
Implement warning message when opening .pdex or .pdez files #560

Open
SableRaf opened this issue Sep 24, 2022 · 5 comments
Labels
High Priority Very high priority and would like to fix ASAP

Comments

@SableRaf
Contributor

SableRaf commented Sep 24, 2022

Currently, it is possible to open and run a .pdez or .pdex file downloaded from the web without any extra steps. It could be wise to add a warning when opening a bundled sketch/mode/tool/library to tell a user to only run third-party code if they trust the author (similar to VSCode's restricted mode).

Note: Unlike VSCode and its extensions, the PDE won't run arbitrary code just when you open a sketch so this is not an apples to apples comparison, but since we made it easier to execute arbitrary code on a machine running the PDE, it might still be a good idea to add that extra layer of security.


Edit: this was initially mentioned here #559

@benfry benfry changed the title [Feature request] warning message when opening a .pdez file downloaded from the internet Implement warning message when opening .pdex or .pdez files (or using pde:// URLs) Feb 20, 2023
@benfry benfry changed the title Implement warning message when opening .pdex or .pdez files (or using pde:// URLs) Implement warning message when opening .pdex or .pdez files Feb 20, 2023
@benfry benfry added the High Priority Very high priority and would like to fix ASAP label Feb 20, 2023
@benfry
Owner

benfry commented Feb 20, 2023

This is a higher priority with 4.2, though the threat seems somewhat limited: if someone double-clicks a file they don't trust, will popping up a dialog box change anything?

When using pde:// links in the browser, the browser says, “are you sure?” so it seems like bad practice to ask users twice (unnecessary click-throughs cause users to start tuning these things out).

But… we should implement regardless.

@SableRaf
Contributor Author

SableRaf commented Feb 20, 2023

I was wondering if there is a way we could have a "sandbox" or restricted mode for sketches opened this way. Like limiting access to the file system for example. This way the process would be seamless for most people and more advanced sketches would require an override (maybe via a popup that triggers only when running a sketch that does potentially risky stuff). Would it be doable? cc @sampottinger

@benfry
Owner

benfry commented Feb 20, 2023

Super complicated, unfortunately. Technically possible given Java's ability to set up sandboxing restrictions (i.e. back in the Applet days), but I'd rather the energy go elsewhere, like a proper browser-based, sandboxed development environment that works for other languages/platforms too.

@SableRaf
Contributor Author

> the threat seems somewhat limited: if someone double-clicks a file they don't trust, will popping up a dialog box change anything?

With the pde:// scheme, we're bypassing the need to double-click a file. Since the process is so simple, it's easy for users to accidentally run a sketch without thinking about the potential risks. Considering the audience for the PDE is very much beginner oriented, I believe we need to implement a warning.

@SableRaf
Contributor Author

SableRaf commented Feb 23, 2023

How about including a list of trusted domains? It could even be as simple as a config file. The user can manually add the domain to the list to bypass it so there is a bit of friction and it can't happen by accident. If the .pdez file comes from an untrusted domain, we give a big and obvious warning. Otherwise it's free to run.

Note: we could include processing.org in the default list (as long as we make sure the domain stays free of user generated content), this way all the sketches from the examples and reference pages will be trusted by default.
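One way the trusted-domain list proposed above could be checked, as an added example that is not part of the issue thread and not code from the Processing project: the allowlist is a plain config file with one host per line (the file path, the `processing.org` default and the sample URLs are assumptions), and the origin of the .pdez download is compared against it by exact host match rather than suffix or substring match, so `processing.org.example.net` or a URL with a `processing.org@` user-info prefix does not pass. Only HTTPS origins are accepted, since the download could otherwise be altered in transit. The caller would show the "big and obvious warning" whenever `isTrusted` returns false.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Allowlist of download origins for bundled sketches (illustrative, not PDE code). */
public class TrustedDomains {

    // Default entries; the thread suggests processing.org, kept free of user content.
    private static final Set<String> DEFAULTS = Set.of("processing.org");

    private final Set<String> trusted = new HashSet<>(DEFAULTS);

    /** Reads extra hosts from a config file: one host per line, '#' starts a comment. */
    public void loadConfig(Path config) throws IOException {
        for (String line : Files.readAllLines(config)) {
            String host = line.trim();
            if (host.isEmpty() || host.startsWith("#")) continue;
            trusted.add(normalize(host));
        }
    }

    /** Lower-cases and strips a trailing dot so "Processing.org." and "processing.org" compare equal. */
    static String normalize(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1);
        return h;
    }

    /**
     * True only when the URL is HTTPS and its host is exactly an allowlisted host.
     * Subdomains are deliberately not trusted: the list is exact, not a suffix match.
     */
    public boolean isTrusted(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;               // unparseable origin: treat as untrusted
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();    // for "https://processing.org@evil.example/x" this is "evil.example"
        if (host == null) return false;
        return trusted.contains(normalize(host));
    }

    public static void main(String[] args) throws IOException {
        TrustedDomains td = new TrustedDomains();
        // Constructed config: a user-added host plus a comment line (path is a placeholder).
        Path cfg = Files.createTempFile("trusted-domains", ".txt");
        Files.write(cfg, List.of("# hosts I trust", "sketches.example.edu"));
        td.loadConfig(cfg);

        // Constructed sample origins; expected results shown in the comments.
        List<String> samples = List.of(
            "https://processing.org/examples/basics/Arrays.pdez",      // trusted (default)
            "https://sketches.example.edu/week1.pdez",                 // trusted (config)
            "http://processing.org/examples/basics/Arrays.pdez",       // untrusted: plain HTTP
            "https://processing.org.example.net/x.pdez",               // untrusted: suffix lookalike
            "https://processing.org@evil.example/x.pdez",              // untrusted: user-info trick
            "https://forum.processing.org/x.pdez");                    // untrusted: subdomain, exact match only
        for (String s : samples) {
            System.out.println((td.isTrusted(s) ? "run      " : "WARN     ") + s);
        }
    }
}
```

Whether subdomains should be allowed is a policy choice; exact matching is the conservative default here because the note above makes the whole argument rest on the listed domain staying free of user-generated content, and a subdomain may not share that property.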
