Should Fediverse Web apps show remote content to unauthenticated users?
-
@virtuous_sloth It's usually correct. A lot of Fediverse servers use CORS or authenticated fetch to prevent loading the data directly into the browser. I feel like you're getting very particular about how it's implemented, which is fine. If that's important to you, express why and how it affects your answer in a reply.
@evan Very well.
I'm trying to understand even the point of the question. In my mind, a web app running in a user's browser is under the user's control, for the most part, so even if the author of the web app thinks the answer is 'no' they have little recourse for users who modify the web app to show remote content when unauthenticated.
Whether an unauthenticated user should have access to data on b.example is a decision for b.example. But if b.example trusts a.example and a.example proxies...
-
@evan for unauthenticated users, then I can see the question making some sense. But your explanation implies that no proxying is being done, so I fail to see how the web client app in the browser should be the place to enforce those decisions, therefore I conclude the question doesn't make sense and from that I conclude that I am misunderstanding something.
-
@evan yes but. I haven't ever considered this very closely but I suspect that there's probably some sort of easy abuse vector here that could get me to change my mind... 🤔
-
@evan Yes, but don't do it in the UK otherwise it throws you right into compliance issues with the OSA.
With login only you can at least plausibly say all your users are over 18.
-
@fabio search and AI spiders?
-
@evan oh this is a good one
I put "No", I think I prefer a redirect to the source. Though I think I could be pretty easily convinced that as long as the post is marked "public" it should be fine
-
@evan@cosocial.ca Assuming it's public content: Yes.
The privacy expectation of a "public" post should be that it's public. And showing remote content to unauthenticated users is actually really useful: A huge chunk of the accounts I follow I found by scrolling through profiles on other instances, and looking at reposts.
-
@evan Hm, thinking more on this, if an AP post is quoting a remote post I think I would expect to see the remote content on the original page so maybe I'm shifting back up to yes on my own
-
@evan … but it should be a user-configurable option to withhold even one's "public" posts from unauthenticated users.
This mitigates access by blocked harassers, requiring them the delay of creating new accounts, presumably backed by new email accounts, to even see content from users who've blocked them. That added delay and inconvenience should accelerate most trolls getting bored of, for example, screenshotting and subtooting those who they'd previously harassed directly.
-
YB...
Probably yes for "public" content.
An instance might also limit heavier content to logged-in users to avoid performance issues (e.g. protect against getting DDOSed by a bot, etc).
-
@evan no but...
It should show a digest. Publishing and archiving are distinct from social media but the open web is not.
Discord is not an open web platform. Archiving is exfiltration. But an archive of a digest is just good practice.
The Fediverse is walking and chewing gum at the same time - social media on the open web. But that doesn't mean anonymous users get the privileges of social participation. They get some amount of aggregation and summarisation but as it comes with no expectation of reciprocity it comes with no guarantee of parity.
-
@evan I could see this being something someone wants. I don’t think it’s worth the development cost, and I certainly don’t think it should be a default setting.
-
@evan I voted No, because if you're a curious onlooker checking out the Fediverse, and you start browsing all from within one website, you may mistakenly believe the website you're on *is* the Fediverse (or Mastodon since that's often the branding).
Debatable still. 🤷
-
@evan I voted "Yes, but" before I read your explanation post.
I was thinking of features such as server A showing a "From around the Fediverse" list of posts, perhaps "curated" with high numbers of likes or retoots (to avoid objectionable content accidentally being shown).
I'm not a fan of server A becoming a de facto proxy to the rest of Fedi. A web crawl could destroy a small server by using it like a CDN. Not sure what is a good approach (my lack of knowledge, not that there isn't one).
-
@evan Yes but only because I can't think of a reason NOT to