@reinboar I'm not sure yet whether I will make this serve static files only, or also support CGI and maybe FastCGI. If it's static only, cookies aren't really a threat anyway (as far as I understand, happy to be corrected). If it supports dynamic content, absolutely, the server will not pass cookies or referers to the applications, and it will not permit the applications to send cookies or ETags (which can be used as a sneaky cookie substitute).
@reinboar The browser automatically sends them along in the headers with any request to the server, based on the domain. The server has no way to request them directly. But a static site has no way to set them in the first place, or to interpret any that somehow got sent along, so until CGI arrives they're a non-threat.
@reinboar My definition of "static website" is basically "a bunch of files served from the disk", so there's no way for a static website to process a POST request. That fundamentally requires CGI, FastCGI, or some newfangled work-alike.
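The two server-side rules described in the posts above (never forward cookie or referer data to a CGI program, never let a CGI program emit Set-Cookie or ETag) are small enough to show in working code. The following is an added illustration, not code from the server being discussed; the CGI environment and the raw CGI output are constructed sample values, and the variable and header names follow the CGI convention of exposing request headers as `HTTP_*` environment variables.

```python
import re

# Request headers the server refuses to forward. CGI hands request headers
# to the program as HTTP_* environment variables, so dropping the variables
# is all that is needed on the request side.
BLOCKED_REQUEST_VARS = {"HTTP_COOKIE", "HTTP_REFERER"}

# Response headers a CGI program is not allowed to emit. Set-Cookie is the
# obvious one; ETag is blocked because a per-visitor validator echoed back
# in If-None-Match works as a cookie substitute.
BLOCKED_RESPONSE_HEADERS = {"set-cookie", "set-cookie2", "etag"}

# CGI output is a header block, a blank line, then the body; line endings
# may be CRLF or bare LF.
_HEADER_BODY_SPLIT = re.compile(rb"\r?\n\r?\n")


def scrub_cgi_environment(env):
    """Return a copy of a CGI environment with the blocked variables removed."""
    return {k: v for k, v in env.items() if k.upper() not in BLOCKED_REQUEST_VARS}


def parse_cgi_output(raw):
    """Split raw CGI program output into ([(name, value), ...], body_bytes)."""
    parts = _HEADER_BODY_SPLIT.split(raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else b""
    headers = []
    for line in head.decode("latin-1").splitlines():
        if ":" not in line:
            continue  # malformed header line, ignored here
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers, body


def filter_response_headers(headers):
    """Partition headers into (kept, dropped) according to the block list."""
    kept, dropped = [], []
    for name, value in headers:
        target = dropped if name.lower() in BLOCKED_RESPONSE_HEADERS else kept
        target.append((name, value))
    return kept, dropped


def relay_cgi_response(raw):
    """What the server would actually send on: filtered headers plus body."""
    headers, body = parse_cgi_output(raw)
    kept, _dropped = filter_response_headers(headers)
    return kept, body


# Constructed sample input: an environment as the server would build it
# from a browser request, and the output of a CGI program that tries to
# set a cookie and an ETag.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/hello",
    "HTTP_USER_AGENT": "ExampleBrowser/1.0",
    "HTTP_COOKIE": "session=abc123",
    "HTTP_REFERER": "https://elsewhere.example/page",
}

SAMPLE_CGI_OUTPUT = (
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"ETag: \"per-visitor-value\"\r\n"
    b"\r\n"
    b"<p>hello</p>"
)

if __name__ == "__main__":
    print("env passed to CGI:", scrub_cgi_environment(SAMPLE_ENV))
    headers, _ = parse_cgi_output(SAMPLE_CGI_OUTPUT)
    kept, dropped = filter_response_headers(headers)
    print("kept:", kept)
    print("dropped:", dropped)
```

Stripping at the environment level also covers any scripting language a CGI program is written in, since the program never sees the variables at all; the response-side filter has to run on every response because a program can always try to emit the headers.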
@solderpunk ooooo, pretty cruel HTML source requirements 😋
@pkotrcka Probably the list will grow! None of this HTML5 local storage nonsense, for example. Not sure yet if it will be easier to have a list of evil things to ban or to just whitelist the harmless ones.
@solderpunk can you scrub embedded images or media if not loaded locally?
@solderpunk I.E. Eliminate tracking people by embedding images from other servers.
@trashHeap That's a good idea, thanks. I wonder if I should impose a blanket local-only policy, so it would also cover e.g. fonts, stylesheets, etc. This is good practice not just for privacy but for reliability. Your website shouldn't break because a third party's server went down.
@solderpunk I'd recommend doing it for all external resources. Google tracking people via externally loading their fonts is already a thing I think.
It is like forums, except I use it as a public web note api, and it acts a lot like a mailing list. And everything is CC0, except I am literally the laziest sysop on the planet, and haven't written this up yet (https://talkgroup.xyz/t/meta-quest-create-the-community-terms/1231?u=maiki). T_T
@solderpunk I have to say I've been so client focused on these problems, it's interesting to contemplate server side solutions.
@trashHeap I've been reading up on CGI and it seems like it would not take too much effort, so maybe I'll do it (with the option to disable it, of course). I will eventually spin up a cheap VPS that runs this server, and give anybody with shell access at the Zaibatsu or Republic the option to host a site there so we can shake out bugs and see how well the idea really works in practice. You'd be welcome to experiment with scheme CGI there!
@solderpunk I had a feeling this would loop back to a Zaibatsu service; I'd not only use it there but I could see it replacing bozohttpd as my preferred lightweight webserver.
@trashHeap I never used bozohttpd, but I remember being disappointed when NetBSD started bundling it as part of the base system, because I loved NetBSD for its clean and minimal base system. But I'm sure it's a great server, and in general I really love and have a wonderful nostalgic fondness for the old simple webservers, especially the ones from ACME labs.