Security of TikTok embeds

magic9mushroom · Sep 4, 2024

It appears that QQ now supports TikTok embeds.

Vanbers said:
Behold, the bane of SB Moderators:

View: https://www.tiktok.com/@potatoblast/video/7343899144932560161

Link

TikTok is known Chinese spyware and possibly a Great Cannon of China vector. I am greatly concerned that QQ is embedding active TikTok code on the site. I don't want to have to shut down JavaScript on QQ just to ensure I have zero contact with TikTok's systems (the video autoplayed when I opened the spoiler; I was expecting screenshots or a link).

Discuss/assuage/act/etc.

riotous living · Sep 4, 2024

magic9mushroom said:
TikTok is known Chinese spyware and possibly a Great Cannon of China vector. I am greatly concerned that QQ is embedding active TikTok code on the site. I don't want to have to shut down JavaScript on QQ just to ensure I have zero contact with TikTok's systems (the video autoplayed when I opened the spoiler; I was expecting screenshots or a link).

Discuss/assuage/act/etc.

No idea about the spyware part, but if you use security extensions like Privacy Badger it auto-blocks the popup on firefox and chrome.

Even if I click allow once FireFox/other extensions block it from loading

TMTMTM · Sep 4, 2024

magic9mushroom said:
It appears that QQ now supports TikTok embeds.

TikTok is known Chinese spyware and possibly a Great Cannon of China vector. I am greatly concerned that QQ is embedding active TikTok code on the site. I don't want to have to shut down JavaScript on QQ just to ensure I have zero contact with TikTok's systems (the video autoplayed when I opened the spoiler; I was expecting screenshots or a link).

Discuss/assuage/act/etc.

To be frank, TikTok isn't any more spyware than YouTube or any other average big tech website. Your data is and has been open for purchase long before TikTok and TikTok probably won't change that. The main reason TikTok has a reputation for spyware is because it's a Chinese company and anti Chinese sentiment is a very popular political tool regardless of circumstance.

As for the cannon DDoS thing, china doesn't need a vector for that. They just do it. Having a website is a Vector for DDoS attacks, because to have a website you have an address which can receive traffic.

magic9mushroom · Sep 4, 2024

TMTMTM said:
As for the cannon DDoS thing, china doesn't need a vector for that. They just do it. Having a website is a Vector for DDoS attacks, because to have a website you have an address which can receive traffic.

I think you may be misinterpreting what I mean by "vector for the Great Cannon", and ignorant of the full extent of the Great Cannon.

The Great Cannon is the weaponisation of the Chinese internet backbone; certain key nodes are compromised, and will stochastically inject hostile data. This may be a redirect to perform DDoS, but it may also be malware. I am referring to the compromised nodes that inject data as "vectors" for the Great Cannon. I legitimately do not know if TikTok's servers are behaving as such a vector; ByteDance is in deep enough with the CPC (the reason they haven't sold TikTok is because the CPC ordered them not to) that it's plausible, but the Great Cannon vectors I know about are men-in-the-middle (typically Chinese ISPs and such) rather than endpoints.

Due to the Great Cannon, I do not want to touch any website whose servers are physically in Mainland China (due to the Great Cannon vectors in-between me and them), and I do not want to touch any server run by somebody that is known-loyal to the CPC. Any such contact is "run a full virus scan and pray" land for me, and when dealing with nation-state actors one has to pray pretty hard that the virus scan would actually catch it.

And yes, the Five Eyes also do this to some extent, but that's totally unavoidable for someone physically in the Anglosphere (as I am) or accessing a site physically in the Anglosphere (as QQ is), and also is significantly less of a problem since the Equation Group is well-known for avoiding collateral damage if at all possible.

