• 2 Posts
  • 16 Comments
Joined 1 year ago
Cake day: June 27th, 2023

  • Right now, every request passes through wefwef.app and on to the Lemmy instance (it’s acting as a proxy). From my understanding this is due to a lack of CORS support but that will be fixed in a future Lemmy update.

    There is also the privacy/security issue, since your session token and what you are browsing on Lemmy pass through this same proxy. This will also be fixed with CORS support.

    If you set up your own self-hosted instance you don’t need to worry about these issues.




  • Does this mean that theoretically you could capture a user’s session token or credentials, since they are passing through your proxy server instead of going directly to a Lemmy instance for auth?

    Edit: By the way, love the app. It is by far the best for browsing Lemmy. I love the Apollo feel to it.

    Edit 2: I saw your comment on GitHub and I think the answer to my question is “yes, it is theoretically possible to steal the user’s session token.” I would also assume this security/privacy risk would exist for ALL Lemmy apps where you log in.

  • To be clear, I am building a web client for Lemmy called wefwef. https://github.com/aeharding/wefwef/ Currently, I have to proxy all requests to an intermediary server I control. This is not just extra work, but has security and privacy ramifications. So please, check out how Mastodon does it (you can inspect requests with Elk) and check out how it can directly connect to any Mastodon server, since they all allow CORS *. TL;DR I think it’s actually more secure to have CORS * for all Lemmy instances, because it allows third-party web clients to directly connect to a Lemmy instance.
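The setup the comment above argues for, as an added example that is not from this thread or the wefwef or Lemmy projects: an nginx location block in front of a self-hosted Lemmy instance that answers CORS preflights itself and sends `Access-Control-Allow-Origin: *` on API responses, so a browser client can talk to the instance directly instead of through a third party's proxy. The backend address `127.0.0.1:8536` and the `/api/` path prefix are assumptions about the deployment.

```nginx
# Added example (not Lemmy's or wefwef's own config). Assumes the Lemmy
# backend listens on 127.0.0.1:8536 and serves its API under /api/.
location /api/ {
    # Preflight: a browser sends OPTIONS before any cross-origin request
    # that carries an Authorization header or a JSON body. Answer it here
    # so the app server never sees it; Max-Age lets the browser cache the
    # answer for a day instead of preflighting every call.
    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Origin  "*";
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
        add_header Access-Control-Allow-Headers "Authorization, Content-Type";
        add_header Access-Control-Max-Age       86400;
        return 204;
    }

    # Real API responses. "always" keeps the header on 4xx/5xx too, so a
    # web client can read Lemmy's error body rather than a blank CORS error.
    add_header Access-Control-Allow-Origin "*" always;

    # "*" is acceptable here only because the client attaches its own bearer
    # token to each request; browsers refuse to send cookies or other
    # ambient credentials (fetch credentials: "include") to a wildcard
    # origin. Do not add Access-Control-Allow-Credentials alongside "*".

    proxy_pass http://127.0.0.1:8536;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

With this in place the session token travels only between the user's browser and the instance they logged in to; the client author's server is no longer in the path at all.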