←back to thread

Google flags Immich sites as dangerous

(immich.app)
1005 points janpio | 1 comments | 22 Oct 25 20:53 UTC | HN request time: 0.2s | source
Show context
arccy ◴[22 Oct 25 23:30 UTC] No.45676475[source]
If you're going to host user content on subdomains, then you should probably have your site on the Public Suffix List https://publicsuffix.org/list/ . That should eventually make its way into various services so they know that a tainted subdomain doesn't taint the entire site....
replies(16): >>45676781 #>>45676818 #>>45677023 #>>45677080 #>>45677130 #>>45677226 #>>45677274 #>>45677297 #>>45677341 #>>45677379 #>>45677725 #>>45677758 #>>45678975 #>>45679154 #>>45679258 #>>45679802 #
0xbadcafebee ◴[23 Oct 25 02:02 UTC] No.45677379[source]

  In the past, browsers used an algorithm which only denied setting wide-ranging cookies for top-level domains with no dots (e.g. com or org). However, this did not work for top-level domains where only third-level registrations are allowed (e.g. co.uk). In these cases, websites could set a cookie for .co.uk which would be passed onto every website registered under co.uk.

  Since there was and remains no algorithmic method of finding the highest level at which a domain may be registered for a particular top-level domain (the policies differ with each registry), the only method is to create a list. This is the aim of the Public Suffix List.
  
  (https://publicsuffix.org/learn/)
So, once they realized web browsers are all inherently flawed, their solution was to maintain a static list of websites.

God I hate the web. The engineering equivalent of a car made of duct tape.

replies(10): >>45677442 #>>45678161 #>>45678382 #>>45678520 #>>45678922 #>>45679006 #>>45679642 #>>45680322 #>>45680711 #>>45680859 #
lukan ◴[23 Oct 25 02:16 UTC] No.45677442[source]
"The engineering equivalent of a car made of duct tape"

Kind of. But do you have a better proposition?

replies(2): >>45677503 #>>45678251 #
gmueckl ◴[23 Oct 25 02:25 UTC] No.45677503[source]
A part of the issue is IMO that browsers have become ridiculously bloated everything-programs. You could take about 90% of that out and into dedicated tools and end up with something vastly saner and safer and not a lot less capable for all practical purposes. Instead, we collectively are OK with frosting this atrocious layer cake that is today's web with multiple flavors of security measures of sometimes questionable utility.

End of random rant.

replies(4): >>45677688 #>>45677734 #>>45677747 #>>45678076 #
lukan ◴[23 Oct 25 02:59 UTC] No.45677734[source]
"You could take about 90% of that out and into dedicated tools "

But then you would loose plattform independency, the main selling point of this atrocity.

Having all those APIs in a sandbox that mostly just work on billion devices is pretty powerful and a potential succesor to HTML would have to beat that, to be adopted.

The best thing to happen, that I can see, is that a sane subset crystalizes, that people start to use dominantly, with the rest becoming legacy, only maintained to have it still working.

But I do dream of a fresh rewrite of the web since university (and the web was way slimmer back then), but I got a bit more pragmatic and I think I understood now the massive problem of solving trusted human communication better. It ain't easy in the real world.

replies(3): >>45677833 #>>45677843 #>>45678003 #
smaudet ◴[23 Oct 25 03:23 UTC] No.45677843[source]
> Having all those APIs in a sandbox that mostly just work on billion devices is pretty powerful and a potential succesor to HTML would have to beat that, to be adopted.

I think the giant major downside, is that they've written a rootkit that runs on everything, and to try to make up for that they want to make it so only sites they allow can run.

It's not really very powerful at all if nobody can use it, at that point you are better off just not bothering with it at all.

The Internet may remain, but the Web may really be dead.

replies(2): >>45677951 #>>45679303 #
1. sofixa ◴[23 Oct 25 07:46 UTC] No.45679303[source]
> to try to make up for that they want to make it so only sites they allow can run

What do you mean, you can run whatever you want on localhost, and it's quite easy to host whatever you want for whoever you want too. Maybe the biggest modern added barrier to entry is that having TLS is strongly encouraged/even needed for some things, but this is an easily solved problem.