this post was submitted on 10 Jul 2023
771 points (98.9% liked)

Lemmy.World Announcements

28381 readers
2 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news 🐘

Outages πŸ”₯

https://status.lemmy.world

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to [email protected] e-mail.

Report contact

Donations πŸ’—

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Ko-Fi (Donate)

Bunq (Donate)

Open Collective backers and sponsors

Patreon

Join the team

founded 1 year ago
MODERATORS
 

We've installed Voyager and it's reachable at https://m.lemmy.world, you can browse Lemmy, and login there (also if your account isn't on lemmy.world)

PS Thanks go out to @stux@[email protected] , he came up with the idea (see https://m.geddit.social).

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

wefwef is an app, a webapp. Usually reachable under wefwef.app
You can install it as a progressive webapp through your browser.
This now is rehosting the files of wefwef on the m.lemmy.world domain, basically a fork that promises to keep in sync with the official codebase and the official domain. ~~The m.lemmy.world domain shouldn't need any connection to lemmy.world, it is basically not much different to a filehoster that hosts an apps apk~~. That is why I don't think m.lemmy.world even sees your credentials if you log in anywhere.

As to why, I'm not sure what the use of this is. Maybe in case the official domain goes offline?

[–] [email protected] 17 points 1 year ago (3 children)

That's because when you use wefwef through wefwef.app, your data goes through wefwef.app before going to the instance, the app AFAIK does not communicate directly with the instances yet. You basically have to decide whether you trust wefwef.app enough to proxy your data through them.

Using m.lemmy.world would mean your data goes through lemmy.world directly, which you already chose to trust.

[–] [email protected] 5 points 1 year ago (1 children)

Oh, you are almost right, I was wrong. Checking the network traffic it seems images (and some parts of posts?) are fetched directly, but other elements are fetched through wefwef.app, namely everything that needs the users session. maybe this is done to process some lemmy outputs serverside into for example the notification icon? This surprised me, I was confident the only requests to wefwef.app would be static elements and the code itself.

[–] [email protected] 19 points 1 year ago* (last edited 1 year ago) (2 children)

This is to get around CORS. @[email protected] just fixed CORS on lemmy.world 15 minutes ago (things move fast on Lemmy, lol) so I'll push an update to direct connect for lemmy.world tonight!

Edit: done βœ…

[–] [email protected] 1 points 1 year ago (1 children)

This is about cors headers on the api calls? That only don't affect other apps because they are offline and ignore cors?

[–] [email protected] 5 points 1 year ago (1 children)

Native apps don’t have CORS restrictions. They can make http requests anywhere.

Only web apps in a browser have this limitation.

[–] [email protected] 1 points 1 year ago (2 children)

Makes sense, never thought about that. An annoying situation, I wonder how many security issues would crop up if browsers allowed ignoring cors for pwas...

Currently apicalls are proxied through the server but end up with the lient all the same, with the session being stored in local storage "credentials"?
Will you currate a manual whitelist for direct calls or have the app test if direct fails and fall back to proxied?

[–] [email protected] 3 points 1 year ago

At this point it's manual. We could do some intelligent detection, but at the pace Lemmy dev is moving, I don't think it's worth it. The goal is to rip out the proxy completely once there's a bit more time for most servers to upgrade, and also https://github.com/LemmyNet/lemmy/issues/3567 is resolved.

[–] [email protected] 1 points 1 year ago

Why not add a new tier to pwas. You need to only use cookies scoped to your own domain, you get a new container without any existing session cookies etc. for other websites, but cors is dropped.
That should prevent carelessly putting auth tokens into cookies and should replace cors in that sensitive sessions are containered away and all existing data for other websites that where slopily created somehow are isolated.

After all for the way wefwef works for example I see no benefit to cors

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago)

Hey is it dynamic or you have to add a list of instances to direct connect?

Update: sorry, just saw your answer below πŸ€·β€β™‚οΈ

[–] [email protected] 5 points 1 year ago (3 children)

Okay what If I am already using wefwef than my data is already passed through wefwef, so there is no benefit now? or still I should logout with wef wef and use m.lemmy.world?

[–] [email protected] 4 points 1 year ago

Most things passing through are public anyway, as lemmy is allmost entirely public. The only privat info is your password and wefwefs session. Those are visible in clear to the server, so could in theory be logged. If you change your password (and invalidate your sessions) after wefwef switches to direct you should be good.

[–] [email protected] 3 points 1 year ago

This.

I can understand why people say all of this is bemusing and discombobulated, haha.

[–] [email protected] 1 points 1 year ago

Stopping the stream of data is always possible. You can use google daily until you suddenly don't, the steam of data is (or probably just the proccessing of your queries in this case) stops.

[–] [email protected] 3 points 1 year ago (1 children)

It would surprise me if that was the explanation since this can be easily fixed by Lemmy.world itself by not sending two Accept-Control-Allow-Origin headers, thus breaking web clients.

Right now, I'm forced to route my own calls to my server on the app I'm making because Lemmy.world is misconfigured.

I guess that for instance below 0.18.1, it makes sense, since Lemmy had a bug at that point that didn't allow web clients to connect.

[–] [email protected] 8 points 1 year ago (1 children)

Oh I thought I had fixed this. Can you re-check and DM me if it's still not right?

[–] [email protected] 3 points 1 year ago

It works, thanks!