nostr:npub1wahdrf28uf5n5tykfeyzf43sdgg65djvm8re3ulpentr3teaxujs09xc8t nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 Looks like there was a bit of social engineering involved. My first guess was, since poast runs Soapbox as default frontend and serves Pleroma-FE separately, the subdomain FE is on (pl.poa.st) might not have applied CSP rules, essentially giving all control over the local storage to the opened HTML with embedded JS. But that falls flat in his setup, since media is hosted on a separate domain (poastcdn.org), which should have those rules applied regardless.
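As an added illustration of the reasoning in the note above (example code, not from the post or from Poast, Pleroma or Soapbox), a small Python check that decides whether an uploaded HTML file served by a media host could run script in the frontend's origin and so reach its localStorage. The frontend URL, media URL and response headers are constructed samples; the two conditions it encodes are the ones the note relies on: same origin as the frontend, and no CSP that blocks script execution.

```python
"""Could an uploaded HTML file reach the frontend's localStorage?

Added example, not project code. Mirrors the two conditions in the note:
  1. the media is served from the SAME ORIGIN as the frontend (localStorage
     is partitioned per origin, so a separate media domain is safe here), and
  2. no Content-Security-Policy on the media response blocks script execution.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def same_origin(url_a: str, url_b: str) -> bool:
    """Compare scheme, host and effective port (the web origin tuple)."""
    def origin(url: str):
        u = urlsplit(url)
        return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))
    return origin(url_a) == origin(url_b)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'dir val val; dir val' into {directive: [values]} (lower-cased)."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def scripts_blocked(policy: dict[str, list[str]]) -> bool:
    """True if the policy forbids script execution in the served document."""
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True  # sandboxed document with scripts disabled
    src = policy.get("script-src", policy.get("default-src"))
    return src == ["'none'"]


def upload_can_reach_storage(frontend_url: str, media_url: str,
                             headers: dict[str, str]) -> bool:
    """True if HTML at media_url could run script in the frontend's origin."""
    if not same_origin(frontend_url, media_url):
        return False  # separate origin: separate localStorage, as in the note
    disposition = headers.get("Content-Disposition", "").lower()
    if disposition.startswith("attachment"):
        return False  # offered as a download, never rendered as a page
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        return True  # same origin and no CSP: embedded JS runs unrestricted
    return not scripts_blocked(parse_csp(csp))


if __name__ == "__main__":  # constructed sample, same-origin media, no CSP
    print(upload_can_reach_storage("https://fe.example.test/",
                                   "https://fe.example.test/media/x.html", {}))
```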
