this post was submitted on 16 Jun 2023
12 points (100.0% liked)
Lemmy.World Announcements
29064 readers
3 users here now
This Community is intended for posts about the Lemmy.world server by the admins.
Follow us for server news ๐
Outages ๐ฅ
https://status.lemmy.world
For support with issues at Lemmy.world, go to the Lemmy.world Support community.
Support e-mail
Any support requests are best sent to [email protected] e-mail.
Report contact
- DM https://lemmy.world/u/lwreport
- Email [email protected] (PGP Supported)
Donations ๐
If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.
If you can, please use / switch to Ko-Fi, it has the lowest fees for us
Join the team
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The headers are set inside the Lemmy binary/docker image. So unless lemmy.world would use its own build, this has to be fixed inside the LemmyNet source code. This would probably make Lemmy vulnerable to cross-site scripting, so the security aspects should probably be discussed in on the Github project.
I just did some more research into this:
When a client tries to log in, the server sends a response back with a JWT token inside the body. The client then stores this token inside an isomorphic cookie. This cookie is then used to identify the user by adding it to all requests after that.
I haven't really checked post requests, but if it is the same So let's say you visit website X, that has nothing to do with Lemmy, they could do a Fetch request in the background to lemmy.world to post spam on your behalf. Even a CSRF token could no longer protect you, as the website could just do a fetch request first to get a CSRF token.
I hope I'm wrong in some way, but to me this feels like a huge security risk.