With Flash pretty much dead, there is currently no way we can upload games or other interactive content that doesn't have to be downloaded. While you still can download Flash animations and run them on the projector, that isn't very convenient, and is rather risky since one of the major reasons Flash was discontinued was security.

Being able to upload HTML files would fix that. I've looked through some other forum posts where admins briefly touched on the issue and raised issues like HTML games requiring multiple files; however, this isn't exactly true. Images, videos, and in fact all resources can be encoded into base64, while JS/CSS can both be directly put into the document. This does increase file size

There are, of course, inherent risks with running user-generated code. While some of them can be mitigated, there will always be ways to get around that for bad actors. However, E621 already has an approval system. If this were implemented, I would suggest requiring any HTML uploads to be approved before being shown to general users, and during approval for the document to be shown in plaintext first; requiring non-obfuscated js in <script> tags would make any attacks easy to see.

I don't know if this is currently possible, and a lot of thought would have to be put into restrictions on what exactly is allowed. However, this is currently the only viable option I see for interactive content.

There's already been a few threads on this, I believe the usual outcome is that the security risk and work to put it in place is too great for the small amount of relevant HTML5 content that exists.

Being able to upload HTML files would fix that.

It would also bust the door wide open for an attack on the servers of the site, and it won't matter if there's premoderation or not - the mere presence of such a file on the server can compromise it.

scth said:
There are, of course, inherent risks with running user-generated code. While some of them can be mitigated, there will always be ways to get around that for bad actors. However, E621 already has an approval system. If this were implemented, I would suggest requiring any HTML uploads to be approved before being shown to general users, and during approval for the document to be shown in plaintext first; requiring non-obfuscated js in <script> tags would make any attacks easy to see.

That would require janitors and admins to review the code of every upload of this kind.
I don't know how many of them have the technical ability to do so, but it's not a trivial task nonetheless.

darth_e621 said:
It would also bust the door wide open for an attack on the servers of the site, and it won't matter if there's premoderation or not - the mere presence of such a file on the server can compromise it.

I would personally be more worried about shady uploads compromising the viewers' systems, not e621 servers.

Is there really no effective sandbox standard for embedded HTML in an iframe or whatever trendy tag is reinventing them this week?

Concerns about security ring a bit hollow to me when this site allowed Flash uploads for ten years.

wat8548 said:
Is there really no effective sandbox standard for embedded HTML in an iframe or whatever trendy tag is reinventing them this week?

Concerns about security ring a bit hollow to me when this site allowed Flash uploads for ten years.

There are methods, but they are blunt and cumbersome and involve purchasing a secondary domain and dealing with problems like browser storage quotas.

The benefit of Flash was that it was self contained and couldn't interact with the page above it.

Mostly this is about lack of standard, complexity and the scope of the problem being really large, in additional to the standard security concerns. It's a lot of work, there is no standard for embedding content or packaging it to ensure resources are accessible, and the ability to securely embed it is questionable, since browser support for the security feature isn't universal, and the ones that don't support it, fall back to insecure behavior.