1. save this image.
September 25, 2020 1:22 PM   Subscribe

"This is a web page that you just opened from an image file. Weird, huh? The image you loaded is a png image file, but it's a special kind of png. It's a powfile. POW stands for Packaged Offline/online Webpage. It turns out the png format includes ways to save metadata alongside the image file. A powfile has a metadata entry that contains a zip file that contains a full website. You're viewing this now in the Pow Player, which uses some handy modern browser features to treat this single file like a real website, with links, regular forward/back browsing, javascript, resource loading, etc. Ok, sure. But why?" posted by not_the_water (41 comments total) 17 users marked this as a favorite
 


The inability to load the "but why" link does kind of encapsulate my first thoughts about this.
posted by sagc at 1:25 PM on September 25, 2020 [30 favorites]


I am not tech savvy enough to know: is this a huge virus vulnerability?
posted by PhineasGage at 1:28 PM on September 25, 2020 [5 favorites]


That seems like it could be kind of dangerous. Could you put malicious code into one of these pages?
posted by Artifice_Eternity at 1:28 PM on September 25, 2020


The inability to load the "but why" link does kind of encapsulate my first thoughts about this.

That might be a joke, but I'm not sure.
posted by Artifice_Eternity at 1:29 PM on September 25, 2020 [3 favorites]


That might be a joke, but I'm not sure

it's funny either way
posted by Dr. Twist at 1:33 PM on September 25, 2020 [5 favorites]


Related: The internet of protest is being built on single-page websites

It'll be sad when carrd is swamped to death by porn.
posted by GuyZero at 1:39 PM on September 25, 2020


That seems like it could be kind of dangerous. Could you put malicious code into one of these pages?
In its current form it's exactly as dangerous as a web page. Because it runs in your browser, whichever browser that is, which is heavily sandboxed and hardened by virtue of having been a high value target for decades.

If they tried to offer me a standalone reader I'd probably say hell no.
posted by Horkus at 1:40 PM on September 25, 2020 [1 favorite]


1. save this image

2. go to powplayer.com and load that image.


LOL no. While this is probably harmless I'm not generally in the habit of just following random instructions on some website somewhere. You shouldn't either.
posted by axiom at 1:46 PM on September 25, 2020 [16 favorites]


MetaFilter: might be a joke, but I'm not sure.
posted by chavenet at 1:46 PM on September 25, 2020 [18 favorites]


I for one am refusing to follow the random instructions axiom just posted on some website somewhere
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 1:47 PM on September 25, 2020 [9 favorites]


Also, I presume you could do this with any file format that allows for arbitrary metadata, subject to length limits - just write a program that strips all the binary data out of an mp3, and treats the ID3 tags as HTML or whatever.
posted by sagc at 2:05 PM on September 25, 2020 [1 favorite]


> I am not tech savvy enough to know: is this a huge virus vulnerability?

> In its current form it's exactly as dangerous as a web page.

Unlike the conventional components of a web page, this seems to have an excellent way to smuggle undesirable things past content filters.
posted by at by at 2:12 PM on September 25, 2020 [4 favorites]


And one final thing, tying into the article about Carrd/single-serving websites - In one of the recent Qanon threads, Carrd came up in a linked article as just as useful for right-wing propaganda.
posted by sagc at 2:13 PM on September 25, 2020 [2 favorites]


I can't load the "why" page, but delivery of online content in a monolithic form is a natural extension for advertising companies like Google and Facebook, and one they have been working on for a while now. I remember going to a Facebook recruiting event a few years back and some similar technology was presented under the guise of making delivering web content more "efficient". The guise of efficiency lets them extend their control of what content you see (and can filter with ad blockers or other plugins of your choosing, say) beyond the control they already have over web browser and social media markets. One packaged stream of data that they control end to end is going to be more profitable than one they have to share with third-parties (including the audience).
posted by They sucked his brains out! at 2:21 PM on September 25, 2020 [2 favorites]


The "but why" link only works once you follow the instructions, because the why.html page is inside the PNG as well.
posted by a car full of lions at 2:32 PM on September 25, 2020 [4 favorites]


Well, that definitely breaks 90% of how I understand URLs ought to work.
posted by sagc at 2:34 PM on September 25, 2020 [7 favorites]


The "but why" link only works once you follow the instructions, because the why.html page is inside the PNG as well.

That seems like useful information to add to the post text.
posted by They sucked his brains out! at 2:40 PM on September 25, 2020 [4 favorites]


And, now that I've loaded the 'Why' page, I'm not closer to understanding why. If I'm just sending a page to a friend, why not just a .zip file with the directory structure in it? Why not a .mhtml file? Why not a Powerpoint presentation?

If I don't want to run a server, why am I not using one of many free web hosts? Where am I going to host my massively oversized PNG?

