Alex Gleason on Nostr: CSP is harder to lock down for sites like fe.soapbox.pub whose purpose is to connect ...
CSP is harder to lock down for sites like fe.soapbox.pub whose purpose is to connect to arbitrary domains. I can at least limit JS execution, but images cannot have limitations, so it's good the browser restricts SVG features in img tags.
I was thinking about exposing the media baseurl over the API and then having the ServiceWorker intercept fetch requests to that host, and drop any harmful content-types. Which is insane, but would offer an extra layer.
Published at 2023-09-07 18:40:21
Event JSON
{
  "id": "f928d743ad22f9117cd2083117a338637df6cc32880bc557f6a9a2dd45e752e5",
  "pubkey": "79c2cae114ea28a981e7559b4fe7854a473521a8d22a66bbab9fa248eb820ff6",
  "created_at": 1694112021,
  "kind": 1,
  "tags": [
    [
      "p",
      "dde9dd6efbaf3c747c06bfd60f732666acd686e4c2eff471937f0c7c5fca5e0e",
      "wss://relay.mostr.pub"
    ],
    [
      "e",
      "17bfe07ae1e1d74564ca4d5d68312af1f31b9fe4fb17971e8a8f86e66e4ba2e3",
      "wss://relay.mostr.pub",
      "reply"
    ],
    [
      "proxy",
      "https://gleasonator.com/objects/21b90ff8-0d35-418f-836d-a741157c4f1a",
      "activitypub"
    ]
  ],
  "content": "CSP is harder to lock down for sites like fe.soapbox.pub whose purpose is to connect to arbitrary domains. I can at least limit js execution, but images cannot have limitations so it's good the browser restricts svg features in img tags.\n\nI was thinking about exposing the media baseurl over the API and then having the ServiceWorker intercept fetch requests to that host, and drop any harmful content-types. Which is insane, but would offer an extra layer.",
  "sig": "ad88695764993e87fc7238e27f48184f163802feebf4782a8b74ae142bbc8e4a857c908224e5e9727f6c29a72297eb94a49126b5db8330b59f2df099f9ea2ff0"
}
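The ServiceWorker layer sketched in the post, as an added example that is not part of the original post or of the Soapbox code base. The media base URL is a placeholder standing in for the value the API would expose, and the allowlist of media types is an assumption; the one real caveat it handles is that an opaque (no-cors) response exposes no Content-Type, so the worker re-requests with CORS, which assumes the media host sends Access-Control-Allow-Origin.

```javascript
// Assumption: the API publishes this value; it is a constructed placeholder here.
const MEDIA_BASE_URL = 'https://media.example.invalid/uploads/';

// Content types a media URL may return (assumed allowlist). image/svg+xml is
// deliberately absent: loaded as a document it can run script, which is
// exactly what the browser strips when an SVG sits inside <img>.
const ALLOWED_MEDIA_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'image/avif',
  'video/mp4', 'video/webm', 'audio/mpeg', 'audio/ogg',
]);

// Does this request target the media host the API told us about?
function isMediaRequest(url) {
  return url.startsWith(MEDIA_BASE_URL);
}

// Normalise "image/png; charset=binary" to "image/png" and check the allowlist.
// A missing or malformed header is rejected, so nothing is left for sniffing.
function isAllowedContentType(headerValue) {
  if (typeof headerValue !== 'string') return false;
  const mediaType = headerValue.split(';')[0].trim().toLowerCase();
  return ALLOWED_MEDIA_TYPES.has(mediaType);
}

// Pass allowed media through with nosniff added; replace anything else
// (HTML, scripts, SVG documents, unknown types) with an empty 403.
function filterMediaResponse(response) {
  if (isAllowedContentType(response.headers.get('content-type'))) {
    const headers = new Headers(response.headers);
    headers.set('X-Content-Type-Options', 'nosniff');
    return new Response(response.body, {
      status: response.status, statusText: response.statusText, headers,
    });
  }
  return new Response(null, { status: 403, statusText: 'Blocked content-type' });
}

// Register the handler only when running inside a ServiceWorker; the
// functions above can be exercised directly elsewhere (e.g. under Node).
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    if (!isMediaRequest(event.request.url)) return;
    // <img> requests are no-cors and yield opaque responses with no readable
    // headers, so re-fetch with CORS to make the Content-Type visible.
    event.respondWith(
      fetch(event.request.url, { mode: 'cors', credentials: 'omit' })
        .then(filterMediaResponse),
    );
  });
}
```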