Possible issue for a site like hexbear, could we get a setting to disable auto displayed images in user submissions which don't originate from hexbear.net? Could be a security concern if a wrecker posts image urls originating from their own website. Then they can (in theory) log the IP addresses of every hexbear user who views the comments of a post, for example.
Maybe an alternative (if it's easier) is to hide the image until a user clicks it. But that might fuck with the emojis.
To replicate: make a comment with an image url that isn't hexbear, it will be displayed automatically.
Yeah this is probably going to have to be taken seriously. imagine if a wrecker could just embed a tracking pixel in their comment and have the IP of everyone on the page that wasn't using a VPN
My recollection is that current hexbear only directly embeds from a whitelist of known sites (not necessarily trusted, just big and not actively malicious), we seem to directly embed from imgur for example, but for most things we generate and serve from hexbear.net our own thumbnail.
The version of Lemmy Hexbear currently runs on uses a thing called iframely to fetch thumbnails / summaries / video embeds from URLs people post. I'm not 100% sure how Lemmy handles this now, but they dropped iframely a long while ago.
yeahh that rings a bell. I know there is some way of doing it in modern lemmy but idk if it's working on the test instance or not rn, and some stuff is just being embedded directly in very unsafe ways
This should probably be considered before federating too, since hexbear can't control what gets posted to other instances. So maybe it could be controlled on the display side of things rather than restricting user input.
Possible issue for a site like hexbear, could we get a setting to disable auto displayed images in user submissions which don't originate from hexbear.net? Could be a security concern if a wrecker posts image urls originating from their own website. Then they can (in theory) log the IP addresses of every hexbear user who views the comments of a post, for example.
Maybe an alternative (if it's easier) is to hide the image until a user clicks it. But that might fuck with the emojis.
To replicate: make a comment with an image url that isn't hexbear, it will be displayed automatically.
Firefox 112.0.1, linux
Yeah this is probably going to have to be taken seriously. imagine if a wrecker could just embed a tracking pixel in their comment and have the IP of everyone on the page that wasn't using a VPN
My recollection is that current hexbear only directly embeds from a whitelist of known sites (not necessarily trusted, just big and not actively malicious), we seem to directly embed from imgur for example, but for most things we generate and serve from hexbear.net our own thumbnail.
The version of Lemmy Hexbear currently runs on uses a thing called iframely to fetch thumbnails / summaries / video embeds from URLs people post. I'm not 100% sure how Lemmy handles this now, but they dropped iframely a long while ago.
yeahh that rings a bell. I know there is some way of doing it in modern lemmy but idk if it's working on the test instance or not rn, and some stuff is just being embedded directly in very unsafe ways
This should probably be considered before federating too, since hexbear can't control what gets posted to other instances. So maybe it could be controlled on the display side of things rather than restricting user input.
right, I think that's the only sensible way to do it, simply don't render it if it's not from a whitelisted domain