Michael Telatynski
@janonym1 make sure you're deploying the file to the right origin and with the right ACAO headers as per the Matrix spec: https://spec.matrix.org/v1.13/client-server-api/#web-browser-clients https://spec.matrix.org/v1.13/client-server-api/#well-known-uri
That's up to your browser and its configuration, some are stricter than others.
> Timeline -> Date jump options (need to enable "jump to date" in the lab): Last week, no corresponding key Last month, no corresponding key This is intentional, all time...
@ara4n unfortunately the server does not give us enough information in `invite_state` to do as you ask. 1. We don't know it's a DM 2. We don't know any other...
@vector-im/product this could potentially be abused where someone sends you a link including a serverName they control and if you don't notice the server isn't one you expect then your...
@vector-im/security how do you feel about being able to specify homeserver URL in the Element URL in the context of phishing and other such attacks?
> Anyhow, I imagine you can see the homeserver name when you try to login or register and, as a phishing vector, it is not that different from using other...
I think the only way this can work safely is if any url-suggested homeserver comes with a chunky warning interstitial.
I guess this problem gets easier with OIDC, as your password manager will be keyed to the server's auth domain rather than the client domain. > this QoL improvement starts...
> How exactly does this differ to registers the actual metrix.org and impersonating the website itself? Or any other website, for that matter? Your password manager is smart enough to...