TMTMTM · Sep 4, 2024

magic9mushroom said:
Due to the Great Cannon, I do not want to touch any website whose servers are physically in Mainland China (due to the Great Cannon vectors in-between me and them), and I do not want to touch any server run by somebody that is known-loyal to the CPC. Any such contact is "run a full virus scan and pray" land for me, and when dealing with nation-state actors one has to pray pretty hard that the virus scan would actually catch it.

As someone currently studying csec I can tell you upfront that you're being comically paranoid. It's also worth noting that china has a vested interest in not killing it's economy by burning any goodwill they have with ISPs globally. And no, visiting a site can't install malware on your PC unless you're running a unupdated copy of windows Vista or something. Just install a noscript addon on your browser if you're truly worried about it.

magic9mushroom · Sep 4, 2024

TMTMTM said:
It's also worth noting that china has a vested interest in not killing it's economy by burning any goodwill they have with ISPs globally.

Those incentives turn on their head if the jig's soon to be up anyway (which, on checking the date, isn't actually completely out of the cards right now), and in any case the PRC has a noted pattern of "ignore norms, laugh as Westerners eat their shit in order to get access to the Chinese market".

TMTMTM said:
And no, visiting a site can't install malware on your PC unless you're running a unupdated copy of windows Vista or something.

I am suspicious of this logic when state-level actors are involved. This is part of why I'm more worried about TikTok than I would be about, say, YouTube (the other part is that, well, Google doesn't have much of a motive to deploy a Great Cannon of its own).

alethiophile · Sep 5, 2024

Huh.

I had not really realized that the server now supported Tiktok embeds. Unfortunately, this functionality comes from an addon that supports a wide variety of media sites, and there isn't an easy way to select them on or off one by one.

I currently rate the probability of malicious software in the Tiktok embed as nonzero, but not high enough for ordinary users to bother with. However, for people who estimate it differently, I endorse the use of a blocker addon to turn off the embed client-side. (This is more complicated on mobile, but should still be possible with the right DNS shenanigans.)

1986ctcel · Sep 5, 2024

This thread's OP: "EVIL CHINA WILL NUKE EVERYONE'S COMPUTERS! TIK TOK IS SPYWARE/MALWARE!"

Meanwhile, Murrican corporations are actively installing spyware on peoples' smartphones so they can use the microphones to listen to your IRL conversations to harvest more data to sell to advertisers

https://futurism.com/the-byte/facebook-partner-phones-listening-microphone

In a pitch deck to prospective customers, one of Facebook's alleged marketing partners explained how it listens to users' smartphone microphones and advertises to them accordingly.

As 404 Media reports based on documents leaked to its reporters, the TV and radio news giant Cox Media Group (CMG) claims that its so-called "Active Listening" software uses artificial intelligence to "capture real-time intent data by listening to our conversations."

"Advertisers can pair this voice-data with behavioral data to target in-market consumers," the deck continues.

In the same slideshow, CMG counted Facebook, Google, and Amazon as clients, though it didn't specify whether they were involved in the "Active Listening" service. After 404 reached out to Google about its partnership, the tech giant removed the media group from the site for its "Partners Program."

Together with this latest update to the CMG saga, these stories bolster longstanding suspicions about advertisers using our phones to listen to us.

"We know what you're thinking. Is this even legal?" a since-deleted Cox blog post from November 2023 noted. "It is legal for phones and devices to listen to you. When a new app download or update prompts consumers with a multi-page term of use agreement somewhere in the fine print, Active Listening is often included."

Beyond taking a big game, CMG did not cop to how it acquires its alleged voice data, instead saying only that it can identify users who are "ready-to-buy" and create targeted ad lists based on their interests. For this service, the media group that specializes in hyperlocal news charges $100 per day to target folks in a 10-mile radius, and $200 per day to target those in a 20-mile radius.

Given that the company boasted about it on its public — and still archived — website before anyone began paying attention, however, it seems like it would be pretty hard at this juncture to deny that it was charging for its eavesdropping services.

