205
submitted 1 year ago by hedge@beehaw.org to c/technology@beehaw.org
you are viewing a single comment's thread
view the rest of the comments
[-] curiousgoo@beehaw.org 10 points 1 year ago

Uhh.. not clear on what you're claiming here... you can validate the traffic is going to the expected instance using a web app, without requiring any special software by running Developer tools and heading to the network tab.

[-] AnarchoYeasty@beehaw.org 9 points 1 year ago* (last edited 1 year ago)

Web front ends currently require a backend service that then routes to your intended destination because Lemmy servers by default are configured with cors to only allow requests from their intended domain. There is a PR to fix it but I don't believe it's been merged in. This may be out of date but that was true as of a few weeks ago per the dev of Voyager which is the web frontend I use

edit: this is no longer true. A PR 2 weeks ago fixed this issue and web front ends are able to work just as well as a native app now.

[-] aserraric@discuss.tchncs.de 9 points 1 year ago

I've looked at the traffic, and all calls go directly to the API of my instance. I don't think Alexandrite even runs a backend.

[-] AnarchoYeasty@beehaw.org 3 points 1 year ago

Turns out the cors issue was fixed the other week. Nevermind then.

[-] curiousgoo@beehaw.org 8 points 1 year ago* (last edited 1 year ago)

I see, but how is this different in a phone app? Wouldn't the request still be made to a backend?

[-] AnarchoYeasty@beehaw.org 5 points 1 year ago

1.) Turns out this is no longer true because the cors issue is fixed as of two weeks ago.

But to answer your question:

Well that's the really silly part about it. You see, the way CORS works is that it only works if the client making the request implements cors. In this case when I say client I'm talking about your web browser itself. Native applications, or hitting an API directly via network calls, don't implement cors and thus you can make the calls all you want and the server responds. So even when cors was configured to only allow requests from the correct domain it only affected people with web browsers.

However two weeks ago a PR was merged into the Lemmy source code setting the cors to by default allow requests from anyone instead of a specific domain.

[-] anlumo@feddit.de 1 points 1 year ago

That checks it only for the current session, though. The app might do nefarious things only on new moons, or on a specific date. It might also get updated at any point with completely new code without you noticing.

[-] GammaGames@beehaw.org 1 points 1 year ago
[-] anlumo@feddit.de 2 points 1 year ago

Same level of paranoia that makes someone check the dev tools for data transfers in the first place.

this post was submitted on 21 Jul 2023
205 points (100.0% liked)

Technology

37708 readers
386 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS