Aurynn ShawJan 29, 2023

so I've started seeing Mastodon apps fetch posts in threads from other servers directly, bypassing server blocks.

This is ... this is deeply concerning to me.

Show threadSimon ZerafaJan 29, 2023

@aurynn

@jerry Would there be a way to block this or would that just end up in an arms race? πŸ«€πŸ€·β€β™‚οΈ

Show threadAurynn ShawJan 29, 2023
@simonzerafa @jerry Server admins could block apps that do this in their webserver, by checking for the useragent? beyond that, telling app devs to not do this
Show threadSimon ZerafaJan 29, 2023

@aurynn @jerry

Blocking based on User Agent isn't likely to end well? πŸ€”πŸ€·β€β™‚οΈ

Show threadAurynn ShawJan 29, 2023
@simonzerafa @jerry I didn't say it's a good idea, it's just the only one I can think of
Show threadSimon ZerafaJan 29, 2023

@aurynn @jerry

It was might first thought also and would be shot down if an app or client pretended to be Google Chrome.

Really unpleasant behaviour if clients are doing this type of bypassing though.

Show threadJerry πŸ¦™πŸ’πŸ¦™Jan 29, 2023
@simonzerafa @aurynn I believe this is symptomatic of the big misunderstanding of blocks and defederation.
Show threadSimon Zerafa

@jerry @aurynn

Very likely a deliberate strategy to bypass blocks and de-federation.

Jan 29, 2023 at 7:38pmWeb
Show threadJerry πŸ¦™πŸ’πŸ¦™Jan 29, 2023
@simonzerafa @aurynn I’m less convinced this is the result of an attempt to circumvent blocks and more of a side effect of how the apps are collecting posts, combined with the reality that blocking an instance doesn’t actually block the instance (by default, at least)
Show threadAurynn ShawJan 29, 2023

@jerry @simonzerafa I agree that it's not meant for block circumvention, it just has that effect and will expose users to hate speech and other garbage and I won't have the ability to suppress that for my users.

Which is *bad*.

Show threadAlexander BochmannJan 29, 2023

@aurynn @jerry @simonzerafa Unauthenticated apps can only fetch the same posts that are visible on the public web interface via the API. Doing that removes some work for the app user (opening a post in a browser to see the thread).

If the home instance of the user is blocked, they shouldn't be able to make their instance pull the post in order to interact with it, but as others have said, blocks are leaky, and while secure mode / AUTHORIZED_FETCH should make it better, that has some additional drawbacks...

I'm not saying this is good, or the way it should be. But the public API functionality has been there all the time, just with very few apps actually using it. Mastodon itself doing such a bad job at completing threads drives development of alternative solutions.

Show threadAurynn ShawJan 29, 2023

@galaxis @jerry @simonzerafa I had to go and disable authorized_fetch since it was breaking bird.makeup, which is where the civil defence are mirrored, for the current state of emergency in Auckland.

I agree, this is a place where Mastodon core should have a gossip protocol feature, and communicate more of this stuff.

Show threadJerry πŸ¦™πŸ’πŸ¦™Jan 29, 2023
@aurynn @galaxis @simonzerafa I expect it’s a bit of a support nightmare even in times of calm.
Show threadAurynn ShawJan 29, 2023
@jerry @galaxis @simonzerafa No one said running an instance would be easy or fun πŸ˜‰