What on earth does "Maybe you like actually having stuff you want to view, use, or listen to." mean? I should... enjoy looking at whatever the PNG carrier happens to be? That this is actually a *good* way to download website?

This seems like someone over-excited about discovering poorly-executed digital steganography and the ability to manipulate the history stack in the browser.
posted by sagc at 2:48 PM on September 25, 2020 [3 favorites]


I see the value in this, but not for the general public. It is like Docker for scam sites.
posted by grumpybear69 at 2:59 PM on September 25, 2020 [8 favorites]


I downloaded the image and opened it up in Vim. Here are the "Why?" contents:

----

Why?

Well, sometimes you don't want an actual website on the internet.

Maybe you just want to share something with your friends.

Maybe you don't want to figure out how to run a server.

Maybe you don't want to pay for a webhost.

Maybe you aren't that excited about some server running all the time just
in case somebody wants to look at your website.

Maybe you want the web to work even when you don't have internet access.

Maybe you like actually having stuff you want to view, use, or listen to.

Maybe you wish websites had cover art.

Ok, sure, maybe. So can I make my own

posted by grumpybear69 at 3:11 PM on September 25, 2020 [2 favorites]


we are buried under infinite layers of useless complexity already. let's add more.
posted by roue at 3:26 PM on September 25, 2020 [10 favorites]


The PICO-8 fantasy console encodes cartridge save data as PNGs that look like cassette tapes.
posted by RobotVoodooPower at 3:47 PM on September 25, 2020 [11 favorites]


>In its current form it's exactly as dangerous as a web page.

Which is to say, potentially dangerous, so tread carefully and if you don't know where you're gonna end up, think twice.
posted by Sing Or Swim at 3:50 PM on September 25, 2020 [1 favorite]


zero docs in the creation tools, so you can't really make your own. Author is too pleased with their own cleverness.

Can't wait to read Webshit Weekly's meta-commentary when and if this hits HN.
posted by scruss at 3:55 PM on September 25, 2020 [7 favorites]


Related, see the International Journal of PoC||GTFO also on (GitHub), where the issues offer tidbits like:

Issue 7: "Technical Note: This issue is a polyglot that can be meaningfully interpreted as a ZIP, a PDF, a BPG, or HTML featuring a BPG decoder."

Issue 14: "This file, pocorgtfo14.pdf, is a polyglot valid as a Nintendo Entertainment System (NES) ROM cartridge, a PDF document, and a ZIP archive. We collided 9,824 MD5 block pairs to place the hash of this document on its front cover and the title screen of the NES game, but only 609 of them made it to the final release."

... because PDF.
posted by sysinfo at 4:19 PM on September 25, 2020 [5 favorites]


This ties into the recent post on Visual Studio Code. In the article that post links to, the author points out that "some extensions start to look like apps in and of themselves" and links to a Draw.io extension that creates a .png or .svg file with an editable Draw.io diagram embedded in it.

There was a Mac word processor called PageHand / PageSmith which used .pdf (normally read-only!) as its editable format by saving an editable copy of the document within the pdf as metadata. There are ways to do this with other formats as well.

I mean, you don't have to encode it in the image data, or hide it in the pixels. The format itself allows you to add items most people don't necessarily see.
posted by jabah at 4:47 PM on September 25, 2020 [1 favorite]


we are buried under infinite layers of useless complexity already. let's add more.

It’s called “computer science.”
posted by atoxyl at 5:57 PM on September 25, 2020 [4 favorites]


And one final thing, tying into the article about Carrd/single-serving websites - In one of the recent Qanon threads, Carrd came up in a linked article as just as useful for right-wing propaganda.

Those damned websites, with their ability to display text...
posted by atoxyl at 6:05 PM on September 25, 2020 [5 favorites]


In its current form it's exactly as dangerous as a web page. Because it runs in your browser, whichever browser that is, which is heavily sandboxed and hardened by virtue of having been a high value target for decades.

A file that has been saved to your local filesystem, and is then opened by your browser, is treated quite a bit differently than the exact same file delivered to your browser by http(s).

So no, it is not as dangerous as a web page. As an image loaded into your browser from your local filesystem, it is as dangerous as any other file opened by your browser directly from your local filesystem.

That's a different sandbox.

The file is potentially evaluated as a "trusted local file opened intentionally". A browser opening a trusted image file that contains unexpected additional data is a well-trod vector for the dreaded "unexpected, potentially malicious behavior." Anyone who has mitigated or instigated an attack that relied on a user opening a PDF directly from their downloads folder is probably looking at this with great horror or delight. Possibly both.
posted by toxic at 6:35 PM on September 25, 2020 [7 favorites]


While we're laughing at this, Powly or "Pow meets LinkedIn and Uber" just got $245 million in VC funding.
posted by geoff. at 10:05 PM on September 25, 2020


This is pretty much old tech. PNG is inspired by Interchange File Format. Putting multiple chunks in one file where different subsets of chunks can be handled by different applications each to their own ability is old hat. I'm surprised people are surprised.
posted by zengargoyle at 12:10 AM on September 26, 2020


I haven't completely wrapped my head around service workers but there's definitely a service worker involved.
posted by bendy at 12:42 AM on September 26, 2020


I'm completely not surprised. When I first started playing with SVG animations, I discovered this animated clock on Wikipedia, no less. Click the "Original file" link to see the animation starting at midnight.

