Add COSTUME FROM URL and SOUND FROM URL blocks #3505
Conversation
This is to avoid an error in the console when the user stops the block before it's finished loading the costume/sound.
|
I found out that the way I was doing it before would make all external costumes be tainted, which isn't ideal, so it really is best to handle cors. It also now reports an svg costume if the external resource is an svg image. |
|
thanks, this is super nice! Please be patient with me as it might take me a couple of weeks until this gets pulled, but I promise it will be :) |
| cst: null, | ||
| svg: false, | ||
| }; | ||
| context.accumulator.img.onload = function () { |
There was a problem hiding this comment.
This still has a potential to load an image that's tainted, does it not?
I think, though I forget where I last landed on this is that if you fetch the file regardless, then convert it to an object URL we will not taint the image.
There was a problem hiding this comment.
The only way that I can think of it being tainted, is if the svg contains a link pointing to an external resource. The code here is already doing a fetch and converting it to an object url, so the resulting image should only contain the image data, not the source.
3 participants
This pull request adds two new blocks to the Web services access (https) library to load costumes and sounds from a url. This also adds the
snd_load(url)extension function, which is used by the SOUND FROM URL block.Some notes:
cst_load(url)doesn't handle svg images, so if a user enters a url to an svg, it will will return it as a bitmap costume. I think I know how to do this, but the way I'm thinking will depend on what we do for the next point.Semi-related: I noticed that when trying to drag a costume from a report bubble with a name of
null(the default name), it throws an error in the console.