Hacker News: carlbordum's comments

I made an HTTP tunneling service based on WireGuard that doesn't require any custom software on the clients: https://tunnel.pyjam.as/.


I haven't used kali.net, but it sounds like https://tailscale.com/ might be for you :)


Shameless plug: I built Cactus Comments (https://cactus.chat/).

It's an open-source comment system federated on the Matrix (https://matrix.org/) network. This means you can use your Matrix identity to comment on any site that uses Cactus, without the tracking of something like Disqus. Works well with static site generators too.


That's not particularly useful without a reputation system.

In particular, any federated identity provider has a problem for this use case in that malicious actors can simply create their own domain - or multiple - and spam/troll from those. Blacklists essentially don't work as long as new domains can be created, so you end up with a whitelist, which kinda counteracts the federation concept.

It needs something where getting blemishes on your ID is actually something you want to avoid. And where fresh IDs are not effective to bypass this.


My blog using Cactus Comments for reference: https://karmanyaah.malhotra.cc/

There aren't too many useful or any toxic comments, but I attribute that more to the lack of readership and interest than anything else.


I thought this was such a good read that I created an online version of the 1913 dictionary.

It's available at https://webster.bordum.dk/ if anyone is interested.


Teamspeak 5 may be a Matrix client: https://news.ycombinator.com/item?id=25743874


In my opinion, XSS is not a security issue autofill should deal with at all.

The real issue is if attackers can trick the autofill to fill in a password for a different site. I did a pentest for a password manager a few years ago, and if I remember correctly this type of exploit had been successful against multiple of the big password managers.


Hi, I am one of the authors of Cactus Comments.

Making Cactus Comments work without javascript would require a backend server. Right now, the frontend is actually just a special-purpose Matrix client that interacts directly with Matrix homeservers.


Hello, thanks for taking the time to reply. Isn't the matrix.org homeserver already a backend HTTP server? I'm unfamiliar with the Matrix protocol, but isn't there a way to POST to the homeserver directly so that it can authenticate and confirm with the user they intend to post this message?


You don't, you have to trust it just like any other Matrix client. Hopefully there will be OAuth or something similar in the Matrix spec in the future, so you can use less trusted clients. If you want to comment with your user, but don't trust the client, you can use any Matrix client with Cactus Comments by clicking "Use a Matrix client" :-)


Shameless plug: My friend and I are building a federated commenting system on top of Matrix if anyone is interested. You control the data, your users choose where they want to be signed up, and the system will not disappear overnight because a company decides to discontinue it. And of course there are no trackers/pixels.

This is a hobby project that we're launching in three weeks. If you are interested, come talk to us on Matrix (https://matrix.to/#/#cactus:bordum.dk) or keep an eye on our (for now dummy-) landing page: https://cactus.chat/, https://gitlab.com/cactus-comments


When I click the cactus.chat link I get an "Ethereum Phishing Detection" message.

> This domain is currently on the MetaMask domain warning list. This means that based on information available to us, MetaMask believes this domain could currently compromise your security and, as an added safety feature, MetaMask has restricted access to the site. To override this, please read the rest of this warning for instructions on how to continue at your own risk.


Can you comment on implementation / challenges of using Matrix for this?

I've been working on a dumb git-like and been needing to add syncing. Being a git-like it could just centralize via SSH, but I had also debated a P2P platform like Matrix or IPFS.

Your use case of UI-embedded Matrix interaction is especially interesting to me, because some of the UIs I plan for on this git-like are WASM-based, offline-enabled PWAs.

Thanks for your work here, super interesting!


Even easier would be using Webmentions.

If someone wants to comment on your blog, they can write their own blog post on their blog and send a webmention. That can get linked at the bottom of your blog post with a text snippet summary.

There's no "API" beyond "curl -i -d source=URL -d target=URL WEBMENTION_ENDPOINT" in the traditional sense. Using microformats markup for better extraction is optional.

The result is a federated system of comments owned and controlled by nobody except the original author. No need to use someone's Matrix server or spin up your own. It also imposes a bit of a barrier to entry (must have your own (micro)blog), but if you don't want any random person to leave a comment that can be a feature.

Services like brid.gy turn Fediverse and Twitter comments into Webmentions as well; I've thought about using it for Fediverse comments in the past, but I don't want to host a new program or rely on a third-party service.


I think using Matrix for this is absolutely the right way to go. Does cactus conform to the threading specification? I was planning on eventually trying this myself, but felt like I should wait until the threading MSC stabilized.


Aforementioned friend and Cactus Comments dev here.

We don't support any sort of threading yet, although Cerulean-style threading is definitely somewhere down the road. Although stuff like redactions and emoji reactions are a higher priority right now.

We're also keeping our eyes out for the upcoming spaces stuff. That might be useful for grouping comment sections.


That's pretty interesting. I will check it out. Thanks for sharing. :D


Hey, I remember your post on the Level1Techs forum about this. Best of luck!


Hey, thanks! It's a small web I guess.


Why not ActivityPub?


In Python `=` is not just a binary operator. Python is evaluated left-to-right (but not on assignment).