You can download this original svg and edit it in a text editor as per the embedded instructions. Uncomment some javascript in it and add the onload-attribute to the svg tag. If you "view" this "image" in Chrome, you'll be able to see javascript executed - it sets the correct clock time.

I'm just happy to report that this seems not to work when loaded from a website instead of your local file system, otherwise I'd have made an avatar "svg" for some forums with an embedded fully interactive game.

Later, I learned that you can inline svg in websites, but also websites in svg. If you create a website with an inline svg that inlines a link, clicking that link works.
posted by flamewise at 1:55 AM on September 26, 2020


> Well, that definitely breaks 90% of how I understand URLs ought to work.

Yeah can someone explain that?
posted by STFUDonnie at 4:09 AM on September 26, 2020


I can't explain it, but I can say Google is in the midst of weaponizing breaking the URL with intent to break adblockers like Pi-Hole by doing something very similar to this: bundling all information about a website in a closed box, a blob URL. Meaning you can't actually see and block individual trackers. You either open the whole blob or you open nothing.

This is super cool and neat to see such a simple implementation but god damn it fuck Google and their take-over-the-way-the-web-works bullshit.
posted by deadaluspark at 7:19 AM on September 26, 2020


Google Chrome also has a "bandwidth saving" feature that can reencode images to save space. So not only can they package you a binary blob website that destroys adblockers, they will also destroy any of these home-made embedded "pow" sites on the page in the process. Neat!
posted by sixohsix at 7:54 AM on September 26, 2020


deadaluspark, are you referring to wpack/Web Bundles, or something else?

Web Bundles include an index and are randomly accessible (you can download just the bits you want) and are all kinds of neat. Combined with SXG I think they will actually open up some really interesting options for adhoc sharing of cryptographically signed web pages. Google wants a standardized alternative to amp pages that isn't awful; Web Bundles + SXG will allow them to send you verbatim copies of cached HTTPS web pages that preserve your browser 's ability to verify their original source, and that Google hasn't modified them. That being said, there are a variety of other use cases this will enable—personally, I'm hoping the proposed standards are accepted and that epub v4 will use Web Bundles instead of (shudder) zip files.

I wouldn't be surprised if Google is simultaneously working on something like you describe, or if Chrome's implementation of Web Bundles ends up being designed to inhibit ad blockers. If the former, do you happen to have a reference to (or a name for) the project?

Also, on reread, what do you mean by ‘blob url’ in this context? I'm only familiar with blob urls as a thing generated by JavaScript, not something that can be used to distribute content over a network.


p.s. I'm totally on board with the Google hate/distrust, but they do create some legitimately cool stuff and in the case of Web Bundles they are doing so totally in the open and in coordination with the IETF.

posted by thedward at 8:29 AM on September 26, 2020 [2 favorites]


from The internet of protest is being built on single-page websites:
They are so widespread that Carrds of Carrds have popped up—pages that linked to a ton of other Carrds, a sort of search engine.
Objection: This is not a search engine. This is a webring. Thank you.

okay fine it's a directory but webring is funnier
posted by vibratory manner of working at 12:56 PM on September 26, 2020 [3 favorites]


Yeah can someone explain that?

It works by adding an event listener to 'fetch' events which constructs synthetic http responses out of data that it's parsed from the PNG, rather than going out to the internet as the browser usually would. None of this works without javascript, natch.
posted by whir at 8:03 AM on September 28, 2020 [1 favorite]


Google is in the midst of weaponizing breaking the URL with intent to break adblockers like Pi-Hole by doing something very similar to this: bundling all information about a website in a closed box, a blob URL

I mean, I don't disagree with the general sentiment that Google is trying to capture various web standards through things like AMP, but in terms of URLs, the great majority of modern web sites these days use client-side routing for most of the user's interactions with the site via the Html5 History API and similar methods, and HTTP traffic between the browser and the server is from javascript-initiated http requests that hit APIs rather than having the user's browser request a new HTTP page from the server and refreshing the entire page. So it's somewhat common to be looking at a URL in your browser that would not render a sensible page, or the same page, if you copied and pasted it into a new window.
posted by whir at 8:17 AM on September 28, 2020


« Older Addicted to Losing   |   "a fascinating and uncelebrated ancient people the... Newer »


This thread has been archived and is closed to new comments