Why do we still have the Twitter one box enabled while it's still performing DoS attacks?
-
This is such a fucking Mickey Mouse operation. Ignoring the hundreds of WTFs and the shitty lazy developers who are pieces of ass that make us all look bad who were involved in getting this bug in the first place, why the fuck do we still have this BROKEN SHIT TURNED ON!?
Until it works: TURN IT THE FUCK OFF. OFF. NOW.
-
@blakeyrat what are you talking about?
-
@blakeyrat has anyone who's allegedly being DoS'd by the onebox actually complained about it?
I'm not saying it's not flawed, but you seem to think it's a TOP PRIORITY FIX IT NOW bug, and I'm not sure it's that big.
-
@bb36e said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@blakeyrat what are you talking about?
Yes, what is the bug? This is the first I'm hearing about it.
-
@bb36e said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
what are you talking about?
Ok; but if you repro it you'll likely get cut off from a site for flooding.
Just open an editor, paste in a Twitter link first, and start typing. Several times a second, NodeBB will do a full refresh of the preview pane, including calling out to Twitter for the one box content. Meaning: while you're typing your post, you're also spamming Twitter (and probably other one box site victims) with requests like a jackass.
Even better: if you're in "mobile mode", this still happens, it just doesn't show on screen because the preview pane is hidden. So you don't even get the flickering to see that it's happening.
This was actually fixed for YouTube, but it's broken for Twitter and possibly other sites.
This is also a repeat of the EXACT SAME BUG in Discourse that we also had to get THOSE joker clowns to fix. But because nobody in software learns anything from anybody else, ever, the bug will just repeat again and again until the end of time, apparently.
And again: it INFURIATES me that this broken shit was ever released to the public. How fucking INCOMPETENT do you have to be to check the "good enough" box on a plugin that makes people ACCIDENTALLY perform denial-of-service attacks on their favorite websites?! HOW FUCKING INCOMPETENT!
-
@anotherusername said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
has anyone who's allegedly being DoS'd by the onebox actually complained about it?
That's not the fucking point.
Homeless Bob stabbed a stray dog in the face with an ice pick. Has anybody complained? No? Ok, well, it's perfectly ok and hunky-dory for Homeless Bob to keep on skewering dog brains! Nobody complained! THEREFORE IT'S ALRIGHT! THAT IS HOW ETHICS WORKS!!!!
-
@blakeyrat said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
Until it works: TURN IT THE FUCK OFF. OFF. NOW.
If you are an admin, do it yourself. If you are not, which you aren't, then you don't get to make such demands.
Or, I guess more properly, you can make the demand and they can ignore you.
-
You know Twitter. They're a small mom-and-pop operation with a single underpowered server and not much bandwidth, so a single user (let alone a few dozen users) could bring them down by sending a few dozen requests.
Filed under: I'm more concerned about this chewing through my cell phone data plan; but I don't use the Twatter.
-
@error said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
You know Twitter. They're a small mom-and-pop operation with a single underpowered server and not much bandwidth, so a single user (let alone a few dozen users) could bring them down by sending a few dozen requests.
Jesus Christ, that's irrelevant. STOP.
It doesn't matter whether Twitter can handle the requests or not. What matters is our forum is SPEWING GARBAGE ALL OVER. It's EMBARRASSING.
-
@blakeyrat no, what's irrelevant is stabbing puppies with ice picks.
-
@anotherusername said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@blakeyrat no, what's irrelevant is stabbing puppies with ice picks.
You do that, too?
I mean, um. You monster.
-
Who's actually in charge of the onebox plugin? Is it NodeBB devs? I have an idea for how they could probably fix it. But I don't want to be saddled with the responsibility.
-
@anotherusername well, didn't it get fixed for YouTube (for some value of fixed)?
Why not Twitter?
-
@anotherusername said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
no, what's irrelevant is stabbing puppies with ice picks.
The point is things are inherently right or wrong. It doesn't matter if you get caught.
Engaging in a denial-of-service attack is wrong. Even if you're doing it by accident. Whether or not Twitter cares enough to do anything is beside the point.
There is ethics in software, and this is a clear violation.
-
@Arantor said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
well, didn't it get fixed for YouTube (for some value of fixed)?
Why not Twitter?
I believe because they're two different plug-ins, and YouTube only got fixed because Boomzilla did it himself.
Fixed or not, I don't care. If it's fixed, it can remain on. But as long as it's doing this awful behavior, we shouldn't have it enabled. Community Server never had oneboxes and somehow we survived those dark times. (Even with YouTube, the one that kind of works: since the movie breaks whenever someone edits a post or if you scroll too far, IMO, we'd still be better off with plain links.)
-
@Arantor said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@anotherusername well, didn't it get fixed for YouTube (for some value of fixed)?
Why not Twitter?
If it gets fixed for YouTube and Twitter, why not have it fixed for all links?
-
@anotherusername said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
If it gets fixed for YouTube and Twitter, why not have it fixed for all links?
WHY NOT INDEED!
-
@bb36e said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@blakeyrat what are you talking about?
Denial of Service doesn't have to actually deny any service, as far as he's concerned.
-
@boomzilla An attack doesn't have to succeed to be an attack.
-
@anotherusername That was the next step. If it can be fixed for more than one special case it can be fixed for a general case. But need to get through some denial-of-problem protocol issues first.
-
Instead of disabling every single iframely-supporting website as they're discovered and installing a plugin that @boomzilla has to maintain because the original author vanished, let's file a ticket and get it fixed in the iframely plugin.
-
@blakeyrat It's about ethics in game journalism! Chokestrangledie
(FWIW, I agree. Also, oneboxing in general is really fucking dumb and should die. Allowing users to inject arbitrary content is a fucking nono)
-
My idea is basically, have the plugin cache oneboxes by URL for the duration of the edit session. Something like:
```javascript
// when the user opens the editor...
var oneboxCache = {};

// to insert a onebox in the preview...
// *** assume there's a placeholder element called placeholder ***
if (url in oneboxCache) {
  placeholder.parentElement.replaceChild(oneboxCache[url], placeholder);
} else {
  // let's assume this function does the needful and then calls our callback
  loadOnebox(url).then(function (innerHTML) {
    placeholder.innerHTML = innerHTML;
    oneboxCache[url] = placeholder;
  });
}
```
edit: I don't think cloneNode is necessary, and it might make the browser try to reload iframes. A reference to the node should work... when it's removed from the preview pane to rebuild the preview, there will still be a reference to the node inside oneboxCache, and it can be reinserted in the preview.
-
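An added example, not code from NodeBB, the iframely plugin or anyone in this thread, of the per-session cache idea posted above. The posted sketch only caches a onebox after its request has completed, so every preview rebuild that happens while the first request is still pending fires another one; this version also dedups in-flight requests, refuses to cache a failed load, and drops the cache on submit/discard. It runs outside a browser against a fake, counting loader; OneboxSessionCache, simulateTyping and the loader signature are assumptions for this example, and the keystroke sample is constructed.

```javascript
// Added example, not the NodeBB, iframely or TDWTF code: a per-edit-session
// onebox cache keyed by URL. The names (OneboxSessionCache, simulateTyping,
// the fake loadOnebox) are assumptions made for this example.

class OneboxSessionCache {
  constructor(loadOnebox) {
    this.loadOnebox = loadOnebox;  // assumed: (url) => Promise<renderedNode>
    this.done = new Map();         // url -> rendered node, kept for the session
    this.inflight = new Map();     // url -> pending Promise, dedups rapid rebuilds
  }

  // Hands back the same node object for a URL on every preview rebuild, so the
  // embed is reinserted instead of refetched. A request that is still pending
  // is shared rather than repeated; a failed request is not cached.
  get(url) {
    if (this.done.has(url)) return Promise.resolve(this.done.get(url));
    if (this.inflight.has(url)) return this.inflight.get(url);
    const p = this.loadOnebox(url).then(
      node => { this.done.set(url, node); this.inflight.delete(url); return node; },
      err  => { this.inflight.delete(url); throw err; }
    );
    this.inflight.set(url, p);
    return p;
  }

  clear() {            // call on submit / discard so nodes are not held forever
    this.done.clear();
    this.inflight.clear();
  }
}

const URL_RE = /https?:\/\/\S+/g;

// Simulates the composer described in the thread: the draft is rebuilt from
// scratch after every keystroke and every URL in it is requested again.
// Returns how many upstream requests the (fake, counting) loader saw.
async function simulateTyping(keystrokes, useCache) {
  let requests = 0;
  const loadOnebox = url => new Promise(resolve => {
    requests += 1;
    // resolve asynchronously, like a real fetch: later keystrokes arrive first
    setTimeout(() => resolve({ url, html: '<blockquote>' + url + '</blockquote>' }), 1);
  });
  const cache = new OneboxSessionCache(loadOnebox);
  const pending = [];
  let draft = '';
  for (const key of keystrokes) {
    draft += key;
    for (const url of draft.match(URL_RE) || []) {
      pending.push(useCache ? cache.get(url) : loadOnebox(url));
    }
  }
  await Promise.all(pending);
  cache.clear();
  return requests;
}

// constructed input: paste a link first, then type a few characters
const SAMPLE_KEYSTROKES = ['https://twitter.com/example/status/1 ', 'h', 'e', 'l', 'l', 'o'];

if (typeof require !== 'undefined' && require.main === module) {
  simulateTyping(SAMPLE_KEYSTROKES, false).then(n => console.log('without cache:', n, 'requests'));
  simulateTyping(SAMPLE_KEYSTROKES, true).then(n => console.log('with cache:', n, 'request'));
}
```

With the sample above the uncached path issues one request per keystroke (six), the cached path issues one. The in-flight map is the part that matters for a typist: keystrokes arrive faster than Twitter answers, so a cache that is only filled on completion never gets a hit while it is needed.
-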
@Weng I'm not actually against oneboxing as a general concept. I remember pitching the idea back in 2010 or so though the reaction wasn't 'OMG NO', it was more 'how would this be useful' and I think it's actually useful to have some safe, sane preset onebox defaults, e.g. Wikipedia, YouTube.
Not sure Twitter is on that list.
-
@error said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
You know Twitter. They're a small mom-and-pop operation with a single underpowered server and not much bandwidth, so a single user (let alone a few dozen users) could bring them down by sending a few dozen requests.
Filed under: I'm more concerned about this chewing through my cell phone data plan; but I don't use the Twatter.
Wait wait wait-- isn't the Twitter Onebox a CLIENT-SIDE request?
So every time it tries to OneBox in the preview, it's actually launching a full request on my behalf?
So it isn't TDWTF doing a DOS, but it's my machine?
Meaning that if there's any sort of bandwidth, usage caps, or angry sysadmin... then I WILL BE THE ONE WHO WILL BE BANNED?
Fucking hell.
-
@Lorne-Kates as they say, you are TR here ;)
-
@Arantor for trusted sites, yeah. Across the board? NOOOO.
-
@error said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
with a single underpowered server and not much bandwidth
That part is true though.
-
@Arantor said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@Weng I'm not actually against oneboxing as a general concept. I remember pitching the idea back in 2010 or so though the reaction wasn't 'OMG NO', it was more 'how would this be useful' and I think it's actually useful to have some safe, sane preset onebox defaults, e.g. Wikipedia, YouTube.
Not sure Twitter is on that list.
I'm pretty sure I said exactly that the very first time Dickhorse was mentioned. Of course I can't search for that post because SOFTWARE!
But it was along the lines of "Great, so we can DoS other sites, and pull in arbitrary, third party data. Let's hope no one ever oneboxes something that shows up as "safe", is then ignored, and then later edited to be "unsafe""...
-
@anotherusername The question is why doesn't the browser cache the content. Does Twitter send do-not-cache headers? Why would they even do that if tweets can't be edited?
-
@anonymous234 said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@anotherusername The question is why doesn't the browser cache the content.
:effort:
-
@anonymous234 said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@anotherusername The question is why doesn't the browser cache the content. Does twitter send do-not-cache headers? Why would they even do that if tweets can't be edited?
It'll at least check to see if it's been updated, which requires a round-trip to Twitter's server.
-
@blakeyrat said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
THAT IS HOW ETHICS WORKS!!!!
Thanks for the clarification.
-
@blakeyrat said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
It's EMBARRASSING
Especially when you find out the plugin's user agent is @blakeyrat/1.0.
-
@anotherusername said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
If it gets fixed for YouTube and Twitter, why not have it fixed for all links?
You just got told: two plugins, apparently. If it gets fixed in the onebox plugin, it'll be fixed everywhere else.
-
@ben_lubar said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
Instead of disabling every single iframely-supporting website as they're discovered and installing a plugin that @boomzilla has to maintain because the original author vanished, let's file a ticket and get it fixed in the iframely plugin.
Excellent idea. Just out of curiosity, and not to get all @blakeyrat on you, why didn't that get done when the issue was first noticed? (That is, if it didn't. If it was already reported, carry on.)
-
@Lorne-Kates said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
Meaning that if there's any sort of bandwidth, usage caps, or angry sysadmin... then I WILL BE THE ONE WHO WILL BE BANNED?
Lorne and Blakey angry about the same thing? https://www.youtube.com/watch?v=WfVcvyxLj-s&t=22
-
@FrostCat said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@Lorne-Kates said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
Meaning that if there's any sort of bandwidth, usage caps, or angry sysadmin... then I WILL BE THE ONE WHO WILL BE BANNED?
Lorne and Blakey angry about the same thing? https://www.youtube.com/watch?v=WfVcvyxLj-s&t=22
I've said it before and I'll say it again. When both myself and Blakey agree that something is bad, then whoever made that gone done fucked up REAL bad.
-
@Lorne-Kates said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
When both myself and Blakey agree that something is bad, then whoever made that gone done fucked up REAL bad.
... or you are both insane and/or just wrong.
I mean, that's not the case here, but it could be.
-
@FrostCat said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
Excellent idea. Just out of curiosity, and not to get all @blakeyrat on you, why didn't that get done when the issue was first noticed? (That is, if it didn't. If it was already reported, carry on.)
I've never been able to decide if it's the fault of the plugin or the preview. Plus the angrier blakey gets the less motivated I am.
-
@boomzilla does the sample code I posted above look like it might be a workable strategy?
-
@FrostCat said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@Lorne-Kates said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
When both myself and Blakey agree that something is bad, then whoever made that gone done fucked up REAL bad.
... or you are both insane and/or just wrong.
I mean, that's not the case here, but it could be.
It's more likely that one of us is insane and/or wrong.
Or we'd disagree, and both be insane/wrong about different things.
When we're on the same page-- that's when ouch happens.
-
@anotherusername I don't know, but I kind of doubt it. I'm not sure where that's supposed to be happening, for one, and I've never taken a look at the way the preview works. The iframely plugin does cache the stuff that it returns, so the server isn't spamming requests no matter what the user is doing. I think that the preview just gets updated with new stuff as you write your post. So every time it's updated, your browser fetches whatever is in the markup. I have no idea why it doesn't cache any of that stuff.
I suggested at some point in the past that we could "just" turn off the hook for iframely to do stuff in the preview pane. That's heavy handed, but simple. It requires editing the plugin.json file for the plugin, so we'd need to fork the plugin and then keep it up to date (though I don't think it changes very often).
Other strategies might be to do something different in the preview than in the main post. The youtube plugin does this. It shows a smaller image and doesn't render the play button. To do something like this with iframely would be more complicated, since you can get all sorts of different things for different web sites as opposed to showing an embedded video.
-
@boomzilla said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
every time it's updated, your browser fetches whatever is in the markup. I have no idea why it doesn't cache any of that stuff.
Because the contents of the preview is being completely rebuilt. It doesn't figure out "oh, the user entered 'a', that should go at the end of this TextNode, I'll just modify that". It dumps the whole thing and rebuilds it from scratch. Since it's all "new" from the browser's perspective, it has to re-fetch everything, or at least check to see if the cached version is current.
That's why my idea was to create a reference to the onebox element, so it won't get destroyed when it's removed, and then reinsert it if it's still required. The drawback is that every onebox that is generated for the post has to remain in memory until whenever the script dumps its cache (which should probably happen on submit/discard, or perhaps when the editor is minimized).
-
@ben_lubar said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
let's file a ticket and get it fixed in the iframely plugin.
Again: that's fine; but in the meantime, we should disable it. Because until it gets fixed, our forum has the horrible demented awful behavior.
-
@anotherusername said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
That's why my idea was to create a reference to the onebox element, so it won't properly get unloaded when it's removed, and then reinsert it if it's still required.
Ah, yes, I've had similar thoughts. I just have never looked into how the preview actually works, so I don't know how plausible this is.
-
@anonymous234 said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
The question is why doesn't the browser cache the content.
Browsers aren't and never have been required to keep a cache, so that's still not a fix to the bug.
-
@boomzilla said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@anotherusername said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
That's why my idea was to create a reference to the onebox element, so it won't properly get unloaded when it's removed, and then reinsert it if it's still required.
Ah, yes, I've had similar thoughts. I just have never looked into how the preview actually works, so I don't know how plausible this is.
@julianlam said in Composer preview should not include scripts, media, or iframes:
Just an idle thought, but one wonders if you could selectively change text nodes based on a diff of the old and new raw input...
-
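An added example, not code from NodeBB or anyone in this thread, of the idle thought quoted above: instead of dumping the whole preview, split the raw draft into paragraphs, render each one once, and reuse the rendered node of every paragraph whose source text is unchanged. A node that is reused is never removed from the page, so an embed in it is neither destroyed nor refetched while the user types in a different paragraph. It runs outside a browser with plain objects standing in for DOM nodes; createIncrementalPreview and fakeRender are assumptions for this example and the drafts in the test are constructed.

```javascript
// Added example, not NodeBB code: re-render the preview per paragraph, reusing
// the rendered node of every paragraph whose raw text did not change. The
// render callback stands in for the real markdown + onebox pipeline; names are
// assumptions for this example.

function createIncrementalPreview(render) {
  let previous = new Map();   // raw paragraph text -> stack of rendered nodes
  let renders = 0;

  return {
    // Returns the ordered list of rendered nodes for the draft. Nodes for
    // unchanged paragraphs are the same objects as last time, so an embed in
    // them is neither destroyed nor refetched while the user types elsewhere.
    update(raw) {
      const next = new Map();
      const nodes = raw.split(/\n{2,}/).map(para => {
        const stack = previous.get(para);
        let node = stack && stack.length ? stack.pop() : null;  // reuse one node per occurrence
        if (node === null) { node = render(para); renders += 1; }
        if (!next.has(para)) next.set(para, []);
        next.get(para).push(node);
        return node;
      });
      previous = next;
      return nodes;
    },
    renderCount() { return renders; },
  };
}

// constructed stand-in renderer: a bare tweet link becomes an embed object
function fakeRender(para) {
  const m = para.match(/^https?:\/\/twitter\.com\/\S+$/);
  return m ? { type: 'onebox', url: m[0] } : { type: 'p', text: para };
}

if (typeof require !== 'undefined' && require.main === module) {
  const preview = createIncrementalPreview(fakeRender);
  preview.update('https://twitter.com/example/status/1\n\nhello');
  preview.update('https://twitter.com/example/status/1\n\nhello w');
  console.log('renders:', preview.renderCount());   // embed once, text paragraph twice
}
```

Keying on the paragraph text rather than its position means moving a paragraph still reuses its node, and keeping a stack per text means two identical paragraphs get two distinct nodes, which a real DOM requires. Editing inside the paragraph that holds the link still re-renders that one paragraph, which is the same cost as today for that paragraph only.
-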
@boomzilla I admit to not having paid too close attention before, but have we not contacted the iframely people, or are have they gone dark and aren't responding to bug reports, or is it something else?
-
@blakeyrat said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
@anonymous234 said in Why do we still have the Twitter one box enabled while it's still performing DoS attacks?:
The question is why doesn't the browser cache the content.
Browsers aren't and never have been required to keep a cache, that's still not a fix to the bug.
IOW, you don't know either. Geez, why did you even post that?