StopTheMadness and Mastodon compatibility

November 13, 2022
By Jeff Johnson of Underpass App Company

Mastodon has been growing rapidly as Twitter refugees look for an alternative. I have a couple of Mastodon compatibility notes for users of my web browser extension StopTheMadness.

First, the website option "Stop link trackers" can cause some Mastodon links to unexpectedly open in a new tab. This is due to the decentralized design of Mastodon. If you login to Twitter, a centralized service, you remain logged in when you visit the profile page of any Twitter user. However, if you login to a Mastodon instance, and you visit the profile page of a Mastodon user on another instance, you're no longer logged in, because each Mastodon instance has a separate login.

For example, mastodon.online is administered by the founder of Mastodon, whose profile is on mastodon.social. If you show the link to the administrator's profile in the web inspector, it looks like this:

<a target="_blank"
href="https://mastodon.social/@Gargron"
title="Gargron@mastodon.social"
to="/@Gargron@mastodon.social"
class="permalink account__display-name">

The target="_blank" attribute indicates that the link should open in a new tab. According to the documentation, this means the link opens in a new security context:

Note: Setting target="_blank" on <a> elements implicitly provides the same rel behavior as setting rel="noopener" which does not set window.opener.

If you show the status bar in Safari and hover over the link, it says Open "https://mastodon.social/@Gargron" in a new tab. So why doesn't it open in a new tab when Stop link trackers is disabled in StopTheMadness? The reason is that Mastodon actually hijacks the link click! This allows you to more easily follow users on other Mastodon instances.

In this case hijacking the click may be "good", but in most cases hijacking a click is "bad", which is why it's stopped by the Stop link trackers website option of StopTheMadness. Clickjacking is often used for tracking clicks, or otherwise nefariously sending you somewhere that you didn't intend to go. By default, when StopTheMadness sees a cross-origin link (mastodon.social vs. mastodon.online) with a target="_blank" attribute, it stops the click from getting hijacked, to protect your privacy and security.

The mystery is why Mastodon false advertises the link as opening in a new tab. I don't have an answer for that, but I do have a workaround if you're a Mastodon user: add new website options for your Mastodon instance and disable Stop link trackers. I've added this to the list of known website compatibility issues on the StopTheMadness support pages. I would add special code in StopTheMadness to handle Mastodon but… given the decentralization of Mastodon, each instance has a different URL domain, not all of which have "mastodon" in the name, and there appears to be no other unique identifier for a Mastodon site, so StopTheMadness has no reliable way to tell which pages are Mastodon.

The second compatibility note is about the custom <style> element feature of StopTheMadness. If you recall, this is the feature we've used to substitute web fonts! The bad news is that Mastodon has an extremely (overly) restrictive Content Security Policy that prevents the addition of inline <style> elements to the page, so the StopTheMadness feature doesn't currently work on Mastodon. The good news is that an App Store update this week (Apple willing) will fix the problem! So stay tuned! (In other words, follow the RSS feed.)

One more thing.™ The best news is that this week's StopTheMadness update also adds a new easy to use font substitution feature! No more writing your own custom CSS, just enter a font name and its replacement. I've been working diligently on this feature recently, and its release is imminent.

Addendum

Ok, two more things. Some readers may wonder whether I'm on Mastodon myself, and the answer is no. I did try Mastodon, but I deleted my account after one day, because I found the decentralization too inconvenient. I was trying to reassemble my Twitter network on Mastodon, but following everyone was becoming painful, for the reasons I described above. On Twitter, someone will post a link to their Mastodon profile, and when you click it, you end up on their Mastodon instance, not necessarily your own instance. If you're on different instances, then you can't just click the follow button like you can on Twitter. When I tried to follow people, Mastodon showed a popup that instructed me to copy the username, go back to my own Mastodon instance, and paste it into the search field. Seriously! Imagine having to do that hundreds of times. Ridiculous.

When you join Mastodon, they claim it doesn't matter which server you use, but this turned out to be false. I made the mistake of signing up for a smaller instance rather than the largest instance mastodon.social, which meant that the majority of accounts I wanted to follow were not on my instance, making it even harder to follow who I wanted. The onboarding experience of Mastodon — how do I even choose a server? [insert two buttons meme] — is going to significantly limit its user base. Maybe a limited user base is ok with current users, but I've chosen not to be one of them. I'll just write on my self-hosted websites, like always.