dansup (dansup@mastodon.social)'s status on Tuesday, 03-Oct-2023 04:39:39 JST
@Yuvalne Pixelfed does have X-Frame-Options but not CSP by default, I will add CSP in the next version!
Talya (she/her) (yuvalne@433.world)'s status on Tuesday, 03-Oct-2023 04:39:52 JST
A new security vulnerability was found when combining #Chromium browsers with virtually all modern GPUs (Intel, Apple, Nvidia, AMD and ARM).
Neither #Google nor any of the mentioned vendors are planning on fixing it.
https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
#Mastodon, by the way, isn't vulnerable to this attack, thanks to having the `X-Frame-Options` and `Content-Security-Policy` headers. Many other fedi platforms, however, including #Pixelfed, #Firefish and #Writefreely, don't have them, at least when I tested.
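One way to repeat the header check mentioned in the thread, as an added example (not code from either poster or from any of the projects named): it classifies a response's framing protection from its `X-Frame-Options` and `Content-Security-Policy` headers. The function names and the sample header values are constructed for illustration, and the code assumes a single CSP header value per response.

```python
def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        # Directive names are case-insensitive; the first occurrence wins.
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers):
    """Classify who may embed the response in a frame, given its headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing header counts; ...-Report-Only never blocks framing.
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # Browsers that support frame-ancestors use it instead of X-Frame-Options.
        if not sources or sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin only"
        if "*" in sources:
            return "unprotected"
        return "allow-list"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin only"
    # Missing, malformed, or obsolete ALLOW-FROM values give no protection here.
    return "unprotected"


# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "both_headers": {"X-Frame-Options": "DENY",
                     "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'"},
    "xfo_only": {"x-frame-options": "sameorigin"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "wildcard_csp": {"X-Frame-Options": "DENY",
                     "Content-Security-Policy": "frame-ancestors *"},
    "no_headers": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_verdict(hdrs)}")
```

The `wildcard_csp` case is the one worth checking for after adding CSP to a site that already sends `X-Frame-Options`: a permissive `frame-ancestors` overrides the older header.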