GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

    Kirby (kirby@mstdn.starnix.network), Friday, 26-May-2023 21:34:04 JST:

    @meso is the asbestos fine

    meso (meso@asbestos.cafe), Friday, 26-May-2023 21:34:03 JST:
      @kirby If Allah chooses to protect us, we embrace that. If Allah chooses that we too must fall, we accept that.
    meso (meso@asbestos.cafe), Friday, 26-May-2023 21:34:04 JST:
      @kirby probably
    Kirby (kirby@mstdn.starnix.network), Friday, 26-May-2023 22:45:34 JST:

      @meso @paulo this apparently mitigates the problem too

      location ~ ^/(media|proxy) {
          add_header Content-Security-Policy "sandbox;";
      }

    meso (meso@asbestos.cafe), Friday, 26-May-2023 22:45:35 JST:
      @kirby @paulo tried, dunno how it didn't work
    meso (meso@asbestos.cafe), Friday, 26-May-2023 22:45:36 JST:
      @paulo @kirby

      location /api/pleroma/admin { deny all; }
      location /api/v1/pleroma/admin { deny all; }
    Kirby (kirby@mstdn.starnix.network), Friday, 26-May-2023 22:45:36 JST:

      @meso @paulo this is just for denying access to AdminFE; you should deny all JavaScript files on media as well

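The three measures discussed above (the sandbox CSP on /media and /proxy, hiding the admin API from the public hostname, and refusing script-like uploads) put together in one nginx configuration, as an added example that is not configuration from the thread or from Pleroma's own documentation. It also adds the nosniff and Content-Disposition headers a reviewer would ask for. Assumed: the Pleroma backend is an upstream named "phoenix" and the hostname example.social is a placeholder.

```nginx
# Added example; not from the thread or from Pleroma. Assumes an upstream
# named "phoenix" and an example hostname.

# Decide how a browser should treat an upload when it navigates to it
# directly. Regex entries are matched in order, so the SVG rule must come
# before image/*: SVG is an XML document and can carry <script>.
map $sent_http_content_type $upload_disposition {
    ~^image/svg   "attachment";
    ~^image/      "inline";
    ~^video/      "inline";
    ~^audio/      "inline";
    default       "attachment";
}

server {
    listen 443 ssl;
    server_name example.social;
    # ... TLS settings elided ...

    # Weak form, for comparison: a single catch-all proxy. Uploads are served
    # from the instance origin with nothing but the backend's own headers, so
    # an uploaded HTML or SVG file opened at https://example.social/media/...
    # runs script with access to the instance's cookies and localStorage.
    #
    #     location / { proxy_pass http://phoenix; }

    # Hardened form.

    # Do not expose the admin API on the public vhost at all.
    location /api/pleroma/admin    { return 404; }
    location /api/v1/pleroma/admin { return 404; }

    # Refuse uploads whose name says they are script or markup. This is only
    # a backstop: the Content-Type, not the extension, is what a browser acts on.
    location ~* ^/(media|proxy)/.*\.(js|mjs|html?|xhtml|svg)$ { return 404; }

    location ~ ^/(media|proxy)/ {
        # When a browser navigates straight to an upload, "sandbox" with no
        # allow-* tokens gives the document an opaque origin and forbids
        # script, so it cannot read the instance's cookies or localStorage.
        add_header Content-Security-Policy "sandbox" always;
        # Trust only the declared type; never sniff an upload into HTML.
        add_header X-Content-Type-Options "nosniff" always;
        # Anything that is not an image, video or audio file is offered as a
        # download instead of being rendered. Drop any disposition header the
        # backend already set so the client does not see two.
        proxy_hide_header Content-Disposition;
        add_header Content-Disposition $upload_disposition always;
        # add_header is not inherited once any add_header appears in a
        # location: repeat server-level headers such as HSTS here.
        proxy_pass http://phoenix;
    }

    location / {
        proxy_pass http://phoenix;
    }
}
```

After reloading, check a real upload with `curl -sI https://example.social/media/<file>` and confirm that all three headers are present on the response; nginx silently drops an `add_header` without `always` on 4xx/5xx responses. The stronger fix, which the thread also raises, is to serve uploads from a separate origin such as media.example.social, so that even a rendered upload never shares the instance's cookies or storage; the headers above still belong on that vhost.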
    paulo (paulo@marsey.moe), Friday, 26-May-2023 22:45:38 JST:
      @meso @kirby what are the silly lines :marseyclueless:
    Kirby (kirby@mstdn.starnix.network), Friday, 26-May-2023 22:45:39 JST:

      @meso did you put the silly nginx lines in the config

    meso (meso@asbestos.cafe), Friday, 26-May-2023 22:45:39 JST:
      @kirby did it as soon as Gleason posted them
    Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 23:03:06 JST:
      @meso @kirby @nekofag I have confirmed that this in fact does not work.

      Attachment: https://media.gleasonator.com/223959d89698c4d750e7d539c059ed9bef149b33933e7ede260d300161efe207.png
    meso (meso@asbestos.cafe), Friday, 26-May-2023 23:03:08 JST:
      @kirby @nekofag works
    meso (meso@asbestos.cafe), Friday, 26-May-2023 23:03:09 JST:
      @kirby try adding this if you want @nekofag
    Kirby (kirby@mstdn.starnix.network), Friday, 26-May-2023 23:07:37 JST:

      @alex @meso @nekofag sandbox implies that this is being run isolated, can you grab cookies with a script and these rules

    Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 23:07:37 JST:

      @kirby @meso @nekofag It simply isn’t how CSP works. When you request /, you get the CSP then and there. It doesn’t matter what the CSP headers are on requests made from inside that page. Resources are either allowed or blocked before they’re requested, not after you have a response.

    Kirby (kirby@mstdn.starnix.network), Friday, 26-May-2023 23:11:31 JST:

      @alex @meso @nekofag so you're saying that it's just a nice looking label and the web browser doesn't actually isolate it (the script) from much

    Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 23:11:31 JST:
      @kirby @meso @nekofag CSP absolutely does work and is necessary. It specifically prevents this type of attack. But you have to move your media to a subdomain for it to work properly.
    Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 23:12:03 JST:
      @EricZhang456 @kirby @meso @nekofag And if you do that... your website will be a plain white screen.
    Eric Zhang (ericzhang456@pl.starnix.network), Friday, 26-May-2023 23:12:04 JST:

      @kirby @alex @meso @nekofag just do script-src none;

    Alex Gleason (alex@gleasonator.com), Saturday, 27-May-2023 00:34:49 JST:
      @Arrian @meso @kirby @nekofag "sandbox" is not the magic term. Including a CSP header at all puts the page into whitelist mode, and you can't unwhitelist a resource you already whitelisted.
    Arrian (arrian@jvpiter.net), Saturday, 27-May-2023 00:34:51 JST:
      Works on Firefox for me. Brave doesn't handle "Content-Security-Policy: sandbox;" correctly?
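The disagreement in the thread (Kirby's sandbox header on /media, Alex's point that a CSP only governs the response it arrives with, Eric's script-src none, and the question of whether an isolated upload can still reach the instance's cookies) comes down to when a browser consults the policy on a /media response. The following is an added example, not code from the thread, from Pleroma or from any browser: a small JavaScript model of what one response from /media may do, depending on whether it was navigated to as a document or pulled in as a script. The function names parseCsp and classifyResponse and the sample headers are this example's own constructions; the model trusts the declared Content-Type the way a browser does under X-Content-Type-Options: nosniff.

```javascript
// Added example; not from the thread, Pleroma or a browser engine.
// Models how a browser treats a single response served from /media.

// Only these declared types can carry script when rendered as a document.
const SCRIPT_CAPABLE_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
]);

// Parse a Content-Security-Policy value into Map<directive, tokens>.
// As in the CSP spec, a directive repeated within one policy is ignored
// after its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// headers: object with lower-case header names.
// loadedAs: "document" (a user opens the /media URL, or it is framed) or
// "script" (the instance's own page referenced it with <script src>).
function classifyResponse(headers, loadedAs) {
  const contentType = (headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  const csp = parseCsp(headers["content-security-policy"] || "");

  if (loadedAs === "script") {
    // A CSP governs only the document it is delivered with. Headers on a
    // subresource response are not consulted; the embedding page's own
    // policy decided whether the fetch was allowed before it was made, and
    // the script runs with that page's origin.
    return { policyApplies: false, rendered: false, sameOrigin: true, scriptsRun: true };
  }

  // Content-Disposition: attachment turns a navigation into a download;
  // nothing is rendered, so no script runs.
  const disposition = (headers["content-disposition"] || "")
    .split(";")[0].trim().toLowerCase();
  if (disposition === "attachment") {
    return { policyApplies: true, rendered: false, sameOrigin: false, scriptsRun: false };
  }

  let scriptsRun = SCRIPT_CAPABLE_TYPES.has(contentType);
  let sameOrigin = true;

  // A bare "sandbox" directive applies every restriction: the document gets
  // an opaque origin (no access to the instance's cookies or storage) and
  // may not run script. Each allow-* token hands one capability back.
  const sandbox = csp.get("sandbox");
  if (sandbox !== undefined) {
    sameOrigin = sandbox.includes("allow-same-origin");
    scriptsRun = scriptsRun && sandbox.includes("allow-scripts");
  }

  // script-src 'none' (or default-src 'none' with no script-src) blocks
  // every script, inline or external, while leaving the origin alone.
  const scriptSrc = csp.get("script-src") ?? csp.get("default-src");
  if (scriptSrc && scriptSrc.length === 1 && scriptSrc[0].toLowerCase() === "'none'") {
    scriptsRun = false;
  }

  return { policyApplies: true, rendered: true, sameOrigin, scriptsRun };
}

// Worked cases on constructed headers (not captured from any instance).
const uploadedHtml = { "content-type": "text/html" };
const cases = {
  bare: classifyResponse(uploadedHtml, "document"),
  sandboxed: classifyResponse(
    { ...uploadedHtml, "content-security-policy": "sandbox;" }, "document"),
  sandboxedAsScript: classifyResponse(
    { "content-type": "text/javascript", "content-security-policy": "sandbox;" }, "script"),
  scriptSrcNone: classifyResponse(
    { ...uploadedHtml, "content-security-policy": "script-src 'none'" }, "document"),
  attachment: classifyResponse(
    { ...uploadedHtml, "content-disposition": "attachment" }, "document"),
};
```

Read the cases together: the same "sandbox" header that isolates an uploaded HTML file a victim opens directly does nothing for a script the instance's own page loads from /media, which is the distinction the thread circles around, and script-src 'none' stops script without taking away the origin. A model like this is only as good as the declared type it is fed; on a live instance the check is still `curl -sI` against a real upload followed by opening it in the browsers the instance's users actually run.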

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.