Conversation
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 01:25:01 JST: wtf @lain, both of these statements are wrong. The CSP header doesn't work. And it does not depend on media proxy being enabled. The best way to mitigate this issue is to move your media uploads to a subdomain.
Tadano ❄️🎅 (tadano@amala.schwartzwelt.xyz)'s status on Saturday, 27-May-2023 01:25:01 JST: @alex Weren't poast's media uploads already on a separate domain entirely? I don't recall ever opening a Poast image/video that didn't go to a poastcdn.org link.
🌲Number 1 Pleroma Criminal on XBL 🇵🇱|🇺🇸 (phenomx6@fedi.pawlicker.com)'s status on Saturday, 27-May-2023 01:25:44 JST: akkoma already added CSP:
https://akkoma.dev/AkkomaGang/akkoma/commit/9d83a1e23f3fde933ec990736fd77a8adb2e4803
It should exist; the last thing you want is XSS attacks in 2023, which is what got KF recently too.
CrunkLord420 (crunklord420@rdrama.cc)'s status on Saturday, 27-May-2023 02:23:26 JST: @alex @Tadano @PhenomX6 from the secret KF hardened repo.
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:23:27 JST: @PhenomX6 @Tadano THE CSP DOESN'T WORK THE CSP DOESN'T WORK
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:23:27 JST: @PhenomX6 @Tadano God I swear all Pleroma devs are retarded.
(mint@ryona.agency)'s status on Saturday, 27-May-2023 02:27:01 JST: @alex
> The CSP header doesn't work
Is that so? Upload some script and an HTML file linking that script, then open the HTML in a browser. With sandbox or script-src none, it won't execute.
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:31:19 JST: @mint I did that, it allowed it. See this explanation: https://noagendasocial.com/@eriner/110436086362053523
(mint@ryona.agency)'s status on Saturday, 27-May-2023 02:31:19 JST: @alex That applies to the arbitrary files you can upload as a server administrator, not to the upload you can do as a user. I've already tested uploading HTML and SVG with scripts, and they don't seem to execute anything when opened and served with sandbox CSP.
(mint@ryona.agency)'s status on Saturday, 27-May-2023 02:35:22 JST: @alex @Tadano @PhenomX6
[attachment: image.png]
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:55:04 JST: @mint Well that's because the content-type is text/plain. It's been discovered there are ways to upload files on Pleroma and get back application/json, etc.
(mint@ryona.agency)'s status on Saturday, 27-May-2023 02:55:04 JST: @alex Both the HTML and JS I've uploaded as a test on an instance without fixes have their corresponding content type.
https://cum.salon/media/e93c9c8ad8610cab03ae3206937c936e5b347d269a1bfe569b3df891b0cdc5ff.js
https://cum.salon/media/cf4ecc921543ef7622271b8d505c2dc9fdc6f4d48bf8fe932d89204207ca5844.html
Nothing executes, at least in Firefox.
(mint@ryona.agency)'s status on Saturday, 27-May-2023 02:58:00 JST: @alex If there's something that can load JS from /, you've got worse problems than just a possible XSS.
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:58:01 JST: @mint Okay, but both those files are in /media. You'll be able to load the JS file in / just fine.