GNU social JP
GNU social JP is a Japanese GNU social server.
     (mint@ryona.agency)'s status on Monday, 29-May-2023 23:04:54 JST
    in reply to
    • anime graf mays ?️?
    • lainy
    • Alex Gleason
    @lain @alex @graf >Move your media and proxy to a subdomain
    Yeah, I'm not doing that. There are six mirrors across different networks, all of which would need to have subdomains configured somehow, even the one that is a plain IPv6 without a domain (moving it to a different port like I did with bloat?). Old media would still dangle in the same dir unless you introduce more overhead by putting redirects.
    Speaking of media, here's my setup:
    >mediaproxy is disabled as it doesn't play well with upstream proxies, the state of HTTP adapters in Erlang/Elixir is abysmal and you all know it
    >nginx serves media directly from Pleroma's upload dir, adding sandbox CSP by itself and bypassing Cowboy, Oban and other shit
    >since nginx doesn't analyze file contents, it sends the MIME type corresponding to the extension, so you can't load a js file uploaded as txt because it'll be text/plain or octet-stream (don't remember if that's also a default Pleroma behavior or not)
    >as for .js uploads themselves, they all return 403, that was one of the first things I did after the initial hack
    So far I don't see how it can be exploited if there's no way to access any scripts that aren't part of frontend, due to the basic 403, CORS/CSP block on subdomain or otherwise.
    In conversation, Monday, 29-May-2023 23:04:54 JST from ryona.agency (permalink)
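The setup the post describes (nginx serving the Pleroma upload dir directly, Content-Type chosen from the file extension only, a sandbox CSP on every media response, and a flat 403 for .js uploads) can be written as an nginx config. The config below is an added example, not the poster's actual configuration or anything shipped by Pleroma; the hostname, the upload path `/var/lib/pleroma/uploads`, the `/media/` URL prefix and the backend port 4000 are assumptions. It goes one step beyond the post by also adding `X-Content-Type-Options: nosniff`, which keeps a browser from second-guessing the extension-derived MIME type.

```nginx
# Added example config (not from the post). Paths, host and port are assumptions.
events {}

http {
    # Content-Type comes from the extension table only; nginx never inspects
    # file contents, so an unknown extension falls back to octet-stream.
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    server {
        listen 443 ssl http2;
        server_name instance.example;            # placeholder hostname
        ssl_certificate     /etc/ssl/instance.example/fullchain.pem;  # placeholder
        ssl_certificate_key /etc/ssl/instance.example/privkey.pem;    # placeholder

        # Uploads are read straight from disk, bypassing the Pleroma backend.
        location /media/ {
            alias /var/lib/pleroma/uploads/;     # assumed upload dir

            # Script uploads are refused outright, as described in the post.
            location ~* \.(js|mjs)$ {
                return 403;
            }

            # Sandbox CSP on every media response: an uploaded HTML or SVG file
            # opened as a document gets no script, no forms and an opaque origin.
            add_header Content-Security-Policy "sandbox" always;

            # Not in the post: tell browsers to trust the extension-derived
            # Content-Type instead of sniffing a .txt into something executable.
            add_header X-Content-Type-Options "nosniff" always;

            try_files $uri =404;
        }

        # Everything else still goes to Pleroma (Cowboy) as usual.
        location / {
            proxy_pass http://127.0.0.1:4000;    # assumed backend address
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Two details worth checking after deploying something like this: `add_header` directives are not inherited into a nested `location` that declares its own `add_header`, so any header added inside the `~* \.(js|mjs)$` block would silently drop the CSP from the parent; and the regex match is on the request path, so a file uploaded with a `.js` extension is blocked even though the same bytes uploaded as `.txt` are served as `text/plain`, which is exactly the behaviour the post relies on.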
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.