So, I suppose Calckey has nothing to worry about regarding this Pleroma fiasco. ☕

@adiz It appears only pleroma+forks are affected. Not that there aren't other zerodays or attack vectors for the other softwares.

@splitshockvirus @adiz as pete said its a nginx issuse, but their is also the rich text thing thats geting fixed though

@dcc @adiz

Maybe we should just use the nginx config from mastodon since they know how to write CSP ​

@dcc @adiz

Oh wait all mastodon's CSP are handled internally ​

@splitshockvirus @adiz i just checked and they are not lol, they are on pleroma though

@dcc @adiz

mf I've been over this with you in the past, the CSPs on mastodon are the reason seamonkey didn't work on my website. the CSPs are in the ruby code.

@splitshockvirus @dcc @adiz What are CSPs anyway?

@james @dcc @adiz https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Headers that prevent media from behaving a certain way in the browser.

@splitshockvirus @dcc @adiz Oh yeah those. Heard the full term mentioned earlier today.

@james @dcc @adiz

In short BloatFE users were vindicated.

@splitshockvirus @dcc @adiz Was bloat vulnerable to this attack, or just Pleroma-FE and Soapbox?

@james @dcc @splitshockvirus @adiz just pleromafe
lain gaive the rundown

pretty much a exploit in how pleroma renders link previews

@theorytoe @dcc @james @adiz

​ turn this off, do the csp thing, 403 any .js .svg .exe .html .sh .askdfa;dka;sdfkjasldfj files

and then wait for pleroma to give an actual patch.