
coffee_chum

@coffee_chum@lemmy.ml


Phone home tracking image in DocuSeal, and how to remove it (www.reddit.com)

Kinda proud of this, so forgive me while I brag. I found a likely "phone home" tracking image in DocuSeal. I searched around: there was an extant issue about the image. I asked the devs: would they accept a PR to remove the image? A maintainer responded quickly that they were not interested in a PR to remove it, so I forked it...

coffee_chum ,

Just to play devil's advocate for a minute:
Loading from their own domain means they can actually garner quite a bit of information from just the serving of the SVG:

  • date and time of access
  • IP (country, state, region, etc.)
  • Potential for an SVG XSS attack if the hoster doesn't clamp down their CSP settings

Date/time/IP are good enough for getting pretty good estimates of who all uses their software. Doesn't matter if they are or aren't using that data: it is being sent to them of their own accord and on their terms. The public has no way of knowing.

And this is all perfectly acceptable, as long as you do one of the following:

  • Prominent notice to the user that tracking is enabled by default, and that it can be disabled by doing X, Y, or Z. State the kind of tracking information collected and maybe even say logs are kept in memory or dumped after X days.
  • Allow for opt-in tracking. This one's pretty straightforward.

All of this doesn't really matter if the dev isn't willing to change anything about the remote image.

But a fork?? Yeah, totally unnecessary. You can easily take care of this at the reverse proxy layer by preventing the SVG (or anything else, for that matter) from being served. Just serve a 404 or something instead, or do a regex replace and remove it altogether from the page prior to serving.
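The reverse-proxy approach from the comment above, as an added example that is not from the post or from DocuSeal: an nginx server block that strips the remote image tag from the served HTML and adds a CSP so the browser will not fetch it even if the markup changes. The upstream port, hostname and the tracking image URL are constructed placeholders, and the build is assumed to include ngx_http_sub_module.

```nginx
# Added example (not from the post): reverse proxy in front of a self-hosted
# app, removing a remote tracking <img> before the page reaches the browser.
server {
    listen 443 ssl;
    server_name docs.example.internal;       # placeholder hostname
    # ... ssl_certificate / ssl_certificate_key as usual ...

    location / {
        proxy_pass http://127.0.0.1:3000;    # assumed upstream app port
        proxy_set_header Host $host;
        # sub_filter can only rewrite uncompressed bodies, so do not let the
        # upstream gzip its response to us.
        proxy_set_header Accept-Encoding "";

        # sub_filter is a literal match, not a regex: the string must mirror
        # the exact markup the app emits, so re-check the served HTML after
        # every upgrade. The URL below is a constructed placeholder.
        sub_filter '<img src="https://tracking-host.example/pixel.svg">' '';
        sub_filter_once off;
        sub_filter_types text/html;

        # Belt and braces: restrict image loads to this origin (plus inline
        # data: URIs) so a renamed or relocated remote image is still blocked
        # by the browser. This also blocks any legitimate third-party images.
        add_header Content-Security-Policy "img-src 'self' data:" always;
    }
}
```

A 404 at the proxy only helps when the image is requested through your own origin; an image the browser loads straight from the vendor's domain never passes through the proxy, which is why this example rewrites the HTML and sets the CSP instead.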

coffee_chum ,

That's... not how that works. Just because they're getting separate IP addresses doesn't mean you can all of the sudden have "full control" and start using privileged ports without granting that sys capability to Docker. I fear you are overcomplicating what should be a fairly straightforward process and likely weakening security because you don't fully grok the implications of the security measures you're attempting to put in place. Just use Traefik or Caddy and be done with it.

question about self hosting SSO for multiple domains and services.

Hello, everyone. I am planning to set up Single Sign-On (SSO). I wonder if I can use something like Red Hat SSO with two separate domains. I have one domain for Windows AD and one for Linux IDM. My idea is to use Red Hat SSO so that both domains will be able to access the same services. For example, I have one Nextcloud...

coffee_chum ,

This is typically the case. Increasingly, self-hosted apps use integrated OIDC or OAuth, but for those that don't there are various other methods of integration into the SSO provider you're using, including forward auth and remote username. Authentik is nice in that it is also a forward-auth proxy, so you don't need to use additional OAuth proxy software like oauth2-proxy.

coffee_chum ,

This is the way. I just hope they don't start gatekeeping essential features behind the "enterprise" license. Already they have announced that push-based 2FA (like Duo) will be enterprise, which is a bit of a bummer, but it's honestly awesome software otherwise and beggars can't be choosers!
