As a technical test, I'm going to be changing the server settings for the accounts @FediFollows, @FediVideo, @FediGarden and @homegrown. It should take effect in the next few days.
Don't worry, you don't have to do anything and you probably won't notice anything. However, if you encounter any problems such as broken follows etc please get in touch with me via this account or my personal account at @FediThing.
(For technical people, I'm going to try activating the "authorized fetch" feature.)
p.s. The switch hasn't actually been thrown yet, if anyone has good reasons not to please let me know ASAP. I've tried to read as much info as possible, and asked for advice in an earlier more low-key post. Asking again now in case something else was missed in the previous thread.
p.p.s. Okay, it's switched on now. As I said before, if you have any problems with my other accounts let me know :)
@feditips I'm only aware of one reason not to, which is that it prevents people from browsing your profile for a vibe check or similar. But it's entirely your choice whether to care about that or not.
I'm not sure if that's the case though? There are people on the Mastodon github complaining that people who aren't logged on have too much access to public threads even with secure mode switched on:
https://github.com/mastodon/mastodon/issues/20930
This is partly why I'm doing the test, there's some contradiction in how this is documented/perceived.
@feditips Update: Oh wait, it seems like Mastodon might have split that into a second option. You also have to set DISALLOW_UNAUTHENTICATED_API_ACCESS to true to get the full security benefit.
Original message:
if that thread is correct, then Mastodon's implementation of Authorized Fetch is broken. When it's working, attempting to access anything through a web browser should return a 403 / similar error unless you log in. That's also how it works on Pleroma and Misskey.
As far as I can tell, it does that if you're logged in on a blocked server but not if you're logged out?
The threads seem to say there's no way to stop scraping of public posts, but at least it would force people to scrape instead of viewing easily?
@feditips It seems like Mastodon may have split AUTHORIZED_FETCH into two separate toggles. To prevent scraping / public web access you have to also enable DISALLOW_UNAUTHENTICATED_API_ACCESS. With that disabled, the web interface will still work (but you lose most of the privacy benefits of AUTHORIZED_FETCH).
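An added example, not part of the thread, of how an admin could verify from the outside which of the two settings is actually in effect: one unsigned ActivityPub fetch of an actor (what AUTHORIZED_FETCH should reject) and one unauthenticated call to the public timeline API (what DISALLOW_UNAUTHENTICATED_API_ACCESS should reject). The host and account names are constructed placeholders, and treating both 401 and 403 as "blocked" is an assumption about the exact codes Mastodon returns.

```python
import urllib.request
import urllib.error

# Constructed placeholders; point these at the instance and account under test.
HOST = "mastodon.example"
ACTOR = "feditips"


def fetch_status(url: str, accept: str) -> int:
    """Return the HTTP status of a plain, unsigned, unauthenticated GET."""
    req = urllib.request.Request(
        url, headers={"Accept": accept, "User-Agent": "fetch-check/1.0"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def assess(actor_status: int, api_status: int) -> dict:
    """Map the two probe results onto the two toggles discussed in the thread.

    Assumption: a secure-mode instance answers unsigned/unauthenticated
    requests with 401 or 403; anything else means the request was served.
    """
    blocked = {401, 403}
    actor_blocked = actor_status in blocked
    api_blocked = api_status in blocked
    return {
        "authorized_fetch_effective": actor_blocked,
        "unauthenticated_api_blocked": api_blocked,
        "fully_restricted": actor_blocked and api_blocked,
    }


def check_instance(host: str, actor: str) -> dict:
    """Run both probes against a live instance and return the assessment."""
    actor_status = fetch_status(
        f"https://{host}/users/{actor}", "application/activity+json"
    )
    api_status = fetch_status(
        f"https://{host}/api/v1/timelines/public", "application/json"
    )
    result = assess(actor_status, api_status)
    result.update(actor_status=actor_status, api_status=api_status)
    return result


if __name__ == "__main__":
    for key, value in check_instance(HOST, ACTOR).items():
        print(f"{key}: {value}")
```

A result with authorized_fetch_effective true but unauthenticated_api_blocked false is the half-configured state the thread describes: federation requests are signed, yet logged-out web and API access still works.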
Ahh... that perhaps explains the apparent contradictions. Thanks!
@feditips Corner case: If your instance has a cached toot (of inaccessible origin) that I want to bring over to my own instance, I would do a search (for a user, hashtag, etc) on your website (not logged in), then search the found url on my instance.
Did that today to fetch a cached copy of a WordPress post on another Mastodon. The origin site's WP plugin offers no way to discover ActivityPub ids (no public feed, article permalinks aren't masto-searchable, no id on the articles themselves).
@feditips * If I didn't search, instead typing mastohost/@user@originhost directly into the browser, I'd get redirected to the origin server without showing your cached urls (taking me to the unfederable blog page instead, in this example).
@feditips things seem to be in order!
@feditips did you run into problems with this?
@feditips @FediFollows @FediVideo @FediGarden @homegrown @FediThing there’s a Mean Girls quote on point