Users with functioning brains know what the real privacy threat is that they need to worry about and it's not fantasies about China nuking the internet with a DDOS attack or installing shit on your computer through TikTok embeds.

TMTMTM · Sep 5, 2024

magic9mushroom said:
I am suspicious of this logic when state-level actors are involved. This is part of why I'm more worried about TikTok than I would be about, say, YouTube (the other part is that, well, Google doesn't have much of a motive to deploy a Great Cannon of its own).

Microsoft and Google already have literally all your possible data, including keystrokes. Are you aware of just how much telemetry data Windows ends up phoning home with? Or Google for that matter? That's how you get leaks like that recent data broker one where over a million social security numbers were leaked because the broker had the passwords in a unsecured zip file visible via page inspection.

Incompetence of companies you've never (and have, for that matter) heard of is a greater threat to your security than a Chinese Boogeyman will every be, statistically speaking.

magic9mushroom · Sep 5, 2024

TMTMTM said:
Microsoft and Google already have literally all your possible data, including keystrokes.

I don't think Google has my keystrokes except for those I've put into Google sites. I'm using Ungoogled Chromium, which has all Google's spyware removed.

Microsoft definitely does; it's not worth the changeover costs for this computer, but the next computer I have will be Linux.

TMTMTM said:
Incompetence of companies you've never (and have, for that matter) heard of is a greater threat to your security than a Chinese Boogeyman will every be, statistically speaking.

Beyond what I've already noted (i.e. it is currently September 2024), I'm not going to be drawn into a lengthy discussion of world politics on a board that bans politics. I'm hoping I wind up looking the fool, and there's a reasonable chance I do, but I'm not counting on it.

alethiophile said:
However, for people who estimate it differently, I endorse the use of a blocker addon to turn off the embed client-side.

I'm not really that up-to-speed with addons; could you (or someone else) suggest a decent one for Chrom(ium)?

1986ctcel said:
Users with functioning brains know what the real privacy threat is that they need to worry about

I will note that there can be (and is) more than one privacy threat; that there are problems with X does not mean that there are no problems with Y.

(Also, I have no smartphone and no Facebook.

)

raiz delasol · Sep 5, 2024

What adblocker should i download or what do you recommend for mobile. It been heating my phone up when I opened the videos

alethiophile · Sep 5, 2024

magic9mushroom said:
I'm not really that up-to-speed with addons; could you (or someone else) suggest a decent one for Chrom(ium)?

Someone up-thread suggested Privacy Badger. I just tried it with uBlock Origin, basically the standard; it doesn't block it by default, but you can add the custom filter:

Code:

||tiktok.com^$3p

Note that uBlock Origin, and maybe others, might have problems in Chrome due to the upcoming Manifest v3 issue. I don't know how or whether that will apply to Ungoogled Chromium.

TMTMTM · Sep 5, 2024

magic9mushroom said:
Beyond what I've already noted (i.e. it is currently September 2024), I'm not going to be drawn into a lengthy discussion of world politics on a board that bans politics. I'm hoping I wind up looking the fool, and there's a reasonable chance I do, but I'm not counting on it.

I may have come off as a bit hostile, I would like to clarify I don't think you're stupid or foolish for your concerns. I just think you're being a bit more paranoid than is probably warranted. As long as you have a good advert and a good tracker blocker installed you're already gonna be safe from 90% of common internet threats assuming you don't click or download and run anything excessively suspicious.

As for blockers, Unlock origin plus Ghostery. Ghostery has a adblocker and a tracker blocker, but you can (and should) disable the adblocker to just get the trackers blocked.

raiz delasol said:
What adblocker should i download or what do you recommend for mobile. It been heating my phone up when I opened the videos

I recommend downloading Firefox and just watching videos on there. The mobile version of Firefox supports Unlock.

evildice · Saturday at 12:37 PM

alethiophile said:
Huh.

