mstdn.starnix.network is one of the many independent Mastodon servers you can use to participate in the fediverse.
Starnix is a Fediverse/ActivityPub Focused platform. Topics are mainly Technology and computer related but are not required to fall into those categories.

kirby
Quiet public

@meso is the asbestos fine

meso
Quiet public
@kirby probably
kirby
Quiet public

@meso did you put the silly nginx lines in the config

meso
Quiet public
@kirby did it as soon as gleason posted them
paulo
Quiet public
@meso @kirby what are the silly lines :marseyclueless:
meso
Quiet public
@paulo @kirby

location /api/pleroma/admin { deny all; }
location /api/v1/pleroma/admin { deny all; }

@meso @paulo this is just for denying access to adminfe you should deny all javascript files on media as well

meso
Quiet public
@kirby @paulo tried, dunno how, it didn't work
meso
Quiet public
@kirby try adding this if you want @nekofag
meso
Quiet public
Alex Gleason
Public
@meso @kirby @nekofag I have confirmed that this in fact does not work.
:archlinux: :alpinelinux: :blobcat_flop:
Public
@alex @meso @kirby @nekofag not much of a sandbox
kirby
Quiet public

@alex @meso @nekofag sandbox implies that this is being run isolated; can you grab cookies with a script and these rules?

Alex Gleason
Quiet public

@kirby @meso @nekofag It simply isn’t how CSP works. When you request /, you get the CSP then and there. It doesn’t matter what the CSP headers are on requests made from inside that page. Resources are either allowed or blocked before they’re requested, not after you have a response.

kirby
Quiet public

@alex @meso @nekofag so you're saying that it's just a nice looking label and the web browser doesn't actually isolate it (the script) from much

Eric Zhang
Quiet public

@kirby @alex @meso @nekofag just do script-src none;

Alex Gleason
Quiet public
@EricZhang456 @kirby @meso @nekofag And if you do that... your website will be a plain white screen.
Alex Gleason
Quiet public
@kirby @meso @nekofag CSP absolutely does work and is necessary. It specifically prevents this type of attack. But you have to move your media to a subdomain for it to work properly.
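An added example of the split Alex describes, not config from this thread or from the Pleroma project: the two deny lines posted earlier in the thread, plus uploads and the media proxy moved off the instance's origin onto a separate host, so that `'self'` in the page's script-src no longer covers anything a user can upload. Host names, the upstream address and the TLS lines are placeholders. The instance must also be configured to emit its media and proxy URLs on the media host (in Pleroma that is, as I understand it, the `base_url` setting of `Pleroma.Upload` and of `:media_proxy`; treat the exact keys as an assumption to check against the docs for your version), and the example assumes the instance's own CSP keeps script-src at `'self'`, which is what the split relies on.

```nginx
# Added example, not config from this thread or from Pleroma itself.
# Placeholders: pleroma.example, media.pleroma.example, 127.0.0.1:4000.

upstream pleroma_backend {
    server 127.0.0.1:4000;   # assumption: Pleroma listening on its default port
}

# Instance origin: frontend and API. Its CSP script-src 'self' must not
# cover anything a user can upload, so nothing under /media or /proxy is
# served from here.
server {
    listen 443 ssl http2;
    server_name pleroma.example;

    # ssl_certificate     /etc/letsencrypt/live/pleroma.example/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/pleroma.example/privkey.pem;

    # The two lines from earlier in the thread: AdminFE's API is not reachable
    # through the public host at all (reach it via an SSH tunnel instead).
    location /api/pleroma/admin    { deny all; }
    location /api/v1/pleroma/admin { deny all; }

    # Old links keep working via redirect. A <script src="/media/x.js"> on this
    # origin is still blocked: browsers re-check CSP against the redirect
    # target, and media.pleroma.example is not 'self' here.
    location /media/ { return 301 https://media.pleroma.example$request_uri; }
    location /proxy/ { return 301 https://media.pleroma.example$request_uri; }

    location / {
        proxy_pass         http://pleroma_backend;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

# Media origin: no session of its own to steal, and not 'self' for the
# instance, so an uploaded .html or .js file cannot run with the instance's
# origin no matter what headers it is served with.
server {
    listen 443 ssl http2;
    server_name media.pleroma.example;

    # ssl_certificate / ssl_certificate_key for media.pleroma.example

    # Only the upload and media-proxy paths exist on this host.
    location ~ ^/(media|proxy)/ {
        proxy_pass         http://pleroma_backend;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # Belt and braces on top of the origin split that does the real work:
        # a document opened directly on this host gets a unique, sandboxed
        # origin, and nothing here is MIME-sniffed into HTML or script.
        # Replace the backend's own CSP rather than stacking a second one.
        proxy_hide_header Content-Security-Policy;
        add_header Content-Security-Policy "sandbox" always;
        add_header X-Content-Type-Options  "nosniff" always;
    }

    location / { return 404; }
}
```

To check the split after reloading nginx, upload an attachment and confirm its URL in the API response points at the media host, then `curl -I` the same path on the instance host and expect a 301 rather than the file. The `add_header` lines on the media host are a secondary layer only; the protection the thread is after comes from the media host not being `'self'` for the instance's pages.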
Matty-kun
Public
Hmm, so NGINX CSP doesn't work in this regard?
Arrian
Public
Works on Firefox for me. Brave doesn't handle "Content-Security-Policy: sandbox;" correctly?
Arrian
Public
nevermind it works on Brave too
Alex Gleason
Public
@Arrian @meso @kirby @nekofag "sandbox" is not the magic term. Including a CSP header at all puts the page into whitelist mode, and you can't unwhitelist a resource you already whitelisted.
Arrian
Public
@alex @meso @kirby @nekofag Yeah I was testing incorrectly
(⁠◠⁠‿⁠・⁠)⁠—⁠☆
Quiet public
@meso @kirby i dont use nginx
meso
Quiet public
@nekofag @kirby oh right. it adds content-security-policy: sandbox to any resource in media/proxy, should be easy to make an equivalent for apache. i think you already did something so it might not be necessary but still a nice security tweak
paulo
Quiet public
@kirby @meso :naruhodo:
i know nothing of nginx, where exactly do i put that?

is that enough? do you actually need media under a subdomain?
meso
Quiet public
@kirby @paulo depends on where you put it, you can put it anywhere inside sites-available

the way it works is that sites-available is just a random directory. in apache it meant something, but here it's just a directory to store configs that don't do anything on their own. you then symlink those configs into the sites-enabled/ folder and include sites-enabled/* inside nginx.conf, so that all the configs symlinked there take effect
kirby
Quiet public

@meso @paulo sites-available is symlinked to sites-enabled on debian I think (and hope)

paulo
Quiet public
@kirby @meso the whole folder?
i don't think so, i remember making the symlink for the files themselves
kirby
Quiet public

@paulo @meso oh well then just go to sites enabled

meso
Quiet public
@paulo @kirby i just make symlinks, if it symlinks the two folders entirely there's no point to it, just use a confs/ directory or something and include it in nginx
meso
Quiet public
@paulo @kirby give me access to your server unironically (alternatively put it inside the server block in your pleroma nginx config file)
paulo
Quiet public
@meso @kirby still in bed :marseysleep: