🐕

can i get an uhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh.. burgr pls...

oops

while fiddling with trying to center some images within the page description (kinda related to the puppy button!), @delan and i realised that

| oh yeah, | markdown has | tables |
|:---|:---:|---:|
| and they | have some text | alignment options |
| such as | | |
| left | center | and right |

maybe we could make a table with a single column, expand the row until it fills the sidebar, and then use the center alignment to center the image?

well. no. img elements in the sidebar are display: block, so they don't undergo text layout. bummer.

ok, now it's time for delan to be adorable and make a really wide table cell that just says awawawawawawawawawwawawa (that is, /^a(wa)+$/).

a screenshot of just the very bottom of delan's profile. she's got some old web style icons (annoyingly left-aligned), below which is a wide table cell containing "awawawawawa" that just barely extends outside the sidebar and into the gap between the sidebar and posts column on her profile page.

💭 oh. that's weird.

the table cell gets wide. really wide. wide enough to escape the confines of the page's sidebar and overlap the posts. let's have a laugh about this and then forget

⏭️ smash cut to the next day ⏭️

ah. shit.

a screenshot of cohost where a bunch of the page is covered by a mostly transparent image with hand-written text that says "the clickjack zone". there's a badly drawn eggbug in the corner too.

the user's cursor is over the link to @bark-test, but in tiiiiiny text down in the bottom left, it's actually a link to https://google.com. oops.

since imgs are max-width: 100%, they're more than happy to expand to fill their container. and because the table is Wide, it's now a very big container, and the image can cover the whole page. that's a little worse than just some text poking out.

if we wrap the image in a markdown link, though, now a good portion of clicks in the ui will actually interact with the user-controlled sidebar link instead of the intended target. uhhhh, fuck.

if we get really evil, and make the image truly transparent,

basically the same screenshot, but zoomed in to only the sidebar and the profile link the cursor is hovering over. there's no longer an obvious image covering everything.

so yeah, of course this still works. but now it's invisible and you can't tell you're suffering Hijinks unless you pay close attention to the link callout and your cursor being a pointer over most of the page.

its wednesday baby. you know what that means. its time to drink precisely no beer and email security@cohost.org

i've sent an email to security@cohost.org. you can't read the subject, since the column has been shrunk such that only the letters "un..." are visible.

(keep in mind that the page description shows up in single post views too, so Ooops you can also clickjack someone if they open your post by itself. that actually seems a lot worse than the profile issue, thinking back)

so yeah. thanks staff for the quick response and shoutout in the patch notes. that was cool. thanks for making cohost, too. woof 🐶
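An added example, not part of the original post and not cohost's code: a layout regression check that flags any rendered user-content box reaching outside the container it is supposed to stay in, which is the condition the wide table cell and the `max-width: 100%` image created here. The function names, the sample layout numbers, and how `root` is located are all assumptions made for illustration.

```javascript
// Added example. Rects use the DOMRect field names returned by
// getBoundingClientRect(): left, top, right, bottom.
const area = (r) =>
  Math.max(0, r.right - r.left) * Math.max(0, r.bottom - r.top);

const intersect = (a, b) => ({
  left: Math.max(a.left, b.left),
  top: Math.max(a.top, b.top),
  right: Math.min(a.right, b.right),
  bottom: Math.min(a.bottom, b.bottom),
});

// Report every user-content box whose on-screen area reaches outside the
// container. Pure geometry: a fully transparent image is flagged the same
// way as a visible one.
function findEscapes(container, viewport, boxes) {
  const findings = [];
  for (const box of boxes) {
    const onScreen = intersect(box.rect, viewport);
    const contained = intersect(onScreen, container);
    const escapedPx = area(onScreen) - area(contained);
    if (escapedPx <= 0) continue;
    findings.push({
      tag: box.tag, href: box.href, escapedPx,
      viewportShare: escapedPx / area(viewport),
      capturesClicks: box.href !== null, // wrapped in a link
    });
  }
  return findings;
}

// Browser-side collector for a UI test; `root` is the element holding the
// rendered user markdown (hypothetical: locate it however your page does).
function collectBoxes(root) {
  return [...root.querySelectorAll("a, img, table")].map((el) => ({
    tag: el.tagName.toLowerCase(),
    href: el.closest("a")?.href ?? null,
    rect: el.getBoundingClientRect(),
  }));
}

// Constructed layout: 1280x800 viewport, 300px-wide sidebar.
const VIEWPORT = { left: 0, top: 0, right: 1280, bottom: 800 };
const SIDEBAR = { left: 40, top: 100, right: 340, bottom: 700 };
const SAMPLE_BOXES = [
  { tag: "img", href: null, rect: { left: 50, top: 120, right: 138, bottom: 151 } },
  { tag: "img", href: "https://google.com", rect: { left: 40, top: 400, right: 1240, bottom: 1150 } },
];
const SAMPLE_FINDINGS = findEscapes(SIDEBAR, VIEWPORT, SAMPLE_BOXES);
```

In a browser test, pass `collectBoxes(root)` together with the sidebar's own `getBoundingClientRect()` and fail the test when the result is non-empty.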



in reply to @bark's post:

lmao this completely missed my attention when you first posted it and I only saw it just now when you posted about it not getting attention

great writeup, love reading more about how you figured this one out