Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://ryona.agency/objects/d0d22afb-aa39-4733-8278-1267101a6ddb"> (mint@ryona.agency)'s status on Friday, 26-May-2023 15:39:21 JST</a><a href="https://ryona.agency/users/mint" title="mint@ryona.agency"><img src="https://gnusocial.jp/avatar/1002-48-20220724171046.webp" width="48" height="48" alt="" style="position: absolute; left: 0; top: 0;"></a><div><a href="https://lain.com/objects/0f44d4db-4340-4ea4-8cfd-01a849a88472" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/1291" title="lain@lain.com">on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ</a></li></ul></div></section><article><a href="https://lain.com/users/lain">@lain</a> <a href="https://poa.st/users/graf">@graf</a> Looks like there was a bit of social engineering involved. My first guess was, since poast runs Soapbox as default frontend and serves Pleroma-FE separately, the subdomain FE is on (<a href="http://pl.poa.st" rel="nofollow noreferrer">pl.poa.st</a>) might have not applied CSP rules, essentially giving all control over the local storage to the opened HTML with embedded JS. But that fails flat in his setup, since media is hosted on a separate domain (<a href="http://poastcdn.org" rel="nofollow noreferrer">poastcdn.org</a>) which should have those rules applied regardless.<br><a href="https://ryona.agency/media/0fcb39c9871e22783398c3f0285160830b65be7f0d30551c195ef3ba5780b8c4.png?name=Screenshot_20230526_093439.png">Screenshot_20230526_093439.png</a></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1589307#notice-3134600">In conversation</a><time datetime="2023-05-26T15:39:21+09:00" title="Friday, 26-May-2023 15:39:21 JST">Friday, 26-May-2023 15:39:21 JST</time> <span>from <span><a href="https://ryona.agency/objects/d0d22afb-aa39-4733-8278-1267101a6ddb" rel="external" title="Sent from ryona.agency via ActivityPub">ryona.agency</a></span></span><a href="https://ryona.agency/objects/d0d22afb-aa39-4733-8278-1267101a6ddb">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://pl.poa.st/">https://pl.poa.st/</a></h5><div></div></header><div></div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/1076879">Screenshot_20230526_093439.png</a></label><br><a href="https://ryona.agency/media/0fcb39c9871e22783398c3f0285160830b65be7f0d30551c195ef3ba5780b8c4.png?name=Screenshot_20230526_093439.png" rel="external">https://ryona.agency/media/0fcb39c9871e22783398c3f0285160830b65be7f0d30551c195ef3ba5780b8c4.png?name=Screenshot_20230526_093439.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/1076880">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
(mint@ryona.agency)'s status on Friday, 26-May-2023 15:39:21 JST
in reply to
- anime graf mays ?️?
- on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ
@lain @graf Looks like there was a bit of social engineering involved. My first guess was, since poast runs Soapbox as default frontend and serves Pleroma-FE separately, the subdomain FE is on (pl.poa.st) might have not applied CSP rules, essentially giving all control over the local storage to the opened HTML with embedded JS. But that fails flat in his setup, since media is hosted on a separate domain (poastcdn.org) which should have those rules applied regardless.
Screenshot_20230526_093439.png
In conversationFriday, 26-May-2023 15:39:21 JST from ryona.agencypermalink
Attachments
1. No result found on File_thumbnail lookup.
  https://pl.poa.st/
2. Screenshot_20230526_093439.png
  https://ryona.agency/media/0fcb39c9871e22783398c3f0285160830b65be7f0d30551c195ef3ba5780b8c4.png?name=Screenshot_20230526_093439.png
3. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice