.stringify(this.getAddonOptions())}); }