Discord Attachments and Privacy

Attachment privacy Attachment links Discord attachments use no access control list (ACL). Anyone with the URL to the attachment can download the attachment without any authentication. This is by design not secure, as it is a typical security through obscurity approach. We will see why that is the case in a second. First let us see how the attachment URL is generated. For example, here I have an attachment picture uploaded by someone in NYC mech keyboard group.

Cross-IPFS-site scripting

IPFS vs same-origin policy

Introduction These days, browsers are pretty secure, and some are even privacy conscious (Firefox, Brave) that block third party trackers by default. But today’s browsers are ultimately designed for HTTP, not IPFS. And they have a different threat model in mind. All the sites on IPFS are served from the same origin as the gateway, which has some interesting implications for privacy and security. How IPFS gateway works IPFS gateway is a web server that connects to some IPFS node daemon.