Those embeds were a massive security concern, imo. If we could do Invidious embeds of YouTube, that'd probably be better as far as privacy goes, but loading up random PDFs is rarely a good idea.
Now that the old Hexbear fork has been officially abandoned, this community will be used as a space for meta-discussion on the site itself.
Can you explain to somebody who is an idiot what the security concern is?
The link gives me a server error?
The link in the comment you just replied to, or the post link? The post link has been deleted, but that's the convo we had around it. You can try refreshing for the convo, it works for me.
I also get a server error, refresh does nothing.
What's the error?
It's literally just a white page that says "Server error"
Don't click on the deleted post, read the comments.
All I'm clicking on is your link (https://hexbear.net/comment/568900) and I get the server error.
Oooooh, I wonder if it's only letting me see it because I have a comment in the deleted post.
TL;DR: there was a PDF hosting site that was causing shady popups on hexbear.
Here's the important bit.
So while we're on the topic: while it's totally normal for a rando site that isn't worried about its users being doxxed to lint OpenGraph tags and slap things like offsite images and iframes of YouTube videos into the site's page, it is a serious security hole for your users. If some chud group wanted to come along and grab as many IPs of our userbase as they could, all they've gotta do is figure out what chacha is willing to let through remotely and host that sort of content from their own site. Years back I used to do something similar on an old blog, where I hosted an image on my own site that was actually a PHP script logging the IPs of everyone that loaded it, and then I'd just slap the img URL into the comments of the blog. Over time that attack evolved into me figuring out how to slip JavaScript in place of the image and grab everyone's cookies, letting me log in as whomever I wanted. Loading remote iframes (like for YouTube videos) is just the sort of hole I'd be looking for if I wanted to do it again. Just FYI to anyone interested.
Thank you. That's some good posting right there.
Welcome.
I'm not sure about that, but I have been tempted to fork my own client.