I’ve been reading through the Unity documentation for executing functions in a game from the browser using JavaScript, and I’m concerned about players or malicious individuals exploiting the ability to call functions using the browser to change game state or to run malicious code. A potentially dangerous example could be if a hacker puts a comment on a site that allows an XSS attack (i.e. runs JavaScript) to execute some code to cause further damage by running a command in the game or even to screw up someone’s game state. A player could also cheat using this sort of exploit by running JavaScript manually through their browser using a Firefox plugin.

Anyone with the right knowledge about Unity 3D, or the insight to read the JavaScript you use to call certain functions in your site’s JavaScript, could do some damage, unless there is some way to control untrusted data from the browser (which should essentially be considered untrusted by default).

Is there some way to set an allowed list of functions that the browser can call (so I can make sure to scrub input from the browser etc., and control things in a secure way), or only allow methods in a class that derive from some data structure to be called from the browser? I think the JavaScript integration is incredibly powerful and useful, but I need some way to control it from a security aspect… Is there any documentation I’ve missed?
Thank you in advance.
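As an added illustration of the allow-list idea raised in the post (not code from the post or from Unity's documentation): a browser-side gateway that only forwards allow-listed "Object.Method" calls with validated arguments. It assumes a hypothetical `sendToGame(objectName, method, arg)` standing in for whatever call the page uses to message the Unity player.

```javascript
// Added example, not from the original post or from Unity's documentation.
// `sendToGame(objectName, method, arg)` is a hypothetical stand-in for the
// browser-side call that forwards a message into the Unity player.

// Allow-list: "Object.Method" -> validator that returns the cleaned argument
// or null to reject. A Map (not a plain object) so that names such as
// "constructor" or "__proto__" cannot resolve through the prototype chain.
const ALLOWED_CALLS = new Map([
  ["Player.SetNickname", (arg) =>
    typeof arg === "string" && /^[A-Za-z0-9_]{1,16}$/.test(arg) ? arg : null],
  ["Menu.OpenPanel", (arg) =>
    ["inventory", "settings", "map"].includes(arg) ? arg : null],
]);

// The gateway is the only thing page scripts should be given; it refuses
// anything not on the list and records why, which is useful for monitoring.
function createGameGateway(sendToGame) {
  const rejected = [];
  function call(target, arg) {
    const validate = ALLOWED_CALLS.get(target);
    if (validate === undefined) {
      rejected.push({ target, reason: "not allow-listed" });
      return false;
    }
    const clean = validate(arg);
    if (clean === null) {
      rejected.push({ target, reason: "argument failed validation" });
      return false;
    }
    const [objectName, method] = target.split(".");
    sendToGame(objectName, method, clean);
    return true;
  }
  return { call, rejected };
}

// Constructed demonstration: a recording stand-in for sendToGame, fed one
// legitimate call, one call to a method that was never exposed, and one
// argument carrying injected markup.
function demo() {
  const sent = [];
  const gw = createGameGateway((o, m, a) => sent.push(`${o}.${m}(${a})`));
  gw.call("Player.SetNickname", "alice_42");
  gw.call("Admin.GiveGold", 99999);
  gw.call("Player.SetNickname", "<script>alert(1)</script>");
  return { sent, rejected: gw.rejected };
}
// Caveat: this runs in the player's own browser, so it only filters what page
// scripts pass through; the game side must still validate every message.
```

Because the gateway lives in the player's browser, it reduces the damage an injected script can do through your own page code, but it is not a substitute for validating each message again inside the game.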