Like we used to have embedded Youtube videos, etc.
Any chance we can go back to that format? Is that possible post federation? Being taken off site all the time kind of sucks, (especially if you're like me and you get logged out every time.)
Those embeds were a massive security concern, imo. If we could do invidious embeds of YouTube, that'd probably be better as far as privacy goes, but loading up random PDFs are rarely a good idea.
Can you explain to somebody who is an idiot what the security concern is?
The link in the comment you just replied to, or the post link? The post link has been deleted, but that's the convo we had around it. You can try refreshing for the convo, it works for me.
All I'm clicking on is your link (https://hexbear.net/comment/568900) and I get the server error.
Oooooh, I wonder if it's only letting me see it because I have a comment in the deleted post.
TLDR there was a pdf hosting site that was causing shady popups on hexbear
Here's the important bit.
So while we're on the topic, while it's totally normal for a rando site that isn't worried about its users being doxxed to lint opengraph tags and slap things like offsite images and iframes of youtube videos within the site's page, it is a serious security hole for your users. If some chud group wanted to come along and grab as many IPs that they could of our userbase all they've gotta do is figure out what chacha is willing to let through remotely and host that sort of content from their own site. Years back I used to do something similar on an old blog where I hosted an image on my own site that was actually a php script logging IPs of everyone that loaded it and then I'd just slap the img url into the comments of the blog. Over time that attack evolved into me figuring out how to slip javascript in place of the image and grabbed everyone's cookies, letting me log in as whomever I wanted. Loading remote iframes (like for youtube videos) is just the sort of hole I'd be looking for if I wanted to do it again. Just fyi to anyone interested.
im not sure about that, but I have been tempted to fork my own client