@NEETzsche @alex the advice was still correct, i just found a separate exploit that wasn't used, apparently. The one I found is fixed by the CSP setting, the more general one that we found in our oembed parser/pleroma-fe is being fixed by a new release we're preparing, but moving the media and proxy to their own domains like alex recommended will also fix both issues.