I had not really realized that the server now supported Tiktok embeds. Unfortunately, this functionality comes from an addon that supports a wide variety of media sites, and there isn't an easy way to select them on or off one by one.

I currently rate the probability of malicious software in the Tiktok embed as nonzero, but not high enough for ordinary users to bother with. However, for people who estimate it differently, I endorse the use of a blocker addon to turn off the embed client-side. (This is more complicated on mobile, but should still be possible with the right DNS shenanigans.)

I'd be in favor of removing all live embeds.

TikTok might be the most overtly suspicious, but I don't really want any social media site or other outside library recording & selling my activity on QQ.

magic9mushroom · Saturday at 2:30 PM

evildice said:
I'd be in favor of removing all live embeds.

TikTok might be the most overtly suspicious, but I don't really want any social media site or other outside library recording & selling my activity on QQ.

YouTube's worth it, considered on its own. It's nearly impossible to fully avoid Google's tracking anyway (and the possibility of Five Eyes malware is absolutely a sunk cost due to QQ's servers being in the USA), and QQ doesn't have native music or videos.

If getting rid of the rest means getting rid of YouTube, the hesitancy is at least colourable, although I think I'd probably still come down on your side.

evildice · Saturday at 2:32 PM

magic9mushroom said:
YouTube's worth it, considered on its own. It's nearly impossible to fully avoid Google's tracking anyway (and the possibility of Five Eyes malware is absolutely a sunk cost due to QQ's servers being in the USA), and QQ doesn't have native music or videos.

If getting rid of the rest means getting rid of YouTube, the hesitancy is at least colourable, although I think I'd probably still come down on your side.

I prefer opening YouTube music in a separate tab anyway, because turning the page on a story or discussion will end the music on the current page.

So for me the URLs are higher functionality and better UX.

NumberSix · Saturday at 4:39 PM

Kinda overreacting here.

It is just an iframe, no different from browsing the TikTok site itself, any JavaScript that gets executed is executed in the usual sandbox the browser provides.

There are lots of security and privacy add-ons that can stop ads and unwanted content, if you hate TikTok that much you can just use something like piHole or open source router firmware and a caching DNS resolver to send all requests to all TikTok domains to a black hole.

evildice said:
I prefer opening YouTube music in a separate tab anyway, because turning the page on a story or discussion will end the music on the current page.

So for me the URLs are higher functionality and better UX.

You can take a look at this

NewPipe - a free YouTube client

newpipe.net

evildice · Saturday at 6:17 PM

NumberSix said:
It is just an iframe, no different from browsing the TikTok site itself, any JavaScript that gets executed is executed in the usual sandbox the browser provides.

I mean, for me that is the big deal -- I don't want any external organization to be able to associate my browser with my QQ posts or thread visits.

Someone embedding any kind of "live" iframe into a QQ thread seems bad.

And if it's just as easy to embed a proxy'd image -- which is just as easy for a lot of sites -- then I'd like QQ to support the image embeds and NOT support the "live" iframe with tracking.

Vanbers · Saturday at 7:37 PM

evildice said:
I mean, for me that is the big deal -- I don't want any external organization to be able to associate my browser with my QQ posts or thread visits.

Someone embedding any kind of "live" iframe into a QQ thread seems bad.

And if it's just as easy to embed a proxy'd image -- which is just as easy for a lot of sites -- then I'd like QQ to support the image embeds and NOT support the "live" iframe with tracking.

Solid agree with this from me tbh.

I hate live embeds because my potato finds them harder to load than, y'know, just the fucking image.

I don't want a whole ass thing loaded onto the page when people link to a twitter image, I just want the image.

Youtube/video players are fine enough, but twitter and tiktok and so on are much more irritating because it's rarely *just* the video, there's all the whole host of other shit, and for tiktok at least their video player is also an unintuitive poorly designed total pile of shit as well.

evildice · Saturday at 8:38 PM

Vanbers said:
Youtube/video players are fine enough, but twitter and tiktok and so on are much more irritating because it's rarely *just* the video, there's all the whole host of other shit, and for tiktok at least their video player is also an unintuitive poorly designed total pile of shit as well.

