Forest @forestjohnson@pixie.town
- member of
- https://cyberia.club
- webmaster @
- https://capsul.org
I am a web technologist who is interested in supporting and building enjoyable ways for individuals, organizations, and communities to set up and maintain their own server infrastructure, including the hardware part.
I am currently working full time as an SRE 😫, but I am also heavily involved with Cyberia Computer Club and Layer Zero
Joined Feb 2021
Yeah I'm convinced backup is a huge difference maker.
Also probably something like coop cloud which gives an "app store" for community contributed server apps
@decentral1se @coopcloud yeah I can do 19utc
@coopcloud this is 6 am for me 😥
@reese I didn't get up till 1:30PM 😇
> kind of crazy to go online and collaboratively solve a puzzle like this
IDK I don't think its weird at all. AFAIK this has been the norm since the beginning of the internet , web2.0 and platforms just kind of pushed it into the margins. But I'm 33 and I've been part of this kind of internet Puzzle-solving for 20 years now. So to me it's not weird at all.
I'll go and edit that GitHub issue maybe close it later.
And issue on yunohost repo as well
And idk how much a sandbox like this really buys you in a web browser... I guess maybe they can stop it from phoning home by using a CSP? But it can still use things like webrtc based on what I'm reading.... So really this isn't a "seal", its just a relatively low fence. Is it worth it? Idk... I guess if you want onlyoffice, there's no substitute..
But I'd also argue that if you want security, there is no substitute for simplicity and usability, especially for the server admin. I focused on simplicity for my e2ee web app: https://git.sequentialread.com/forest/sequentialread-password-manager
@alive @notplants @j12i right, that's kinda what I meant by "cryptpad has to use the iframe to integrate with onlyoffice",
Its cuz they don't trust onlyoffice, lol. They want to sandbox it, hence the sandbox domain name. Smart to do such a thing I guess, but as we can see, it significantly increased the complexity of the app and caused issues at the level of the http infrastructure, aka, page won't load, displays network error in browser.
So I'd say this should be a cryptpad feature request, to validate that x-frame-options is absent or set correctly before trying to load the iframe. If cryptpad wants to do weird indulgent things with http its their responsibility to handle errors with that as well...
@notplants btw for context, im just guessing again here, but i know that `X-Frame-Options: SAMEORIGIN` is a common "security hardening" header that a lot of things will just blanket apply to everything. It just happens to break cryptpad. IDK why the hell cryptpad uses an iframe tho. IMO thats probably a bad idea, it makes the software more complex. I guess maybe they have to in order to easily integrate onlyoffice or whatever it is ?
@notplants another option would be to record a `pcap` file using `tcpdump` and then open it in WireShark. But WireShark is way overkill for this and honestly kinda stinks for looking at HTTP traffic.
This probably wont happen on your server but just a fair warning that httpflows live output wont work if the server is overloaded (cpu starved, etc, or if there is a lot of traffic). In that case you capture a pcap and then convert it to text files using httpflow later. https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html
@notplants i think this header is the problem. maybe the tunnel is adding that ?
You can check by viewing the HTTP traffic at various different points. Its easy to do if its plain http with no tls. my favorite tool to do it: https://git.sequentialread.com/forest/httpflow
watch the response headers coming out of the http server and also watch the response headers on the VPS server.
httpflow should work on the app server.
If the tunnel connects to the app server via HTTPS, you might not be able to use httpflow there.
then in the browser you just use the network tab instead of httpflow.
@notplants ugh wtf is this software doing. U really nerd sniped me here, I thought it would be simple but obviously its not
@notplants oh wtf. Interesting. Sorry, can't check out the sites rn, I'll take look later. Maybe browser origin issues then? Are they on different domains inside vs outside the tunnel ?
@notplants why is there an iframe? Where is it defined
I think the problem is caused by the iframe, not the tunnel or the TLS.
These apps are just configured to refuse to run inside iframes, it looks like. So getting rid of the iframe should fix it
@technomancy I just put
```
{
"comment1": "this is not actually the event id, its the corpotron9000 upload id",
"eventId": 752572129,
...
}
```
Usually works fine. Would be nice if comments support was more widespread I guess
https://github.com/microsoft/vscode-jupyter/discussions/16164
omg, it is possible to disable the stupid "DO YOU WANT TO CREATE A JUPYTR NOTEBOOK??? DO YOU???" menu in vscode
They hid it quite well
@vkc woot! We do this too with cyberia matrix. It required maintenance from time to time, but not too bad!! Helps folks get thier foot in the door w/ matrix community, lower friction than creating a matrix account
- member of
- https://cyberia.club
- webmaster @
- https://capsul.org
I am a web technologist who is interested in supporting and building enjoyable ways for individuals, organizations, and communities to set up and maintain their own server infrastructure, including the hardware part.
I am currently working full time as an SRE 😫, but I am also heavily involved with Cyberia Computer Club and Layer Zero
Joined Feb 2021
