Asklemmy

43138 readers

1647 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
[email protected]: a community for finding communities

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago

MODERATORS

[email protected]

250

What are these comments on lemmy posts? (lemmy.sdf.org)

submitted 1 year ago by [email protected] to c/[email protected]

86 comments fedilink hide all child comments

Are they just an issue with wefwef or trying to use an exploit

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 18 points 1 year ago (2 children)

Doesn't Lemmy use HttpOnly cookies? This would fix any js based exploit.

[–] [email protected] 14 points 1 year ago (1 children)

Also, strict CSP would prevent it entirely.

[–] [email protected] 4 points 1 year ago (1 children)

out of curiosity, what CSP options would fix this?

[–] [email protected] 13 points 1 year ago

To prevent execution of scripts not referenced with the correct nonce:

script-src 'self' 'nonce-$RANDOM'

To make it super strict, this set could be used:

default-src 'self';
script-src 'nonce-$RANDOM'
object-src 'none';
base-uri 'none';
form-action 'none';
frame-ancestors 'none';
frame-src 'none';
require-trusted-types-for 'script'

Especially the last one might cause the most work, because the "modern web development environment" simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to self if forms are actually used to send data to the server and not handled by Javascript.

The MDN has a good overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

[–] [email protected] 4 points 1 year ago (1 children)

I don't know what Lemmy uses tbh. I don't even know if the code would work when run. Like i don't know e.g. if they grab the username(?) correctly. I just understand their intentions but yeah their execution might be horrible.

[–] [email protected] 4 points 1 year ago (1 children)

I'd be willing to bet they're using the API to make all the changes. The cookie has the jwt token. I don't believe you need the username (at least judging by the js API docs).

[–] [email protected] 2 points 1 year ago

Someone said they think it is to know if the user is admin. I haven't verify it. And I tried to make clear that username was a guess.