staff
@staff

happy normal thursday of no consequence! as far as we know, nothing else is happening today. just a normal thursday the 20th.

big week this week! jae’s health has been Steadily Improving and so we actually shipped some shit! but first: news on a New Feature, a eulogy for a longstanding bug, and a conclusion to its bounty.

two-factor authentication is going live tomorrow!

two-factor authentication is finally, actually, for real going to ship tomorrow. you’ll be able to find it in your user settings. there’s a note at the bottom of the post for people running bots. if that’s you, read it. if it’s not, don’t read it. or do. whatever.

RIP the CORS image upload bug (we think)

first off: despite firefox claiming this was a CORS problem, it actually wasn’t. thanks to actionable information from @drewbabe, we determined the true cause: poorly constructed URL block lists.

for performance, we upload images directly to our storage provider (Digital Ocean Spaces, an S3-compatible service operated by not-Amazon) instead of routing through our servers on the way. for legacy reasons related to how cloudflare worked, we had to upload straight to Digital Ocean’s domain instead of using one we control.

one of the popular anti-phishing lists available in a number of ad blockers (uBlock Origin, AdGuard, Pi-Hole) consumes a bunch of upstream blocklists, strips the path off of them, and blocks the entire hosting domain. this is Bad because these upstream blocklists are specifically designed to block only a single URL, not an entire domain. to put it another way, the lists are designed to include no false positives — and as a result there’s no way to get a URL off of them — but because of how they’re being consumed, the version you can add to your ad blocker blocks a large number of false positives.

that big list of false positives included three different regions at Digital Ocean, one of which is the one we used (SFO3). for some reason, when this was tripped, firefox reported it as a CORS error, which made discovering the true issue impossible for us.

we now route image uploads to our CDN domain (something we can do because of how fastly works vs. how cloudflare works) so we shouldn’t get blocked again by this list.

an aside: if you’re using this phishing filter list (“Phishing URL Blocklist” in uBlock Origin), it’s broken in such a way that it’s probably breaking a lot of stuff silently. you can keep it on if you want, but if a lot of the web has been subtly broken since you started running an ad blocker, this might be at fault.

we think this was the only issue, but if you’re still seeing problems please let us know.


the rest of the changes

  • released the rest of the new @dzuk designed eggbug emoji we teased last week!
    • these are limited to cohost plus! subscribers. if you’re not subscribed, consider changing that! only $5 per month and the best way to help keep us going.
  • made changes to how we load attachment thumbnails
  • new graphic on the login page! log out to see it!
  • fixed an issue with our deployment process that made deploys fail if they happened too close together
    • not if they overlapped (not possible), just if they happened within like an hour of each other. jae is very glad this one is fixed.
  • fixed a bug where user notes could prevent a page from being deleted
  • fixed a bug where shared posts by pages that had since become private would leak information about the share (tags, dates, etc)
    • shares where all posts in the thread are private or deleted are now fully hidden.

that’s all for this week! thanks for using cohost!


a quick note on 2fa for unofficial API users

if you run a cohost bot built on any of the unofficial client libraries, the old login API is not capable of logging in user accounts with two-factor authentication enabled. the old API is internally deprecated, but will continue to work (minus the 2fa caveat) until our public API has been released. if your bots are on the same account as your main page, you should set up a second cohost account with only your bots on it and use that login for posting. please e-mail us at support@cohost.org for assistance getting your bot pages moved over.

if you’re not running a bot, this doesn’t impact you! keep posting as normal.
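
The blocklist failure described in the post above (a URL-level phishing feed collapsed into whole-domain blocks), as an added example that is not part of the original post or cohost's code. The feed entries, hostnames and upload URL are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample of an upstream URL-level phishing feed (not real data).
const UPSTREAM_FEED = [
  "https://sfo3.storage-provider.example/bad-bucket/login.html",
  "https://phish-only.example/",
  "https://nyc3.storage-provider.example/other-bucket/verify/index.html",
];

// Upstream intent: block only the exact listed URL.
function buildExactRules(feed) {
  return new Set(feed.map((u) => new URL(u).href));
}

// The flawed consumption described in the post: drop the path, keep the host.
function buildHostRules(feed) {
  return new Set(feed.map((u) => new URL(u).hostname));
}

function isBlockedExact(rules, url) {
  return rules.has(new URL(url).href);
}

function isBlockedByHost(rules, url) {
  return rules.has(new URL(url).hostname);
}

// Audit: hosts whose feed entries all carried a path. The feed never claimed
// the whole host was malicious, so a host-wide rule over-blocks there.
function overBroadHosts(feed) {
  const hosts = new Map(); // hostname -> true if some entry listed the site root
  for (const u of feed) {
    const { hostname, pathname } = new URL(u);
    hosts.set(hostname, (hosts.get(hostname) || false) || pathname === "/");
  }
  return [...hosts].filter(([, rootListed]) => !rootListed).map(([h]) => h).sort();
}

// A legitimate direct-to-storage upload on the same shared host (constructed).
const UPLOAD_URL = "https://sfo3.storage-provider.example/site-uploads/image.png";

function demo() {
  return {
    exact: isBlockedExact(buildExactRules(UPSTREAM_FEED), UPLOAD_URL),
    hostOnly: isBlockedByHost(buildHostRules(UPSTREAM_FEED), UPLOAD_URL),
    overBroad: overBroadHosts(UPSTREAM_FEED),
  };
}

console.log(demo());
```

the audit function is the useful part for anyone maintaining a derived list: any host it returns is one where the path-stripping step widened a single-URL listing into a block on every tenant of that host.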



in reply to @staff's post:

does anyone know what’s going on when cohost will occasionally load into a new tab prefaced by the entire screen filling with a large blue closeup of the logo? i don't wanna call it a bug because it’s fun, like a shiny pokemon, but i am more than a little curious

fascinating! fwiw, the way umatrix works is by modifying CSP headers to convince the browser to not load scripts etc from particular domains, so i wouldn't be at all surprised if ublock origin uses CORS to prevent xhr to blocked domains

but then i don't know why it would overwhelmingly show up from only firefox. i mean, it's the same codebase. maybe chrome users just love ads??

I remember from a browser poll several months ago that Cohost folk are weirdly disproportionately Firefox users, so not sure if that impacts it. Conceivably at this juncture in Chrome's market dominance being a Firefox user now entails having made a certain kind of choice, like being an Opera user used to—some of our vendor web apps for instance only work in Chrome, just like the good old "Designed for IE6" days :D—and that persona also entails being more likely to use an ad-blocker. (disclaimer: used to be an Opera user, now use nothing but FF, had not seen this bug yet)