I've been reading older stories and most of the time the YouTube embed videos are dead.

So YouTube is getting its tracking info without providing any value to any future reader of that thread.

I'd rather they get nothing.

NumberSix · Saturday at 10:10 PM

evildice said:
I mean, for me that is the big deal -- I don't want any external organization to be able to associate my browser with my QQ posts or thread visits.

Someone embedding any kind of "live" iframe into a QQ thread seems bad.

And if it's just as easy to embed a proxy'd image -- which is just as easy for a lot of sites -- then I'd like QQ to support the image embeds and NOT support the "live" iframe with tracking.

The ultimate guide to iframes - LogRocket Blog

This post provides an overview of the iframe tag's best features, shows you how to use them, and how to secure them against vulnerabilities.

blog.logrocket.com

Same-origin policy - Security on the web | MDN

The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin.

developer.mozilla.org

evildice · Saturday at 10:18 PM

NumberSix said:
The ultimate guide to iframes - LogRocket Blog

This post provides an overview of the iframe tag's best features, shows you how to use them, and how to secure them against vulnerabilities.

blog.logrocket.com

Same-origin policy - Security on the web | MDN

The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin.

developer.mozilla.org

That looks like technical documentation for iframes.

If you think that refutes anything I've said, then I have to wonder if you've read what you just linked.

NumberSix · Saturday at 10:52 PM

evildice said:
That looks like technical documentation for iframes.

If you think that refutes anything I've said, then I have to wonder if you've read what you just linked.

They are limited to what they can touch, dom, existing cookiesy etc, by the way the same origin policy and the iframe implementation in the various standard works.
They can not tell who you are on here, normally they shouldn't even be able to send a referrer.

Worst thing they can do is set tracking cookies, but you can disable that from your browser, maybe they can run some fingerprinting code, and there are protections for that, but again, fingerprinting is not 100% reliable, and some browsers like brave have implemented randomization of fingerprintable data.

Also, nothing stops you from using multiple browsers, like for instance you have one for all thr saucy content and another for all your "clean" browsing. I do it by using Chrome for work and very vanilla crap like checking the weater, Brave for outright porn and the like, and LibreWolf for everything else.You can do fun stuff with your broeser's about:config or equivalent as well.
And as I mentioned, you can black hole advertiser/data mining company domains via DNS.

And VPNs and Tor are a thing as well, also you are most likely behind your Telco or ISP's NAT, too.

IMHO at some point they hit diminishing returns and few people are important enough for them to even care.

evildice · Sunday at 12:28 AM

NumberSix said:
They are limited to what they can touch, dom, existing cookiesy etc, by the way the same origin policy and the iframe implementation in the various standard works.
They can not tell who you are on here, normally they shouldn't even be able to send a referrer.

Referrer being there or not depends on the referrerpolicy set by the parent. Which policy does QQ's software use?

Your Link said:
The server can use the partial or full URL sent in the Referer header to identify the page requesting the resource for analytics and resource optimization.

On the other hand, the Referer header makes it easy to accidentally leak sensitive data such as passwords and usernames. If you load a third-party iframe in a page that contains sensitive data in the URL without proper referrer policy settings, you may accidentally expose private data.

Also Your Link said:
If you don't securely configure your referrer policy, you may accidentally leak sensitive information. Among other measures, it's recommended you avoid using iframes from third parties on pages that contain login and payment forms. You can also set the referrer policy to no-referrer or other more secure options.

So that's actually WORSE than I had thought before reading your links.

NumberSix said:
Worst thing they can do is set tracking cookies, but you can disable that from your browser, maybe they can run some fingerprinting code, and there are protections for that, but again, fingerprinting is not 100% reliable, and some browsers like brave have implemented randomization of fingerprintable data.

