@julian eh? I mean, sure, or just detect whether the request is a GET / HEAD / OPTIONS request, and then don't send the content-type header? (since those methods don't support request bodies iirc)

RE: Pleroma Webfinger compatibility
@julian which actually makes sense, because with a GET request, you're not sending any request content, and Content-Type applies to the request body, not to the content type you want back.
-
RE: Pleroma Webfinger compatibility
@julian oh! it's because you're sending the Content-Type header, send Accept instead.
-
RE: Pleroma Webfinger compatibility
@julian try sending `Accept: application/jrd+json`
Since that's the content-type for webfinger, not application/json. In fedify, the fetch call is also made with `redirect: 'manual'`, such that max redirection logic and SSRF checks can be done.
-
RE: Pleroma Webfinger compatibility
@julian fedify manages it, so maybe take a look at their webfinger implementation?
-
RE: @julian in your webfinger controller for nodebb, you could support discovery of the instance actor via url:
@puppygirlhornypost2 @trwnh @julian context for where this came from: trying to figure out if a given nodebb server is currently federating (i.e., has AP enabled)
-
RE: @julian in your webfinger controller for nodebb, you could support discovery of the instance actor via url:
@julian I was going to contribute it, but uhhh, no can do: https://github.com/NodeBB/NodeBB/issues/13391
I don't see a clearly documented path for development, so whilst I could probably make the required code change, I can't verify it would work
-
@julian in your webfinger controller for nodebb, you could support discovery of the instance actor via url:
https://community.nodebb.org/.well-known/webfinger?resource=https://community.nodebb.org/
Where the resource is exactly `base_url` from nconf
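A lookup along the lines of the two threads above (Accept rather than Content-Type on the GET, manual redirects with a hop cap, an SSRF check on every target, and a bare base_url accepted as the resource for instance-actor discovery). This is an added example in JavaScript, not fedify's or NodeBB's code; the deny-list, `MAX_REDIRECTS`, and the injectable `fetchImpl` parameter are my assumptions.

```javascript
// Added example, not fedify's or NodeBB's code: a server-side WebFinger lookup
// that sends Accept (not Content-Type) on the GET, handles redirects manually
// with a hop cap, and refuses targets that are not public https hosts.
const MAX_REDIRECTS = 3; // assumed cap; `fetchImpl` is injectable for offline use
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
// Constructed deny-list: loopback, RFC 1918, link-local and .local names.
// A production guard would also resolve DNS and check the resolved addresses.
function isForbiddenHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.local')) return true;
  if (h.startsWith('[')) return true; // IPv6 literal: refuse in this example
  const m = h.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
function assertSafeUrl(url) {
  if (url.protocol !== 'https:') throw new Error(`refusing non-https URL ${url}`);
  if (isForbiddenHost(url.hostname)) throw new Error(`refusing internal host ${url.hostname}`);
}
// Resource is either "acct:user@host" or a bare URL such as an instance's
// base_url, which is how the instance actor is discovered.
function webfingerUrl(resource) {
  const host = resource.startsWith('acct:')
    ? resource.slice(5).split('@').pop() : new URL(resource).host;
  const u = new URL(`https://${host}/.well-known/webfinger`);
  u.searchParams.set('resource', resource);
  return u;
}
async function lookupWebfinger(resource, fetchImpl = fetch) {
  let url = webfingerUrl(resource);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    assertSafeUrl(url); // checked on the first hop and on every redirect target
    const res = await fetchImpl(url.href, {
      method: 'GET', // no body, so no Content-Type; Accept says what we want back
      headers: { Accept: 'application/jrd+json, application/json' },
      redirect: 'manual',
    });
    if (!REDIRECT_STATUSES.has(res.status)) {
      if (!res.ok) throw new Error(`webfinger lookup failed: HTTP ${res.status}`);
      return res.json();
    }
    const loc = res.headers.get('location');
    if (!loc) throw new Error('redirect without Location header');
    url = new URL(loc, url); // relative Location resolved against current URL
  }
  throw new Error(`gave up after ${MAX_REDIRECTS} redirects`);
}
```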
-
RE: As someone who has developed several #ActivityPub software implementations ([Fedify], [Hollo], [BotKit], and [Hackers' Pub]), I believe one of the most frustrating features to implement in the #fediverse is #custom_emoji.
@hongminhee I know there's a FEP for emoji reactions, but I don't think there's ever been one for custom emojis? https://codeberg.org/fediverse/fep/src/branch/main/fep/c0e0/fep-c0e0.md
-
RE: As someone who has developed several #ActivityPub software implementations ([Fedify], [Hollo], [BotKit], and [Hackers' Pub]), I believe one of the most frustrating features to implement in the #fediverse is #custom_emoji.
@hongminhee sounds like there needs to be a better FEP written, one which encourages alt text for custom emojis?
-
RE: This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
@julian you're still receiving the vulnerability reports directly with the Fediverse Security Fund; we pay *after* you've confirmed & patched.
I wasn't aware of your bug bounty program, but could list that alongside your project.
-
RE: This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
@quillmatiq @nivenly it's something I'm really proud of, and hopefully it can help do some good.
-
RE: This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
aaand aaah, TechCrunch have covered the announcement! Thanks @Sarahp!
A new security fund opens up to help protect the fediverse | TechCrunch
A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.
TechCrunch (techcrunch.com)
-
RE: This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
@Sbectol oh, good catch! My brain's off in the clouds today, I swear
-
RE: This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
We also know that GitHub Sponsors isn't super ideal for payments, but it's a way for us to test the program and ensure compliance with KYC/AML and various other legal requirements.
Hopefully in the future we'll be able to offer more ways to pay the bounties out, if the program continues.
-
RE: This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
One of the interesting clauses on the program is that we expect researchers and contributors to follow the Nivenly Covenant when reporting security vulnerabilities to be eligible for the program.
We want to encourage positive contributions, after we've seen several announcements of security vulnerabilities where the reporter treated the project with disregard or insulted the team behind it. That isn't cool.
Together we can all make a safer fediverse.
-
RE: This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
@janl told y'all I was announcing something this week that I'm incredibly proud of!
-
This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.
You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked, allowing for privilege escalation via the API (CVE-2024-25108). That was our very first test case of this program.
I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)
-
RE: TIL: @nodebb uses its own implementation of the HTTP Message Signatures algorithm, and it's not particularly long.
@julian@fietkau.social @nodebb @julian@community.nodebb.org I'm still thinking we really only need one implementation of HTTP Message Signatures in each language though, tbh.
We currently have like three or four in javascript? (fedify, nodebb, misskey, peertube)