andypiper 2 days ago

oh, neat, I knew about tut and toot (two other TUI apps), but not this one - I'll have to add it to the community section of our next engineering blog post.

  • pabs3 a day ago

    Those look like they require an account to use. zygolophodon is different, it is a read-only client for use without an account. It uses the same APIs used by the JavaScript based client that instances serve to visitors.

esperent 4 days ago

> I'm working on adding a WebExtension that would let you use it in the browser.

Doesn't that just move the JS from the browser into the extension? What's the benefit?

  • pabs3 4 days ago

    There is just a small JS shim from the extension to the Python code, but yes.

    The benefit is that you don't need to enable arbitrary code execution in your browser. A variety of benefits flow from that; static pages, almost no advertising, fewer working paywalls, smaller attack surface etc.

    • esperent 4 days ago

      > static pages

      I'm not sure I agree that it's a static page if there's a web extension running JS involved in the page render. I guess it's a grey area.

      > almost no advertising, fewer working paywalls

      We're talking about Mastodon, right? I thought it would not have those.

      > smaller attack surface

      This one I'll give you, but what kind of attacks would you expect from a Mastodon instance?

      If all of this is a big enough issue to make you disable JS in the browser, wouldn't it be reasonable to whitelist Mastodon instances that you use?

      • pabs3 3 days ago

        I was mostly speaking to the general advantages of not enabling JS.

        > static pages

        As in it won't change after you load the page.

        > almost no advertising, fewer working paywalls

        Indeed, haven't seen these with Mastodon instances, but you never know when that will start happening.

        > smaller attack surface

        The instance could have been hacked, or you could have angered the admin, or you could have angered some other user who knows of a vulnerability they could leverage to send you custom JS.

        The JavaScript sent by Mastodon is obfuscated, so it isn't reasonable to expect to be able to audit it and mark it as safe. You could YOLO and allowlist any JS from trusted instances of course, but that opens you up to the scenarios above.