FediTips has moved!

As a technical test, I'm going to be changing the server settings for the accounts @FediFollows, @FediVideo, @FediGarden and @homegrown. It should take effect in the next few days.

Don't worry, you don't have to do anything and you probably won't notice anything. However, if you encounter any problems such as broken follows etc., please get in touch with me via this account or my personal account at @FediThing.

(For technical people, I'm going to try activating the "authorized fetch" feature.)

p.s. The switch hasn't actually been thrown yet, if anyone has good reasons not to, please let me know ASAP. I've tried to read as much info as possible, and asked for advice in an earlier, more low-key post. Asking again now in case something else was missed in the previous thread.

p.p.s. Okay, it's switched on now. As I said before, if you have any problems with my other accounts let me know :)

@feditips I'm only aware of one reason not to, which is that it prevents people from browsing your profile for a vibe check or similar. But it's entirely your choice whether to care about that or not.

@hazel

I'm not sure if that's the case though? There are people on the Mastodon GitHub complaining that people who aren't logged on have too much access to public threads even with secure mode switched on:

github.com/mastodon/mastodon/i

This is partly why I'm doing the test, there's some contradiction in how this is documented/perceived.

(Link preview: GitHub, "Remove search from about page · Issue #20930 · mastodon/mastodon", by ryliejamesthomas)

@feditips
Update: Oh wait, it seems like Mastodon might have split that into a second option. You also have to set DISALLOW_UNAUTHENTICATED_API_ACCESS to true to get the full security benefit.

Original message:
If that thread is correct, then Mastodon's implementation of Authorized Fetch is broken. When it's working, attempting to access anything through a web browser should return a 403 / similar error unless you log in. That's also how it works on Pleroma and Misskey.

@hazel

As far as I can tell, it does that if you're logged in on a blocked server but not if you're logged out?

The threads seem to say there's no way to stop scraping of public posts, but at least it would force people to scrape instead of viewing easily?

@feditips It seems like Mastodon may have split AUTHORIZED_FETCH into two separate toggles. To prevent scraping / public web access you have to also enable DISALLOW_UNAUTHENTICATED_API_ACCESS. With that disabled, the web interface will still work (but you lose most of the privacy benefits of AUTHORIZED_FETCH).

@hazel

Ahh... that perhaps explains the apparent contradictions. Thanks!

@feditips Corner case: If your instance has a cached toot (of inaccessible origin) that I want to bring over to my own instance, I would do a search (for a user, hashtag, etc) on your website (not logged in), then search the found url on my instance.

Did that today to fetch a cached copy of a WordPress post on another Mastodon. The origin site's WP plugin offers no way to discover ActivityPub ids (no public feed, article permalinks aren't masto-searchable, no id on the articles themselves).

@feditips * If I didn't search, instead typing mastohost/@user@originhost directly into the browser, I'd get redirected to the origin server without showing your cached urls (taking me to the unfederable blog page instead, in this example).