How to get around mBlock IDE's sandbox? (location.href & location.pathname)

Best_codes · 2023-12-16 14:51:31 UTC

mBlock block’s codes are run in a sandboxed environment (on a “VM”, or Virtual Machine in the browser), so block’s functionality is limited. Otherwise, people could easily make malicious extensions that interacted with mBlock’s data or your account data in potentially harmful ways.

See

https://builtin.com/software-engineering-perspectives/sandbox-environment
and
https://www.proofpoint.com/us/threat-reference/sandbox

@KakiIn

So to answer your question, some scripts cannot execute without mBlock’s permission (you could try to contact mBlock and have them make an exception for you).

KakiIn · 2023-12-16 15:04:12 UTC

Yes, I have seen that (even before you, read the discussion again)

BUT there is a “User name” block in the Captors block, so those datas must be available somewhere, must not they?

Best_codes · 2023-12-16 15:05:08 UTC

Where are these blocks? I have never seen a username block in mBlock.

@KakiIn

KakiIn · 2023-12-16 15:17:02 UTC

You’re right, there is not any… Maybe I am confusing with Scratch so

Seems more logic now

But it is a huge problem for my extension, because everyone have to choose a different lounge name, and if someone know one of them, it can easily “hack” to scripts for all users

Best_codes · 2023-12-16 15:18:57 UTC

@KakiIn Yeah, you can do unsandboxed JavaScript in TurboWarp, a scratch mod similar to mBlock but without devices. It has many JavaScript extensions:

https://turbowarp.org/
https://turbowarp.org/editor
https://extensions.turbowarp.org/

KakiIn · 2023-12-16 15:22:23 UTC

WOW never seen that! But if I understand, I will have to move from mBlock to turbowarp

And so I will also have to remove the extension from mBlock (for security reason, because if it can work better, I won’t make problems for mBlocks users)

Or you said I can ask to the staff?

Best_codes · 2023-12-16 15:25:01 UTC

@KakiIn Yes, if you want to use JS blocks, TurboWarp is probably the best option. TurboWarp doesn’t support devices, which is about its only drawback. That’s when mBlock is very helpful, to code mBots or Arduinos or something.

Yes, you can contact mBlock via email
support@makeblock.com
but I don’t know if their tech support is very involved in extension building stuff. You can always try!