Worst thing they can do is run exploits that do fucky things to browsers, or install malware. Those require bugs in the browser which are exploitable, but we know ad servers try that sort of thing routinely, so it's not exactly uncommon.

Second worst thing they could do is somehow exploit a server leak to get login info, thanks for the documentation which makes the risk clear, you'd know about it if you'd read your own links.

Third worst thing they could do is use non-cookie tracking like what Bloomberg uses to figure out how many articles you've read -- purging cookies will not prevent that fingerprinting.

Fourth worst thing they could do is set a tracking cookie, which is the thing I came in here to complain that I don't want.

NumberSix said:
Also, nothing stops you from using multiple browsers, like for instance you have one for all thr saucy content and another for all your "clean" browsing. I do it by using Chrome for work and very vanilla crap like checking the weater, Brave for outright porn and the like, and LibreWolf for everything else.You can do fun stuff with your broeser's about:config or equivalent as well.
And as I mentioned, you can black hole advertiser/data mining company domains via DNS.

I do all that stuff (except no Brave, they lost trust with the bitcoin shenanigans). And that's exactly why I want the URLs instead of the media embeds -- I can send the URLs to other browsers on other devices. I can cleanly manage the split between porn and public. It's easy and secure.

NumberSix said:
And VPNs and Tor are a thing as well, also you are most likely behind your Telco or ISP's NAT, too.

Yes yes, I use those, and YouTube blocks me when I'm using a VPN which I always do for my private & porn devices. So for me with a VPN and tracking-blockers, YouTube embeds are worthless, and YouTube links are useful.

Therefore I want to remove the useless embeds and replace them with either proxy-happy images or links that I can send to other devices.

NumberSix said:
IMHO at some point they hit diminishing returns and few people are important enough for them to even care.

You only hit diminishing returns when the tech fights you and you have to do more work to get more value.

But tech can be configured to help you get more value with less work.

That's what I want it to do in this case.

Vajra · Sunday at 4:21 AM

alethiophile said:
(This is more complicated on mobile, but should still be possible with the right DNS shenanigans.)

Kiwi Browser is a Chromium-based mobile browser that supports desktop extensions.

NumberSix · Sunday at 8:48 AM

evildice said:
Referrer being there or not depends on the referrerpolicy set by the parent. Which policy does QQ's software use?

So that's actually WORSE than I had thought before reading your links.

Worst thing they can do is run exploits that do fucky things to browsers, or install malware. Those require bugs in the browser which are exploitable, but we know ad servers try that sort of thing routinely, so it's not exactly uncommon.

Second worst thing they could do is somehow exploit a server leak to get login info, thanks for the documentation which makes the risk clear, you'd know about it if you'd read your own links.

Third worst thing they could do is use non-cookie tracking like what Bloomberg uses to figure out how many articles you've read -- purging cookies will not prevent that fingerprinting.

Fourth worst thing they could do is set a tracking cookie, which is the thing I came in here to complain that I don't want.

I do all that stuff (except no Brave, they lost trust with the bitcoin shenanigans). And that's exactly why I want the URLs instead of the media embeds -- I can send the URLs to other browsers on other devices. I can cleanly manage the split between porn and public. It's easy and secure.

Yes yes, I use those, and YouTube blocks me when I'm using a VPN which I always do for my private & porn devices. So for me with a VPN and tracking-blockers, YouTube embeds are worthless, and YouTube links are useful.

Therefore I want to remove the useless embeds and replace them with either proxy-happy images or links that I can send to other devices.

You only hit diminishing returns when the tech fights you and you have to do more work to get more value.

But tech can be configured to help you get more value with less work.

That's what I want it to do in this case.

