this post was submitted on 13 Nov 2023
29 points (100.0% liked)

hexbear

Now that the old Hexbear fork has been officially abandoned, this community will be used as a space for meta-discussion on the site itself.

Like we used to have embedded YouTube videos, etc.

Any chance we can go back to that format? Is that possible post-federation? Being taken off site all the time kind of sucks (especially if you're like me and you get logged out every time).

[–] [email protected] 2 points 1 year ago (1 children)

It's literally just a white page that says "Server error"

[–] [email protected] 1 points 1 year ago (1 children)

Don't click on the deleted post, read the comments.

[–] [email protected] 3 points 1 year ago (1 children)

All I'm clicking on is your link (https://hexbear.net/comment/568900) and I get the server error.

[–] [email protected] 6 points 1 year ago (1 children)

Oooooh, I wonder if it's only letting me see it because I have a comment in the deleted post.

TLDR there was a pdf hosting site that was causing shady popups on hexbear

Here's the important bit.

So while we're on the topic, while it's totally normal for a rando site that isn't worried about its users being doxxed to lint opengraph tags and slap things like offsite images and iframes of youtube videos within the site's page, it is a serious security hole for your users. If some chud group wanted to come along and grab as many IPs that they could of our userbase all they've gotta do is figure out what chacha is willing to let through remotely and host that sort of content from their own site. Years back I used to do something similar on an old blog where I hosted an image on my own site that was actually a php script logging IPs of everyone that loaded it and then I'd just slap the img url into the comments of the blog. Over time that attack evolved into me figuring out how to slip javascript in place of the image and grabbed everyone's cookies, letting me log in as whomever I wanted. Loading remote iframes (like for youtube videos) is just the sort of hole I'd be looking for if I wanted to do it again. Just fyi to anyone interested.
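
The defensive counterpart of what the comment above describes, as an added example that is not code from the thread and not Hexbear's or Lemmy's own code: a policy pass over user-submitted HTML that keeps same-origin images, routes off-site images through a same-origin image proxy (so the third-party server sees the site's address rather than each reader's), drops iframes, scripts and non-http(s) schemes outright, and marks the session cookie HttpOnly so injected script cannot read it. The origin `https://forum.example`, the `/image-proxy?url=` path and the sample markup are constructed for the example; only the `src` attribute is inspected, so a production deployment would apply the same policy inside a full sanitizer that also covers `srcset`, `poster`, inline styles and the other URL-bearing attributes.

```javascript
// Added example (not from the thread): an outbound-resource policy for
// user-submitted HTML. Constructed values: site origin and image-proxy path.
const SITE_ORIGIN = 'https://forum.example';            // assumption
const IMAGE_PROXY = `${SITE_ORIGIN}/image-proxy?url=`;  // assumption

// Decide what the reader's browser may fetch on behalf of a user's post.
// Returns { action: 'allow' | 'proxy' | 'drop', url?, reason? }.
function resourcePolicy(tag, rawUrl) {
  if (!rawUrl) return { action: 'drop', reason: 'missing src' };
  let url;
  try {
    url = new URL(rawUrl, SITE_ORIGIN);         // resolves relative paths
  } catch {
    return { action: 'drop', reason: 'unparseable url' };
  }
  // javascript:, data:, file: etc. never reach the reader's browser.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { action: 'drop', reason: `scheme ${url.protocol}` };
  }
  // Remote documents and scripts are exactly the hole the comment describes:
  // each reader's browser would connect to the third party directly.
  if (['iframe', 'script', 'object', 'embed'].includes(tag)) {
    return { action: 'drop', reason: 'remote document or script' };
  }
  if (tag === 'img') {
    if (url.origin === SITE_ORIGIN) return { action: 'allow', url: url.href };
    // Off-site image: fetch it server-side through the proxy instead.
    return { action: 'proxy', url: IMAGE_PROXY + encodeURIComponent(url.href) };
  }
  return { action: 'drop', reason: `unhandled tag ${tag}` };
}

// Matches an opening tag of interest and, when one exists, its closing tag.
const TAG_RE = /<(img|iframe|script|object|embed)\b([^>]*)>(?:[\s\S]*?<\/\1\s*>)?/gi;
// Extracts the src attribute value (double-quoted, single-quoted or bare).
const SRC_RE = /\bsrc\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Rewrites the HTML according to resourcePolicy and returns an audit log
// of every decision, which is what a moderator would want to review.
function rewriteUserHtml(html) {
  const log = [];
  const out = html.replace(TAG_RE, (whole, tagName, attrs) => {
    const tag = tagName.toLowerCase();
    const m = SRC_RE.exec(attrs);
    const src = m ? (m[2] ?? m[3] ?? m[4]) : '';
    const decision = resourcePolicy(tag, src);
    log.push({ tag, src, ...decision });
    if (decision.action === 'drop') return '';
    if (decision.action === 'allow') return whole;
    // 'proxy': swap the src value; a function replacement avoids $-patterns.
    const newAttrs = attrs.replace(SRC_RE, () => `src="${decision.url}"`);
    return `<${tag}${newAttrs}>`;
  });
  return { html: out, log };
}

// The cookie half of the comment: an HttpOnly, Secure, SameSite session
// cookie cannot be read by script that does slip into a page. Constructed
// cookie name; the token is whatever the server issued.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample post body showing all three outcomes.
const SAMPLE_POST =
  '<p>look at this</p>' +
  '<img src="/pictrs/cat.png">' +
  '<img src="http://tracker.example/pixel.php">' +
  '<iframe src="https://video.example/embed/abc"></iframe>' +
  '<img src="javascript:alert(1)">';

const result = rewriteUserHtml(SAMPLE_POST);
console.log(result.html);
for (const entry of result.log) console.log(entry);
console.log(sessionCookieHeader('constructed-token-123'));
```

The audit log is deliberately returned alongside the rewritten HTML: the pattern the comment describes (one image URL pasted into many comments, all pointing at the same off-site host) shows up clearly as a burst of `proxy` decisions for the same origin, which is a cheap signal for moderators even before anyone inspects the content.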

[–] [email protected] 2 points 1 year ago (1 children)

Thank you. That's some good posting right there.

[–] [email protected] 1 points 1 year ago