Kagami is they/them 🏳️‍⚧️

Looking at . It uses a URL as the client identifier, but what if a fake native app steals the URL of another app? How can the user know whether the URL is genuinely linked to the app in their hand? Does someone have an answer? github.com/indieweb/indieauth/

GitHub: How can IndieAuth protect users against fake clients with webviews? · Issue #121 · indieweb/indieauth · By saschanaz

(And what if one forces the webview to use the system browser-ish user agent string?)

@krosylight Aaaaaah, I don't like this. This concerns portier.io as well. Why is it even possible to hijack a domain like that? I thought iOS did an HTTP probe and required a specific response? But no idea about other platforms.

@kosinus Yeah, this Windows API is suspicious, but I guess any random webview can implement a similar procedure, as platforms support doing random things with webviews. And I don't think there's an easy way to block webviews from the auth flow...