Should Fediverse Web apps show remote content to unauthenticated users?
Uncategorized
34
Posts
19
Posters
5
Views
-
@virtuous_sloth the browser is loading a page on a.example that calls the API at b.example (either server-side or client-side, but much easier server-side) and formats the JSON response as HTML.
@evan That is not as clear as you seem to think.
When you say "the browser is loading a page on a.example" I think you really mean "the browser is loading a page *from* a.example". When you say "that calls the API at b.example" what I think you really mean is "the browser that has loaded the page from a.example which includes javascript code then runs that code which, in the browser, makes an HTTP connection to the b.example website, using the web API there to get some data. That data is ...
-
@evan That is not as clear as you seem to think.
When you say "the browser is loading a page on a.example" I think you really mean "the browser is loading a page *from* a.example". When you say "that calls the API at b.example" what I think you really mean is "the browser that has loaded the page from a.example which includes javascript code then runs that code which, in the browser, makes an HTTP connection to the b.example website, using the web API there to get some data. That data is ...
@evan either HTML representation of the information requested (in the case of server-side, which means server-side production of HTML which is then rendered in the browser, possibly as a subsection of the loaded page from a.example) or is simply data which is then received by the javascript in the browser that is then rendered into HTML by the javascript (in the case of client side), perhaps directly modifying the DOM of the page in the browser.
Maybe. I think developers think they are being...
-
@evan either HTML representation of the information requested (in the case of server-side, which means server-side production of HTML which is then rendered in the browser, possibly as a subsection of the loaded page from a.example) or is simply data which is then received by the javascript in the browser that is then rendered into HTML by the javascript (in the case of client side), perhaps directly modifying the DOM of the page in the browser.
Maybe. I think developers think they are being...
@evan clear when they are really relying on the reader to have developer-level understanding of all the moving parts that are hinted at by plain English words that do not mean the loaded information without explicit knowledge by the reader.
I'm not a developer, have a very good understanding of where code can run in what contexts on multiple servers with data flowing between them, which is how I guess at the above, but do not know enough details to be sure.
-
@evan clear when they are really relying on the reader to have developer-level understanding of all the moving parts that are hinted at by plain English words that do not mean the loaded information without explicit knowledge by the reader.
I'm not a developer, have a very good understanding of where code can run in what contexts on multiple servers with data flowing between them, which is how I guess at the above, but do not know enough details to be sure.
@evan And yes, I know that any communication would be tortuous if you had to assume nothing of your reader.
I suppose that is why I do appreciate it when you qualify your surveys with, for example, "Full-stack developers only".
-
@evan And yes, I know that any communication would be tortuous if you had to assume nothing of your reader.
I suppose that is why I do appreciate it when you qualify your surveys with, for example, "Full-stack developers only".
@evan To be more explicit, I think I understood your explanatory reply to your original survey but wanted clarification that the repeated word "it" was referring to the user's browser, or perhaps "the user's browser running javascript loaded in the page fromm a.example".
Your first sentence response to my question seemed to confirm this. But then your followup about server-side or client-side made me wonder if my contra-example of a.example proxying interaction with b.example was correct.
-
@evan To be more explicit, I think I understood your explanatory reply to your original survey but wanted clarification that the repeated word "it" was referring to the user's browser, or perhaps "the user's browser running javascript loaded in the page fromm a.example".
Your first sentence response to my question seemed to confirm this. But then your followup about server-side or client-side made me wonder if my contra-example of a.example proxying interaction with b.example was correct.
@virtuous_sloth It's usually correct. A lot of Fediverse servers use CORS or authenticated fetch to prevent loading the data directly into the browser. I feel like you're getting very particular about how it's implemented, which is fine. If that's important to you, express why and how it affects your answer in a reply.
-
undefined evan@cosocial.ca shared this topic
-
@evan
Yes, but...- only when the original posts are public or quiet-public.
- with appropriate protections against "ai" scrapers and whatever other prevailing threats of the day. -
@virtuous_sloth It's usually correct. A lot of Fediverse servers use CORS or authenticated fetch to prevent loading the data directly into the browser. I feel like you're getting very particular about how it's implemented, which is fine. If that's important to you, express why and how it affects your answer in a reply.
@evan Very well.
I'm trying to understand even the point of the question. In my mind, a web app running in a user's browser is under the user's control, for the most part, so even if the author of the web app thinks the answer is 'no' they have little recourse for users who modify the web app to show remote content when unauthenticated.
Should an unauthenticated user have access to data on b.example is a decision for b.example. But if b.example trusts a.example and a.example proxies...
-
@evan Very well.
I'm trying to understand even the point of the question. In my mind, a web app running in a user's browser is under the user's control, for the most part, so even if the author of the web app thinks the answer is 'no' they have little recourse for users who modify the web app to show remote content when unauthenticated.
Should an unauthenticated user have access to data on b.example is a decision for b.example. But if b.example trusts a.example and a.example proxies...
@evan for unauthenticated users, then I can see the question making some sense. But your explanation implies that no proxying is being done, so I fail to see how the web client app in the browser should be the place to enforce those decisions, therefore I conclude the question doesn't make sense and from that I conclude that I am misunderstanding something.
