Do something about broken twitter feed
Closed, Invalid (Public)

Description

On the 503 error page (used by varnish) we embed a twitter timeline for https://twitter.com/MirahezeStatus. However, as of recently, embeds no longer work properly. Seeing as they are now forcing logins to view tweets, I don't find it likely that this would ever get fixed. We could wait and see if they ever fix it, or we could replace it with a feed from another platform (facebook, mastodon, threads).

Event Timeline

MacFan4000 triaged this task as Normal priority. Jul 11 2023, 19:04
MacFan4000 created this task.

Replacing it with Mastodon is the easiest route, since you already have that up and running. A quick search brings up https://sampsyo.github.io/emfed/. I could write a PR including emfed from the jsdelivr cdn if wanted.

This most likely will require an addition to the CSP which would require a security review. I also made a PR somewhat recently that switched it to facebook (official timeline widget) (CSP re-review needed).

If the problem is with CSP reviews, I'd argue emfed has a better shot than facebook.

  • jsdelivr can be used to retrieve the emfed program. cdn.jsdelivr.net is already on the CSP, so we can skip that. Paired with Subresource Integrity (like we already do for bootstrap on miraheze.org: https://github.com/miraheze/landing/pull/112, https://github.com/miraheze/landing/pull/111), it is pretty secure, in that we can make sure users will only run the emfed code.
    • On another note, emfed itself is really simple. Easily reviewed even by a single individual if you know JavaScript.
  • We can be more restrictive in terms of CSP permissions compared to facebook, because emfed uses the API to manually retrieve the posts of a user and render them, it doesn't use JS code from the mastodon instance. You would only need connect-src (API access), media-src (audio & video) and img-src (images) permission on mastodon.social (the mastodon instance mh's using), as opposed to facebook, where you would need JavaScript permissions as well.
  • facebook is, well, facebook.

Also, aren't CSP reviews like, not possible because Trust & Safety kinda doesn't exist anymore? I think a board member can act as a T&S member, if I remember correctly.
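
The two controls proposed in the comment above (an SRI-pinned script served from cdn.jsdelivr.net, plus connect-src/img-src/media-src limited to mastodon.social) can be modelled for a review as follows. This is an added example, not code from this thread or from emfed: the policy string, the `error.example` origin, the stand-in script body and the helper names are constructed, and the source matching is a deliberate simplification of real CSP.

```javascript
// Added example: models the SRI check and the CSP fetch checks discussed above.
const crypto = require("node:crypto");

// Subresource Integrity value for a script body, as placed in integrity="...".
function sriFor(body, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(body).digest("base64")}`;
}

// True only when the fetched body still hashes to the pinned integrity value.
function sriMatches(body, integrity) {
  const algo = integrity.split("-", 1)[0];
  return sriFor(body, algo) === integrity;
}

// Parse a CSP header value into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Simplified matching: 'self' and exact host sources only (no wildcards,
// paths, schemes, nonces or hashes), with fallback to default-src.
function cspAllows(policy, directive, url, selfOrigin) {
  const sources = policy[directive] ?? policy["default-src"];
  if (!sources) return true; // no applicable directive: CSP does not restrict
  const { origin, host } = new URL(url);
  return sources.some((s) =>
    s === "'self'" ? origin === selfOrigin : s === host || s === origin);
}

// Constructed policy using only the hosts and directives named in the thread.
const POLICY = parseCsp(
  "default-src 'self'; script-src 'self' cdn.jsdelivr.net; " +
  "connect-src mastodon.social; img-src mastodon.social; media-src mastodon.social");
const SELF = "https://error.example"; // placeholder origin for the 503 page

// Constructed stand-in for the library file; a real digest must be computed
// from the exact file version that is pinned in the script tag.
const SCRIPT_BODY = "export function loadToots() {}";
const PINNED = sriFor(SCRIPT_BODY);
```

Under this policy a script from mastodon.social is refused while API, image and media fetches to it are allowed, which is the asymmetry with an embedded third-party script widget that the comment points out.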

T&S exists now, and @Agent_Isai is likely the best person to approve what comes next.

From my POV, 𝕏 is a dying platform that doesn't represent our values, so we shouldn't bother with it. Facebook is not as bad but remains a privacy nightmare. Doing it with Mastodon fits with our open source mission, and emfed is public domain open source. I'd be happy to review the JS if that's what we want to use.

503s no longer display a Twitter feed. They instead link to a static help page on GitHub Pages which explains what may have happened and links to our social media and status page so technically this is invalid?