Like we used to have embedded Youtube videos, etc.

Any chance we can go back to that format? Is that possible post federation? Being taken off site all the time kind of sucks, (especially if you're like me and you get logged out every time.)

  • JoeByeThen [he/him, they/them]
    ·
    8 months ago

    Those embeds were a massive security concern, imo. If we could do invidious embeds of YouTube, that'd probably be better as far as privacy goes, but loading up random PDFs are rarely a good idea.

    • MF_COOM [he/him]
      ·
      8 months ago

      Can you explain to somebody who is an idiot what the security concern is?

          • JoeByeThen [he/him, they/them]
            ·
            8 months ago

            The link in the comment you just replied to, or the post link? The post link has been deleted, but that's the convo we had around it. You can try refreshing for the convo, it works for me.

                    • Abracadaniel [he/him]
                      ·
                      8 months ago

                      All I'm clicking on is your link (https://hexbear.net/comment/568900) and I get the server error.

                      • JoeByeThen [he/him, they/them]
                        ·
                        8 months ago

                        Oooooh, I wonder if it's only letting me see it because I have a comment in the deleted post.

                        TLDR there was a pdf hosting site that was causing shady popups on hexbear

                        Here's the important bit.

                        So while we're on the topic, while it's totally normal for a rando site that isn't worried about its users being doxxed to lint opengraph tags and slap things like offsite images and iframes of youtube videos within the site's page, it is a serious security hole for your users. If some chud group wanted to come along and grab as many IPs that they could of our userbase all they've gotta do is figure out what chacha is willing to let through remotely and host that sort of content from their own site. Years back I used to do something similar on an old blog where I hosted an image on my own site that was actually a php script logging IPs of everyone that loaded it and then I'd just slap the img url into the comments of the blog. Over time that attack evolved into me figuring out how to slip javascript in place of the image and grabbed everyone's cookies, letting me log in as whomever I wanted. Loading remote iframes (like for youtube videos) is just the sort of hole I'd be looking for if I wanted to do it again. Just fyi to anyone interested.