Are they just an issue with wefwef or trying to use an exploit

        • 𝘋𝘪𝘳𝘬 · 13 upvotes · 2 years ago

          To prevent execution of scripts not referenced with the correct nonce:

          script-src 'self' 'nonce-$RANDOM'
          

          To make it super strict, this set could be used:

          default-src 'self';
          script-src 'nonce-$RANDOM';
          object-src 'none';
          base-uri 'none';
          form-action 'none';
          frame-ancestors 'none';
          frame-src 'none';
          require-trusted-types-for 'script';


          Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to self if forms are actually used to send data to the server and not handled by JavaScript.

          The MDN has a good overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

    • Tartas1995@discuss.tchncs.de · 4 upvotes · 2 years ago

      I don’t know what Lemmy uses tbh. I don’t even know if the code would work when run. Like I don’t know e.g. if they grab the username(?) correctly. I just understand their intentions but yeah their execution might be horrible.

      • 𝙚𝙧𝙧𝙚@feddit.win · 5 upvotes, 1 downvote · 2 years ago

        I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).

        • Tartas1995@discuss.tchncs.de · 2 upvotes · 2 years ago

          Someone said they think it is to know if the user is admin. I haven’t verified it. And I tried to make clear that username was a guess.