Conversation
Notices
LS (lain@lain.com)'s status on Friday, 26-May-2023 17:37:20 JST: I found out how the attack works; it indeed depends on mediaproxy, so if you don't use it you are safe.
You are also safe if you add this code to your nginx:
location ~ ^/(media|proxy) {
    add_header Content-Security-Policy "script-src 'none';";
}
Updates and fixes incoming, but this will fix the issue right away. There is a certain aspect of social engineering here; it will not just attack you by seeing an image inside pleroma-fe.
(mint@ryona.agency)'s status on Friday, 26-May-2023 17:38:24 JST: @lain What about sandbox CSP? Does it have the same effect as script-src 'none'?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
LS (lain@lain.com)'s status on Friday, 26-May-2023 17:41:27 JST: @mint Yes, I think so.
LS (lain@lain.com)'s status on Friday, 26-May-2023 17:50:20 JST: @mint Tested it and it indeed fixes it.
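An added check, not from this thread, for the two header forms discussed above (lain's script-src 'none' and mint's sandbox variant): it reads an HTTP response's raw headers and reports whether the Content-Security-Policy stops scripts from running in served media. The sample responses and the example.invalid hostname are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): does a response's Content-Security-Policy
# stop scripts from running in served media? Accepts either form discussed in
# the thread: `script-src 'none'` or a `sandbox` directive without allow-scripts.
# Reads raw HTTP response headers on stdin; exits 0 if scripts are blocked.
csp_blocks_scripts() {
    # Gather every CSP header value (header names are case-insensitive),
    # drop the CR that HTTP header lines carry, lower-case for matching.
    policies=$(tr -d '\r' | grep -i '^content-security-policy:' \
               | cut -d: -f2- | tr 'A-Z' 'a-z')
    [ -n "$policies" ] || return 1
    # One directive per line, with leading/trailing/repeated whitespace squeezed.
    directives=$(printf '%s\n' "$policies" | tr ';' '\n' \
                 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/[[:space:]]\{1,\}/ /g')
    # Form 1: script-src restricted to 'none'.
    printf '%s\n' "$directives" | grep -q "^script-src 'none'$" && return 0
    # Form 2: a sandbox directive, as long as it does not re-enable scripts.
    printf '%s\n' "$directives" | grep -E '^sandbox( |$)' | grep -qv 'allow-scripts' && return 0
    return 1
}

# Constructed sample responses; not captured from any real instance.
UNPATCHED="HTTP/1.1 200 OK
Content-Type: image/svg+xml
Content-Length: 1234
"
PATCHED_SCRIPT_SRC="HTTP/1.1 200 OK
Content-Type: image/svg+xml
Content-Security-Policy: script-src 'none';
"
PATCHED_SANDBOX="HTTP/1.1 200 OK
content-security-policy: sandbox
"
WEAK_SANDBOX="HTTP/1.1 200 OK
Content-Security-Policy: sandbox allow-scripts allow-same-origin
"

# Usage against a live instance (hostname is a placeholder):
#   curl -sI https://example.invalid/media/some-file.svg | csp_blocks_scripts && echo blocked
```

Run the curl line against both a /media and a /proxy URL, since the thread notes /proxy was left out of the earlier fix. Keep in mind that an add_header inside an nginx location replaces any add_header set at server level, so other headers set there must be repeated in the location block.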
LS (lain@lain.com)'s status on Friday, 26-May-2023 17:53:22 JST: @hakui mediaproxy is literally killing people.
御園はくい (hakui@tuusin.misono-ya.info)'s status on Friday, 26-May-2023 17:53:23 JST: @lain no-mediaproxy keeps winning :smug1:
LS (lain@lain.com)'s status on Friday, 26-May-2023 18:12:42 JST: @shpuld @mint It's not in the default; I think you might have it because we had this issue in /media, quick-fixed it via nginx, then also added the fix to Pleroma directly, but didn't fix it for /proxy because that probably didn't exist yet.
御shp :blobshp: (shpuld@shpposter.club)'s status on Friday, 26-May-2023 18:12:43 JST: @lain @mint I thought that was in default nginx configs already; it was in mine at least. Wonder how it got left out by poast.
pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Friday, 26-May-2023 18:26:07 JST: @roboneko @dcc @lain @splitshockvirus @mint The only thing you can recover from that is probably just my IP, which you can use for, uh… telling my employer that I'm following straight shota bot, in which case you will probably get replied with "based".
verified neko :verified::verified::verified::makemeneko: (roboneko@bae.st)'s status on Friday, 26-May-2023 18:26:08 JST: @splitshockvirus @dcc @lain @splitshockvirus To prevent remote instances from harvesting metadata on local users who are passively browsing. Less leakage is nearly always better.
:apa: スプリットショックウイルス † (splitshockvirus@mstdn.starnix.network)'s status on Friday, 26-May-2023 18:26:09 JST: [image attachment only; not reproduced]
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Friday, 26-May-2023 18:26:09 JST: @splitshockvirus @lain I still don't get why anyone would put that on.
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Friday, 26-May-2023 18:26:10 JST: @lain cc @splitshockvirus Non-mediaproxy bros, we keep winning :dude_smug: