so I've started seeing Mastodon apps fetch posts in threads from other servers directly, bypassing server blocks.

This is ... this is deeply concerning to me.

@aurynn oh? Can you point out which ones?
@doofus_canadensis I saw tooot doing it, at the very least
@aurynn I'm annoyed that the ones I'm trying out don't honour my filters.
@doofus_canadensis @aurynn people been really nagging Tusky to add some because Mastolab has it. Mastolab respects blocks somehow but it's still a shitshow
@charlag @doofus_canadensis @aurynn Frankly, the fact that apps are able to do this kind of thing at all is deeply concerning.
@XanIndigo @doofus_canadensis @aurynn I think it was actually pretending to be an AP Actor (basically like another server) so I guess it doesn't work when AUTHORIZED_FETCH is enabled (or with any GtS server). Still.
@aurynn @charlag @doofus_canadensis I’m not a software person, so I can’t form any valid opinion on the technical details. All I know is that if there’s a way to evade a block that’s so easy that these apps seemingly did it by mistake, that’s a pretty big problem.

@XanIndigo @aurynn @doofus_canadensis yeah it is and a lot of people (even Pleroma people back then) have been saying it pretty loudly and I keep saying it. Mastodon makes it worse by:
- not enabling the option I mentioned before by default (which is like a baseline to prevent this)
- using API access (another method) for unauthenticated web UI since 4.0

And there are more ways stuff gets leaked too which sucks majorly