Context: https://hexbear.net/post/159221

Hi everyone, we're excited to announce that we are ready to do the final site migration back to Lemmy. Before we actually push the new version to the main site, we want to test the new version of Lemmy we're running to catch bugs and any weird behaviour we can fix quickly before we do the move.

The final move is (tentatively) scheduled for next weekend (downtime will be announced once this is confirmed). This is no longer the plan but it will still be soon.

We have a test Lemmy instance from a recent-ish snapshot of the site that we need people to try using. You can log in with your normal account details and just post away.

Test Lemmy instance URL: https://test.hexbear.net Testing is complete.

Disclaimer: Anything you post will be nuked after a week or two, nothing is being saved from this test instance.

If you encounter a bug please let us know what happened, how we can reproduce it, and your OS & browser in the comments below. The more detail, the more likely we can fix things!

  • Aceivan [they/them]
    ·
    1 year ago

    Yeah this is probably going to have to be taken seriously. imagine if a wrecker could just embed a tracking pixel in their comment and have the IP of everyone on the page that wasn't using a VPN

    My recollection is that current hexbear only directly embeds from a whitelist of known sites (not necessarily trusted, just big and not actively malicious), we seem to directly embed from imgur for example, but for most things we generate and serve from hexbear.net our own thumbnail.

    • PorkrollPosadist [he/him, they/them]
      ·
      1 year ago

      The version of Lemmy Hexbear currently runs on uses a thing called iframely to fetch thumbnails / summaries / video embeds from URLs people post. I'm not 100% sure how Lemmy handles this now, but they dropped iframely a long while ago.

      • Aceivan [they/them]
        ·
        1 year ago

        yeahh that rings a bell. I know there is some way of doing it in modern lemmy but idk if it's working on the test instance or not rn, and some stuff is just being embedded directly in very unsafe ways

    • wheresmysurplusvalue [comrade/them]
      ·
      1 year ago

      This should probably be considered before federating too, since hexbear can't control what gets posted to other instances. So maybe it could be controlled on the display side of things rather than restricting user input.

      • Aceivan [they/them]
        ·
        1 year ago

        right, I think that's the only sensible way to do it, simply don't render it if it's not from a whitelisted domain
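
The display-side check discussed in the comments above, as an added example that is not part of the thread and not Lemmy's or Hexbear's code: before rendering, image embeds whose host is not allowlisted are downgraded to plain links, so a reader's browser does not fetch them automatically. The function names, the `ALLOWED_HOSTS` list and the sample comment are assumptions constructed for illustration.

```javascript
// Added example: render-side allowlist for image embeds in comment markdown.
// ALLOWED_HOSTS is a constructed sample list, not Hexbear's real configuration.
const ALLOWED_HOSTS = ["hexbear.net", "imgur.com"];

// True only for https URLs whose host is an allowlisted domain or a subdomain of one.
function isAllowedEmbed(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // relative or malformed URL: do not embed
  }
  if (url.protocol !== "https:") return false;
  // Compare the parsed hostname, never the raw string: for
  // "https://imgur.com@tracker.example/" the real host is tracker.example.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Exact match or dot-delimited suffix, so "evilimgur.com" and
  // "imgur.com.tracker.example" do not pass as "imgur.com".
  return allowedHosts.some((d) => host === d || host.endsWith("." + d));
}

// Rewrite ![alt](url) to a plain [alt](url) link when the host is not
// allowlisted, so the remote server is contacted only after a deliberate click.
function filterImageEmbeds(markdown, allowedHosts = ALLOWED_HOSTS) {
  const image = /!\[([^\]]*)\]\(\s*(\S+?)(\s+"[^"]*")?\s*\)/g;
  return markdown.replace(image, (match, alt, url) =>
    isAllowedEmbed(url, allowedHosts) ? match : `[${alt || url}](${url})`
  );
}

// Constructed sample comment body, as it might arrive from any instance.
const sample = [
  "![cat](https://i.imgur.com/abc.png)",
  "![](https://tracker.example/p.gif?u=1)",
  "![x](https://imgur.com.tracker.example/p.gif)",
  "![y](http://imgur.com/p.gif)",
].join("\n");

console.log(filterImageEmbeds(sample));
```

This covers markdown image syntax only; any other path that produces an automatic fetch (raw HTML, link previews, video embeds) needs the same host check before rendering.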