@lain @graf Looks like there was a bit of social engineering involved. My first guess was, since poast runs Soapbox as default frontend and serves Pleroma-FE separately, the subdomain FE is on (pl.poa.st) might not have applied CSP rules, essentially giving all control over the local storage to the opened HTML with embedded JS. But that falls flat in his setup, since media is hosted on a separate domain (poastcdn.org) which should have those rules applied regardless.
Screenshot_20230526_093439.png
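As an added illustration of the CSP point raised in the post (this is example code written for this page, not anything from poast, Pleroma, or Soapbox), the function below parses a Content-Security-Policy header and reports whether it would refuse an inline script inside a user-uploaded HTML file served from a media domain. It only answers the script-execution question: whether a running script could reach another origin's local storage is governed by the same-origin policy, which is the separate-domain argument the post already makes. The sample headers are constructed for the test; the `script-src-elem` directive and nonce/hash matching of a specific script are deliberately not modelled.

```python
"""Check whether a Content-Security-Policy header would stop inline scripts
in an uploaded HTML file from executing (e.g. on a media/upload domain).

Added example for this page; it assumes only the `sandbox`, `script-src`
and `default-src` directives matter for the question being asked."""
from __future__ import annotations


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive_name: [source expressions]}.
    Directive names are case-insensitive; the first occurrence of a
    directive wins, which matches how browsers treat duplicates."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def blocks_uploaded_inline_script(header: str) -> bool:
    """Return True if an inline <script> in an uploaded HTML document would be
    refused under this policy, False if it would run."""
    policy = parse_csp(header)

    # `sandbox` without allow-scripts disables script execution entirely,
    # regardless of what script-src says. This is the usual hardening for a
    # domain that serves user uploads.
    if "sandbox" in policy:
        flags = {v.lower() for v in policy["sandbox"]}
        if "allow-scripts" not in flags:
            return True

    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no script restriction at all: the uploaded script runs

    lowered = [s.lower() for s in sources]
    if "'none'" in lowered:
        return True
    # A nonce or hash source makes browsers ignore 'unsafe-inline', and an
    # uploaded file cannot carry the server's nonce, so inline is still blocked.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False  # inline scripts explicitly allowed
    return True


# Constructed sample headers, each labelled with what a reviewer would expect.
SAMPLE_HEADERS = {
    "no_header": "",
    "self_only": "default-src 'self'; img-src 'self' data:",
    "unsafe_inline": "default-src 'self' 'unsafe-inline'",
    "sandbox_strict": "sandbox",
    "sandbox_with_scripts": "sandbox allow-scripts allow-same-origin",
    "nonce_neutralises_inline": "script-src 'nonce-r4nd0m' 'unsafe-inline'",
}


def audit_headers(headers: dict[str, str]) -> dict[str, bool]:
    """Evaluate every header and return {label: blocks_inline_script}."""
    return {label: blocks_uploaded_inline_script(h) for label, h in headers.items()}


if __name__ == "__main__":
    for label, ok in audit_headers(SAMPLE_HEADERS).items():
        print(f"{label:28s} blocks uploaded inline script: {ok}")
```

In practice the media domain would be checked with a real response header (for example from `curl -sI https://media.example/upload.html`, a placeholder host) rather than the constructed samples; a `False` result on a domain that stores user uploads is the weak setting the post was speculating about.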