-
@evan yes but. I haven't ever considered this very closely but I suspect that there's probably some sort of easy abuse vector here that could get me to change my mind... 🤔
-
@evan Yes, but don't do it in the UK otherwise it throws you right into compliance issues with the OSA.
With login only you can at least plausibly say all your users are over 18.
-
@fabio search and AI spiders?
-
@evan oh this is a good one
I put "No", I think I prefer a redirect to the source. Though I think I could be pretty easily convinced that as long as the post marked "public" it should be fine
-
@evan@cosocial.ca Assuming it's public content: Yes.
The privacy expectation of a "public" should be that it's public. And showing remote content to unauthenticated users is actually really useful: A huge chunk of the accounts I follow I found by scrolling through profiles on other instances, and looking at reposts. -
@evan oh this is a good one
I put "No", I think I prefer a redirect to the source. Though I think I could be pretty easily convinced that as long as the post marked "public" it should be fine
@evan Hm, thinking more on this, if an AP post is quoting a remote post I think I would expect to see the remote content on the original page so maybe I'm shifting back up to yes on my own
-
@evan … but it should be a user-configurable option to withhold even one's "public" posts from unauthenticated users.
This mitigates access by blocked harassers, requiring them the delay of creating new accounts, presumably backed by new email accounts, to even see content from users who've blocked them. That added delay and inconvenience should accelerate most trolls getting bored of, for example, screenshotting and subtooting those who they'd previously harassed directly.
-
YB...
Probably yes for "public" content.
An instance might also limit heavier content to logged-in users to avoid performance issues (e.g. protect against getting DDOSed by a bot, etc).
-
@evan no but...
It should show a digest. Publishing and archiving are distinct from social media but the open web is not.
Discord is not an open web platform. Archiving is exfiltration. But an archive of a digest is just good practice.
The Fediverse is walking and chewing gum at the same time - social media on the open web. But that doesn't mean anonymous users get the privileges of social participation. They get some amount of aggregation and summarisation but as it comes with no expectation of reciprocity it comes with no guarantee of parity.
-
@evan I could see this being something someone wants. I don’t think it’s worth the development cost, and I certainly don’t think it should be a default setting.
-
@evan I voted No, because if you're a curious onlooker checking out the Fediverse, and you start browsing all from within one website, you may mistakenly believe the website you're on *is* the Fediverse (or Mastodon since that's often the branding).
Debatable still. 🤷
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Beth Humphreys 🌺 (@producrgrl.bsky.social)
https://bsky.app/profile/producrgrl.bsky.social/post/3mezlpwlqhs2s
> #handsoff #nokings #ReleaseALLthefiles #EpsteinFiles #lovemyGov #itsthefuckingguns #midterms26 #getridofElectoralCollege #TheEpsteinBallroom #blackhistorymonth Release ALL the files NOW 25th Ammendment NOW Abolish ICE NOW 👇👇👇
-
Punk Rock History (@punkrockhistory.bsky.social)
https://bsky.app/profile/punkrockhistory.bsky.social/post/3mezpkl3i5s2j
> 47 years ago today Blondie scored their first UK No.1 album when 'Parallel Lines' started a four-week run at the top of the charts, featuring the singles 'Heart Of Glass', 'Hanging On The Telephone' and 'Sunday Girl #blondie #poppunk #newwave #punkrockhistory #otd
-
L’ordine pubblico del governo a caccia di giovani | il manifesto
https://ilmanifesto.it/lordine-pubblico-del-governo-a-caccia-di-giovani
> Diritti (Commenti) Come avviene l’arresto di un manifestante indagato per scontri di piazza? Di solito gli agenti arrivano a notte fonda o alle prime luci dell'alba, entrano in casa mai in meno di quattro con passamontagna e pettorine, l’adrenalina è quella del blitz. Quando una dozzina di agenti tra Digos e Ros alle 4.30 di notte si
-
La Germania non partecipa, nel rispetto della Costituzione | il manifesto
https://ilmanifesto.it/la-germania-non-partecipa-nel-rispetto-della-costituzione
> Germania (Internazionale) Nein danke. Puntuale, secca, inequivocabile è la risposta di Berlino alla suggestione diffusa da Roma sul possibile coinvolgimento del governo tedesco nel Board of Peace su Gaza del presidente Usa. Al contrario dell'Italia, la Germania non parteciperà in alcuna veste al nuovo organismo di governance mondiale costruito da Donald Trump, «né come partecipante, né come
-
«Stupidi e ciechi reazionari». Impressioni di febbraio
@anarchia
Che lo sgombero di Askatasuna non potesse vedere che una risposta partecipata ed energica, era praticamente scontato. Non solo per il carattere “storico” del centro sociale – e la militarizzazione permanente del quartiere Vanchiglia che èhttps://www.rivoluzioneanarchica.it/stupidi-e-ciechi-reazionari-impressioni-di-febbraio/
-
@InternetEh the 00s somehow were even worse for music than the 90s.
-
Inps, parlare con te è un’esperienza
Una (lenta) conversazione surreale che ho avuto:
-
There's a massive WhatsApp account takeover campaign in Armenia right now
This seems to be a commodity spam operation, but investigators believe the attackers are exploiting SS7 👀
