Sometimes I learn things about #ActivityPub and wonder “what the hell were they smoking?” https://cyberplace.social/@GossiTheDog/114058565002752078
-
@jwildeboer lol, thankfully that's not a protocol thing.
-
@mariusor@metalhead.club @jwildeboer@social.wildeboer.net this is mildly concerning, but is no different from an http server serving different websites for different clients.
Were they smoking things when designing http? Probably, but that's tangential
-
@julian maybe I misunderstood the post from LivingCooki, but I really don't think that HTTP has that kind of string interpolation anywhere in its protocol.
-
@jwildeboer@social.wildeboer.net actually while I'm at it, "http servers serving different things based on who's requesting it" is a foundational element of the web.
The fact that you are a "logged in" version of your app is proof of that.
-
@jwildeboer @mariusor @julian all it is is a server returning a different response to a different client. Like I can do a website that serves you different content based on information in the request, e.g., user-agent; this is no different.
All that server has is software that replaces "$instance" with the instance indicated in the request (via HTTP message signatures).
-
@thisismissem It's not about if this hack is technically fine and correct, it is about the effects it causes on users that are not deep into the technical details. While this specific example was just shitposting, it can be abused for more nefarious things. So social v technical consequences, really. @mariusor @julian
-
@julian In this case I didn't interact with the server in question at all. Someone I follow boosted the toot on that server, hence my instance fetched it and got a toot back with the variable replacement, which now showed up on the public feed of my instance. Leading to someone sending me a DM to check if my instance was possibly compromised. Which it wasn't. But that stole time from a visitor of my public feed, me, and the company hosting my instance. LOL, I guess?
-
@jwildeboer@social.wildeboer.net Right, there's a possible social engineering vector at play here, which I think makes this a little concerning.
I certainly don't like my time wasted either.