No, by diminishing returns I mean that whoever is trying to track you will likely not care for edge cases like you implementing all or some of those simple security measures we discussed.
Are there ways to gather and correlate lots of seemingly unrelated data to potentially identify and track people who do not want to be tracked - yes?
Are they automated and of the lowest common denominator variety - pretty certain.
Most of that data is likely never seen by a flesh and blood human, and just wastes space.

The only thing that should be of any relevance here is the referrer policy and asking QQ staff to see if they can make sure that and same origin are as tight as possible.

You can potentially get hit by browser security problems in many ways and it is up to you to make sure you keep that stuff up to date.

Also, I kinda doubt that China or Russia or the 5E would waste something like a zero day exploit bad enough to install malware via browser as part of a way to track a few randos on a site like this.

I think some people are blowing this out of proportion and should calm down.

I am guessing you also run Linux with noexec and the like in the mount options for your home and /tmp, no?

evildice · Sunday at 12:34 PM

NumberSix said:
The only thing that should be of any relevance here is the referrer policy and asking QQ staff to see if they can make sure that and same origin are as tight as possible.

Also the allow and sandbox policies, which are separate from the referrer policy.

You didn't read even one word of the stuff you linked?

NumberSix said:
You can potentially get hit by browser security problems in many ways and it is up to you to make sure you keep that stuff up to date.

Correct, but irrelevant, and those updates are nicely automated for everyone.

NumberSix said:
Also, I kinda doubt that China or Russia or the 5E would waste something like a zero day exploit bad enough to install malware via browser as part of a way to track a few randos on a site like this.

That's someone else's pet issue. Mine is that I don't want Twitter or other social media sites able to track us on QQ.

NumberSix said:
I think some people are blowing this out of proportion and should calm down.

I think you should try to remember which posters are which, and you should try to actually read the stuff you hold up as references.

NumberSix · Sunday at 12:55 PM

evildice said:
Also the allow and sandbox policies, which are separate from the referrer policy.

You didn't read even one word of the stuff you linked?

I frankly didn't care about frontend stuff that much, if you dislike any of the parent doc policies and other relevant settings and see them as sus you can probably ask the staff here to see to changing them.

evildice said:
Correct, but irrelevant, and those updates are nicely automated for everyone.

Depends on the OS, and even if it was an option I personally am not going to let any browser do any sort of package management.
I don't even have the play store and Google's crap enabled on a bunch of my android devices.

evildice said:
That's someone else's pet issue. Mine is that I don't want Twitter or other social media sites able to track us on QQ.

And that is way I have twitter, Facebook and blocked via DNS.
But sadly lots of people like it and there are lots of artists that post their stuff over there.
Blocking these social media sites globally here won't be something a large portion of the user base will like.

evildice said:
I think you should try to remember which posters are which, and you should try to actually read the stuff you hold up as references.

As I told you, I am not particularly interested in frontend stuff, I do not plan to memorize every security feature and capability, and I think you are blowing sll this s bit out of proportion.

evildice · Sunday at 1:38 PM

NumberSix said:
I frankly didn't care about frontend stuff that much, if you dislike any of the parent doc policies and other relevant settings and see them as sus you can probably ask the staff here to see to changing them.

Yep that's why I'm here, to ask them to turn off the embed in the parent doc.

NumberSix said:
Blocking these social media sites globally here won't be something a large portion of the user base will like.

Blocking them in DNS is a separate concern from live-embedding their sites into a QQ page. I'm happy with QQ's own image-proxy service serving me content from those sites (which requires loading that content into the image-proxy and thus not having the DNS blackhole'd). And links into those sites are fine, since I can open those links where and how I want. It's just the live emebeds which seem bad.

NumberSix said:
As I told you, I am not particularly interested in frontend stuff, I do not plan to memorize every security feature and capability, and I think you are blowing sll this s bit out of proportion.

Linking documentation without comment is considered a bit rude -- the canonical example is dropping a Wikipedia link -- but then your own documentation proved you to be almost totally ignorant of the subject area, and your assertions of safety were directly and specifically contradicted by your own documentation.

