jeremycherfas, [Murray], [Ana_Rodrigues], [jgmac1106], hirusi, geoffo, schmudde, jolvera, [chrisaldrich], [tw2113_Slack_], [snarfed], sp1ff, gxt, swentel, KartikPrabhu, nickodd, [pfefferle], shoesNsocks, shoesNsocks1 and [chrisaldrich]1 joined the channel; nickodd left the channel
#[snarfed]hey aaronpk did you think much about how to secure your OYG browser extension? i’m struggling with that for bridgy’s
#[snarfed]maybe doesn’t matter for you if yous is self-contained. bridgy’s won’t be, though, and i haven’t yet figured out how to prevent people from going under the covers and fabricating arbitrary responses
#[snarfed]wondering if i can reuse ideas from PKCE, but not sure how yet
[schmarty] joined the channel
#[snarfed]specifically, if the browser extension just fetches from IG and passes the fetched HTML/JSON on to Bridgy, the attack is to forge that IG HTML/JSON and send it directly to Bridgy
#[snarfed]i thought about trust on first use, ie give the client a token when they first send an IG profile to create a Bridgy account, but that’s just as easily forged
#[snarfed]the only reasonable defense i’ve come up with is to IndieAuth the user, check for bidirectional rel-me on IG, and then include the IndieAuth token in every request. ugh
#aaronpkoh huh, yeah i don't have that problem on mine because the user has to indieauth first anyway in order for the extension to be able to send the micropub request
#[snarfed]ok, so you don’t really care about validating the contents since they can only post to their own site
#aaronpkyeah the worst someone can do is make the extension send stuff to their own website in my case
#aaronpkin your case I'd expect something similar, where the worst they could do is make bridgy send a webmention to their own site, but not to other sites
#aaronpkdo you make them sign in with anything on bridgy to set it up?
#[snarfed]technically bridgy already has a u-url that’s off domain, so the spoofing threat is no greater than spoofing directly on their own server, but in practice i think a bunch of people semi special case bridgy
#[snarfed]not yet, still deep in development. was hoping to avoid it, but based on this, i’ll probably have to
#aaronpki guess even aside from the extension details, you'd probably want to avoid someone being able to set up webmentions for someone else's instagram account to arbitrary websites
#[snarfed]maybe. all of this “spoofing” via u-url is doable now independent of bridgy, but bridgy should hold higher standard due to its reputation
#aaronpksorta, i think it's more about making sure bridgy can't be used to attack arbitrary websites
[tantek] joined the channel
#[snarfed]right, due to its current level of trust. since if the “attack” is just fabricating arbitrary responses with external u-urls on instagram.com, anyone can do that directly, without bridgy
[Rose], [KevinMarks], shoesNsocks, schmudde, [tw2113_Slack_] and [Raphael_Luckom] joined the channel