Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.
Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.
Oh I see. Yeah that sounds pretty hopeless. Does it use the fetching site’s domain validated TLS certificate? Is the idea to permit fetching unless the fetching domain is on a blacklist? If yes, someone didn’t have their thinking cap on. The whole concept is dumb though, there is no way to prevent posts from leaking. The saying is that once 3 people know a secret, it is no longer secret.