Also you keep mixing me up with another poster.

At this point you've been rude, and your rudeness has exposed your total ignorance of the subject area, and therefore it feels like fair play to mock your dumb mistakes until you go away and let the grown-ups talk in peace.

I don't really care if you think that my reaction is too much -- "hey let's not embed non-functional frames which allow tracking & maybe worse" seems pretty reasonable, especially when these frames regularly become non-functional (twitter posts getting deleted or removed, youtube videos becoming unavailable or being removed, etc.) -- and I think it's both easy and worthwhile to make the change to NOT embed those frames.

NumberSix · Sunday at 2:41 PM

evildice said:
Yep that's why I'm here, to ask them to turn off the embed in the parent doc.

As I said, a bunch of people might be unhappy if you break their video and post embeds.

Frankly, the less effort I need to put in to see content the better.
I have gotten lazy and I come here forme retainment.

evildice said:
Blocking them in DNS is a separate concern from live-embedding their sites into a QQ page. I'm happy with QQ's own image-proxy service serving me content from those sites (which requires loading that content into the image-proxy and thus not having the DNS blackhole'd). And links into those sites are fine, since I can open those links where and how I want. It's just the live emebeds which seem bad.

Huh, does that thing work on the client side and does it cache content, why would I need to keep the domains accessible if some proxy service runs on here fetched them and caches them?

evildice said:
Linking documentation without comment is considered a bit rude -- the canonical example is dropping a Wikipedia link -- but then your own documentation proved you to be almost totally ignorant of the subject area, and your assertions of safety were directly and specifically contradicted by your own documentation.

It felt like you were omitting stuff and that you didn't know what you were talking about, and there was your holier than thou tone, so I decided to RTFM you and give the other participants a chance to familiarize themselves with the specifics, no offense.

evildice said:
Also you keep mixing me up with another poster.

My last 2-3 messages were targeted at you.

evildice said:
At this point you've been rude, and your rudeness has exposed your total ignorance of the subject area, and therefore it feels like fair play to mock your dumb mistakes until you go away and let the grown-ups talk in peace.

Eh, pot meet kettle.
I know enough about this stuff to participate in a discussion.
From my point of view, frontend is crap and most frontend devs, but not all, I've had to deal with, were massive assholes, prima donnas, and quite inept.
The tech stack utilized for front end is also utter crap.

evildice said:
I don't really care if you think that my reaction is too much -- "hey let's not embed non-functional frames which allow tracking & maybe worse" seems pretty reasonable, especially when these frames regularly become non-functional (twitter posts getting deleted or removed, youtube videos becoming unavailable or being removed, etc.) -- and I think it's both easy and worthwhile to make the change to NOT embed those frames.

Ok, can you be a bit less pushy and sanctimonious about it?

You catch more bees with honey than with a stick and all that.

For what it is worth, I apologize if I let my autistic tendencies got the better of me.

Also, this thread started when magic9musnroom requested blocking TikTok.

Security of TikTok embeds

BEST END.

agamemnon hater

Directed by Dick Wolf

BEST END.

Directed by Dick Wolf

BEST END.

Shadowed Philosopher

Connoisseur.

Directed by Dick Wolf

BEST END.

Empty with a grain of salt

Shadowed Philosopher

Directed by Dick Wolf

(emotionally stable clown posse)

BEST END.

(emotionally stable clown posse)

I trust you know where the happy button is?

(emotionally stable clown posse)

Well worn.

(emotionally stable clown posse)

I trust you know where the happy button is?

(emotionally stable clown posse)

I trust you know where the happy button is?

(emotionally stable clown posse)

I trust you know where the happy button is?

I trust you know where the happy button is?

(emotionally stable clown posse)

I trust you know where the happy button is?

(emotionally stable clown posse)

I trust you know where the happy button is?

Users who are viewing this thread