So it turns out the geniuses over at Bluesky trust the client app to fetch, and honestly report, webpage metadata for preview cards, so with a little tinkering in the debug tools you can post whatever news stories you like and they look exactly the same as real ones.

https://bsky.app/profile/andrewt.net/post/3ljo2dja62224

Andrew (@andrewt.net)

Let's see what happens if I spoof the article metadata from the backend... https://www.bbc.co.uk/news/articles/69420

Bluesky Social
@andrewt I see what you’re saying, but couldn’t you do the same thing with an image editor or the web inspector?
@johnaldis Sure, but only I would see that. This is what *everyone* sees.
@andrewt Oh, the *posting* client? Now I actually see what you mean—that does sound a bit more “genius”.
@johnaldis Yeah. When you paste a URL into the web UI, it asks the Bluesky API for the title, description and thumbnail image URL, then sends that same data (hopefully) back to the server when you hit "post" for use in the preview card.
@andrewt Oh, worse again! It’s actually asking their *own* API for it and round-tripping? I had assumed this was because they didn’t want to fetch the page and do the work to summarise on their server, but they’re doing all that anyway? 🤦
@johnaldis I guess it's set up this way so that (a) the card appears as a preview while you're writing, and (b) it works even when the target page has CORS protection headers set up. I see how they'd arrive at this design, but it's not good.
@andrewt I see how you might end up here by mistake. OTOH I don’t understand the CORS point. If the Bluesky server can fetch the page to generate a preview to send to the composing client, surely the same mechanism can generate a preview to save into the completed message?

@johnaldis Oh, I just mean they couldn't fetch the data from the posting client, so even if "they didn’t want to fetch the page and do the work to summarise on their server", they'd have to anyway.

It's all a bit moot though because they just shouldn't be doing any of this

@andrewt @johnaldis I guess it's not a big deal to fetch something in the backend. But if you trust some information you have sent to the frontend, you'd better sign it and check the signature afterwards. This way the content cannot be altered.
@andrewt @johnaldis How much harder would it be for them to just...validate the metadata on their server software?

@andrewt @johnaldis

They could just add a MAC to this preview data so if the client changes it the server would reject the upload.
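One way to implement the sign-and-verify check proposed in the two comments above, written as an added example for this page; it is not code from Bluesky or from anyone in the thread. It assumes the server already fetches the page metadata itself (as described earlier in the thread) and only needs to stop the posting client from editing what comes back. The names (`PreviewCard`, `issue_preview`, `accept_post`), the random per-process key and the sample metadata are all made up for the illustration.

```python
import hmac
import hashlib
import json
import secrets
from dataclasses import dataclass, asdict

# Server-side secret. A real service would load this from a secret store and
# rotate it; a fresh random key is generated here only so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class PreviewCard:
    """The fields the composing client receives and later echoes back on post."""
    uri: str
    title: str
    description: str
    thumb: str


def canonical(card: PreviewCard) -> bytes:
    # Deterministic serialisation (sorted keys, fixed separators, ASCII-escaped)
    # so the tag is computed over exactly the bytes verified later.
    return json.dumps(asdict(card), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def issue_preview(uri: str, fetched: dict, key: bytes = SERVER_KEY) -> dict:
    """Server side, preview step: build the card from what the server fetched
    and attach an HMAC-SHA256 tag over the canonical card bytes.
    `fetched` stands in for the server's own HTTP fetch result (constructed input)."""
    card = PreviewCard(uri=uri, title=fetched["title"],
                       description=fetched["description"], thumb=fetched["thumb"])
    tag = hmac.new(key, canonical(card), hashlib.sha256).hexdigest()
    return {"card": asdict(card), "tag": tag}


def accept_post(submission: dict, key: bytes = SERVER_KEY) -> bool:
    """Server side, post step: recompute the tag over the card the client sent
    and compare in constant time. Any edited field changes the canonical bytes,
    so the tag no longer matches and the post is rejected."""
    try:
        card = PreviewCard(**submission["card"])
        tag = submission["tag"]
    except (KeyError, TypeError):
        return False
    expected = hmac.new(key, canonical(card), hashlib.sha256).hexdigest()
    return isinstance(tag, str) and hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Walk through an honest post, a tampered card, and a tag transplanted
    from another legitimate card. Returns (honest_ok, spoof_rejected, mixed_rejected)."""
    # Constructed stand-in for metadata the server fetched from the target URL.
    fetched = {"title": "Example headline", "description": "Summary text",
               "thumb": "https://example.com/thumb.jpg"}
    preview = issue_preview("https://example.com/article", fetched)
    honest_ok = accept_post(preview)

    # A client edits the title in the browser's debug tools before hitting "post".
    tampered = {"card": dict(preview["card"], title="Spoofed headline"),
                "tag": preview["tag"]}
    spoof_rejected = not accept_post(tampered)

    # Reusing a tag issued for a different, genuine card also fails, because
    # every card field (including the URI) is bound into the MAC.
    other = issue_preview("https://example.com/other",
                          {"title": "Other headline", "description": "Other summary",
                           "thumb": "https://example.com/other.jpg"})
    mixed = {"card": preview["card"], "tag": other["tag"]}
    mixed_rejected = not accept_post(mixed)
    return honest_ok, spoof_rejected, mixed_rejected


if __name__ == "__main__":
    print(demo())
```

The tag only proves that the card came from this server's own fetch and was not modified on the way back; it does not require the server to trust the client at all, which is the point of the check. It binds nothing about who is posting or when, so if that matters the issuer would add a post-author or expiry field to the card before tagging. As a later reply in the thread notes, a user running their own PDS bypasses this server entirely, which this check cannot address.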

@project1enigma @johnaldis Apparently they don't want to. The theory goes that the PDS is meant to be "yours", like you could skip Bluesky's server and run your own and upload anything you want to that, so there's no point in *their* server policing anything at all, since you could just work around it if you really wanted. This seems obviously silly to me, but what do I know, I'm a tech guy, not a whatever the fuck Bluesky is guy.

@johnaldis @andrewt

Doing it in the viewing client is also bad, because then this would be a "read receipts" feature. This is why good email clients stopped rendering remote images in HTML emails.