C. T.

@c-t-

My name is initials, I'm cool

she/her

artist, bisexual menace, smol

C. T.@c-t-3/25/2024, 4:49 PM

Alice Lia Maro @slimelia

jane, of score @janederscore3/23/2024, 5:24 AM

no offense to the people making cute little widgets on cohost and i do believe them that they've all been pretty careful to prevent themselves from accidentally building ip scrapers and such. however the fact that ethics are the only thing that appears to be preventing someone from doing that Intentionally on their own funnie little poasts is uh, Concerning

#.jtxt #its especially concerning in the wake of all the transmisogynist harassment that's been going on this week #given the opportunity i'm pretty positive a few of you would absolutely build yourself a little doxxing machine on here.

Rita!@Predstrogen3/24/2024, 11:37 AM

This page's posts are visible only to users who are logged in.

gremling irl smelly @jeady3/24/2024, 12:38 PM

This page's posts are visible only to users who are logged in.

dragongirlsnout @minecraft3/24/2024, 3:11 PM

fun fact: these are made using PHP embedded as images (since cohost doesn't sanitize img src attributes, and the requests ignore CORS since they're inline images), and unlike when your browser fetches HTML documents, PHP files and the scripts within are processed entirely on their original server and only the result is sent to your machine, so these widgets are effectively closed-source and you can only take people's word for it that they're anonymizing your data!

@loth-catgirl3/24/2024, 6:49 PM

oh this is dangerous enough to kill the site

You must log in to comment.

in reply to @janederscore's post:

Vurr ΘΔ @transientbeast3/23/2024, 5:27 AM

uh i dont have any computer lang what is that how do you avoid it

jane, of score @janederscore3/23/2024, 5:40 AM

so what i'm talking about are posts that log identifying user information in order to serve you a specific thing. the post i'm talking about rn is one that's going around that gives you a fake little "post viewing debt" counter that will update every time your computer loads the post. an older, more Blunt example is the "spongebob literally doxxes you" post, where it's a randomly-selected image from spongebob squarepants with a text element overlayed that reads out your physical location.

both of the authors of these posts have stated that they went through the effort of anonymizing the data, and the spongebob poster specifically said that the information is not logged. and again, i do believe them! the people who made those posts seem trustworthy and i don't really feel like there's anything malicious at play whatsoever.

However . the issue i have is that when users are empowered to that extent, when the only restriction on their power is their own model of ethics, what is stopping someone from building a much more sinister machine. who's to say someone hasn't Already built a much more sinister machine, hidden in a completely innocuous image post that is already circulating.

the question of "malware on cohost" is not an if but a when, and honestly there probably already Are pieces of malware circulating that no one has yet been made aware of. i'm not a compsci major, i don't know how to solve this problem without gutting the user-accessible css tools, but its something that i think would probably be an extremely high priority problem to solve if i was running the show here.

Vurr ΘΔ @transientbeast3/23/2024, 5:43 AM

oh god yeah thats, very concerning. thank you for explaining

lamp @ledlamp3/26/2024, 4:45 AM

all sites you visit know you ip, if it really bothers you you should use a proxy/vpn.

jane, of score @janederscore3/26/2024, 4:46 AM

there's a difference between a website knowing identifying information about me and a semi-anonymous user knowing identifying information about me. hope this helps!

lamp @ledlamp3/26/2024, 4:59 AM

another way this could be abused is that someone could embed a huge image file or even an image of infinite size and burn up peoples' mobile data

in reply to @Predstrogen's post:

dragongirlsnout @minecraft3/24/2024, 12:19 PM

yeah these are uh. not good. i saw one of these posts yesterday, took one look and the php script it loaded through an image embed, and decided to start blocking web requests for non-image filetypes through image src attributes.

Alice Lia Maro @slimelia3/24/2024, 12:42 PM

how did you achieve that, might i ask?

dragongirlsnout @minecraft3/24/2024, 1:01 PM

The webextension declarativeNetRequest api

unarei @noa3/25/2024, 6:55 AM

btw, requests to images on external servers can do the same thing, the server can log the request. if you want to prevent any potential external ip logging, you have to prevent any requests that go off the cohost domain & cdn. cohost themselves could do this with a content security policy if they wanted, but it would break lots of posts.

lamp @ledlamp3/26/2024, 4:42 AM

that's not going to solve anything

the external server can serve anything at any url, it can have .png extension and work the same, or it could have no extension.

dragongirlsnout @minecraft3/26/2024, 9:18 AM

Fixed that already by just blocking all third party requests.

lamp @ledlamp3/26/2024, 4:41 AM

where is the post in the screenshot?