RE: Core dev meeting #78

in #core, last month

@gandalf, could you elaborate on the security withstanding or issue you experienced on our instance related to images? We have a setting on Ecency.com to change the image proxy from images.ecency.com to images.hive.blog; not saying other frontends should have the same setting, but I am curious about the attack or issues you experienced.


If I understand properly the context of what you are referring to, there's no issue with Ecency's image proxy itself. I was talking about restricting CSP to images.hive.blog so that all external content goes through (ideally) a single controlled proxy within one domain that serves UGC. Fewer allowed origins means a smaller attack surface if something goes wrong on any of them.
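As an added illustration of the single-proxy CSP idea above (example code written for this thread, not Ecency's or Hive's own code): a frontend rewrites every user-supplied image URL through one proxy origin, emits an `img-src` directive that allows only that origin plus the site itself, and can check any candidate URL against the policy before rendering. The proxy URL layout `/0x0/<original url>` and the page origin `https://ecency.com` are assumptions for the example.

```javascript
// Added example (not project code): one proxy origin for all UGC images, plus a
// matching Content-Security-Policy so the browser refuses anything that bypasses it.
const PROXY_ORIGIN = "https://images.hive.blog"; // the single allowed image origin
const PROXY_PATH_PREFIX = "/0x0/";               // assumed layout: /WxH/<original url>

// Rewrite an external image URL so it is fetched via the proxy. Returns null for
// anything that is not an http(s) URL (javascript:, data: and malformed input).
function proxyImageUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.origin === PROXY_ORIGIN) return url.href; // already proxied, leave as-is
  return PROXY_ORIGIN + PROXY_PATH_PREFIX + url.href;
}

// The policy a frontend would send: images only from itself and the proxy.
function buildCsp() {
  return [
    "default-src 'self'",
    `img-src 'self' ${PROXY_ORIGIN} data:`,
    "object-src 'none'",
  ].join("; ");
}

// Does one CSP source expression match the URL? Handles 'self', 'none',
// scheme sources (data:) and host sources with an optional *. wildcard.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "'none'") return false;
  if (source.endsWith(":")) return url.protocol === source.toLowerCase();
  let scheme = null;
  let host = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) { scheme = m[1].toLowerCase() + ":"; host = m[2]; }
  host = host.replace(/\/.*$/, ""); // path parts are not matched in this example
  if (scheme && url.protocol !== scheme) return false;
  if (host.startsWith("*.")) return url.host.endsWith(host.slice(1));
  return url.host === host;
}

// Would the browser load this image under the given CSP? img-src falls back to
// default-src when absent; with neither directive, images are unrestricted.
function isAllowedByImgSrc(csp, raw, pageOrigin) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  const directives = csp.split(";").map((d) => d.trim()).filter(Boolean);
  let sources = null;
  for (const name of ["img-src", "default-src"]) {
    const d = directives.find((x) => x.split(/\s+/)[0] === name);
    if (d) { sources = d.split(/\s+/).slice(1); break; }
  }
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample: an image hot-linked from an arbitrary host in a post.
const PAGE_ORIGIN = "https://ecency.com"; // assumed page origin
const hotlinked = "https://third-party.example/pic.png";
console.log(isAllowedByImgSrc(buildCsp(), hotlinked, PAGE_ORIGIN));                  // false
console.log(isAllowedByImgSrc(buildCsp(), proxyImageUrl(hotlinked), PAGE_ORIGIN));   // true
```

The two layers are deliberately redundant: the rewrite keeps rendering working, and the CSP guarantees that any image URL that slips past the rewrite (a missed code path, a clever markdown edge case) is simply not fetched, which is the "fewer allowed origins" argument in practice.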

I see, thanks for clarifying. Security is crucial for us and we take it seriously. If you notice any potential issues (XSS or otherwise), please let us know so we can address them promptly.

Since there are currently only two known image proxy instances, we’ve added an option for users to choose their preferred proxy. This is available on both ecency.com and the Ecency mobile app.