Discuss Scratch

Dhananjaya
Scratcher
22 posts

Turbowarp & Forkphorus accessing unshared projects on Scratch

Both Turbowarp and forkphorus can access scratch projects that are not shared. I don't know why, but it looks like an API / authorization bug in Scratch that enables them to access these projects.

Below is an example project that is not shared on scratch but shows up on both of these sites:
https://turbowarp.org/#413702673
https://forkphorus.github.io/#413702673

Doesn't this violate some scratch promise that projects will not be publicly visible unless they are explicitly shared?

They also can access old/archived projects that are no longer available on scratch which also feels like it is wrong.
https://turbowarp.org/#1
https://forkphorus.github.io/#1

Last edited by Dhananjaya (Sept. 17, 2020 20:48:39)

Dhananjaya
Scratcher
22 posts

This is due to a Scratch API bug as per the forkphorus team:

https://github.com/forkphorus/forkphorus/issues/311

Dhananjaya
Scratcher
22 posts

I didn't know about it…so it is not as common as you may believe it is.

It is also a violation of scratch's promise to kids about their privacy.

Last edited by Dhananjaya (Aug. 23, 2020 23:18:02)

BobzGamesAlt
Scratcher
500+ posts

Dhananjaya wrote:

> It is also a violation of scratch's policy to kids about their privacy.

Could you please specify what in specific it's violating?

Dhananjaya
Scratcher
22 posts

You mean that projects that are “not shared” are available to everyone in the world?
BobzGamesAlt
Scratcher
500+ posts

Dhananjaya wrote:

> You mean that projects that are “not shared” are available to everyone in the world?

No, I'm asking what rules this is violating, could you please copy and paste them here.

Bharata
Scratcher
1 post

I don't know if there is an explicitly mentioned rule…it certainly is implied.

The only instance where unshared projects are supposed to be visible (as mentioned anywhere in the scratch wiki) is to the scratch team. There is no mention that unshared projects are available to the world at large.

There certainly is an implication of what “Shared” and “unshared” mean as per the common dictionary.
mtech22
Scratcher
1000+ posts

Anything you make online is public. Even if it's not shared. If you don't want it to be public, make it offline or not at all. Scratch Team even made a website to do this. (That is public.)

Last edited by mtech22 (Aug. 24, 2020 02:19:20)

Dhananjaya
Scratcher
22 posts

Are you on the scratch team to be making policy statements on behalf of scratch!?
BobzGamesAlt
Scratcher
500+ posts

Dhananjaya wrote:

> Are you on the scratch team to be making policy statements on behalf of scratch!?

They are simply relaying information from the ST, as most mods are offline right now.

Dhananjaya
Scratcher
22 posts

What is the “ST”?
Flowermanvista
Scratcher
1000+ posts

Dhananjaya wrote:

> What is the “ST”?

Scratch Team

UT_NOOB
Scratcher
23 posts

Dhananjaya wrote:

> What is the “ST”?

ST=Scratch Team

LilyMakesThings
Scratcher
100+ posts

Dhananjaya wrote:

> I didn't know about it…so it is not as common as you may believe it is.
>
> It is also a violation of scratch's promise to kids about their privacy.

From what I know people basically use turbowarp to share unshared projects for beta testing. It's pretty common knowledge that scratch projects can be accessed via the api. I also don't see the problem here, as long as a user doesn't have the Project ID they can't view it.

84375
Scratcher
500+ posts

LukeManiaStudios wrote:

> Dhananjaya wrote:
>
> > I didn't know about it…so it is not as common as you may believe it is.
> >
> > It is also a violation of scratch's promise to kids about their privacy.
>
> From what I know people basically use turbowarp to share unshared projects for beta testing. It's pretty common knowledge that scratch projects can be accessed via the api. I also don't see the problem here, as long as a user doesn't have the Project ID they can't view it.

In my opinion, it is the owner's responsibility to keep their unshared projects' links private so that the risk of another Scratcher viewing it is minimized. Being able to view unshared projects on platforms such as Turbowarp can actually be very helpful in situations where feedback is wanted from specific people, but the owner isn't ready to publicly share the project yet.

However, I have to admit that people could potentially type in random project numbers into the URL, leading to a significant chance of someone being able to access an unshared project, both appropriate and the opposite. It could potentially benefit the Community to do something about it, but there still is good in it.
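
Added example, not part of any post in this thread and not Scratch's own code: the posts above treat the numeric project ID as the only secret, so this sketch puts an ID-only lookup beside one that checks shared status, ownership, or an owner-issued preview token (which keeps the beta-testing use case). The store, field names and function names are hypothetical, and `user` is assumed to come from an authenticated session.

```python
import hashlib
import hmac
import secrets

# Constructed sample store; field names are hypothetical, not Scratch's schema.
PROJECTS = {
    101: {"owner": "alice", "shared": True, "json": '{"targets": []}'},
    102: {"owner": "alice", "shared": False, "json": '{"targets": ["draft"]}'},
}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def fetch_by_id_only(project_id):
    """Behaviour described in the thread: knowing the numeric ID is sufficient."""
    project = PROJECTS.get(project_id)
    return project["json"] if project else None


def _preview_mac(project_id):
    # Keyed MAC over the project ID: unguessable, unlike the sequential ID itself.
    msg = f"preview:{project_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_preview_token(project_id, user):
    """Only the owner may mint a link token to hand to chosen testers."""
    project = PROJECTS.get(project_id)
    if project is None or project["owner"] != user:
        raise PermissionError("not the project owner")
    return _preview_mac(project_id)


def fetch_authorized(project_id, user=None, token=None):
    """Serve only if shared, requested by the owner, or opened with a valid token."""
    project = PROJECTS.get(project_id)
    if project is None:
        return None
    if project["shared"] or (user is not None and user == project["owner"]):
        return project["json"]
    expected = _preview_mac(project_id).encode()
    if token is not None and hmac.compare_digest(token.encode(), expected):
        return project["json"]
    return None  # same answer as "no such project", so IDs cannot be probed
```
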
mlcreater
Scratcher
1000+ posts

I think it's cool because people in Help with Scripts can get help without sharing their project.
Chirover
Scratcher
78 posts

Scratch is open-source so you can basically access any data without signing in (there are exceptions) … this doesn’t break any rules as you can get the project JSON just using the API, and turbowarp basically does what Scratch wants us to do with the API … and you can’t access a project without the project ID (the number in the link of a project) … so to keep stuff private:

  • Don’t share your project IDs.
  • Don’t love OR fave unshared projects.


If you can’t go without this, then use the offline editor.

Last edited by Chirover (Feb. 1, 2021 03:01:09)

46009361
Scratcher
1000+ posts

Same with Phosphorus, which only works for .sb2 files. You can also download the project by going to https://projects.scratch.mit.edu/project-ID; adding a slash at the end of the above-mentioned URL leads to the contents of the project.json file of the unzipped folder (Scratch project files are technically .zip files with the extension changed).

Chirover wrote:

> -snip-
>   • Don’t share your project IDs.
>   • Don’t love OR fave unshared projects.
> -snip-

Yes, I've noticed people that love or favourite unshared projects; either the original project owner unshares it later or the project was never shared. A better solution would be to make a checkbox that allows or prevents others from viewing the project on external, third-party .sb(2/3) file renderers, while keeping that unchecked by default for a good user experience (but forced to be checked and unchecking disabled until the project is unshared again); however, that is better off on a new forum thread in Suggestions.

Last edited by 46009361 (Feb. 1, 2021 03:11:57)

46009361
Scratcher
1000+ posts

Dhananjaya wrote:

> https://turbowarp.org/#1
> https://forkphorus.github.io/#1

These are still technically on the Scratch database — they're not “no longer available on Scratch” (capitalization fixed).

-InsanityGames-
Scratcher
500+ posts

I think this will go down similarly to another infamous website that let you see removed content: forums.scratchstats.com
But this time, it can be used to abuse.
Two people make one project each, and then they open the other's project in forkphorus or TurboWarp. In both of the projects, there is a cloud variable that encodes and decodes messages.
They can abuse this to private message.
