No Apple just don't even allow you to install a non Webkit browser from the app store on their phones.
Why waste time advertising on competitor's websites when you can just stop them from using competitors altogether (or at least require them to use you at the same time)
By default, under the same origin policy, a browser won't allow requests cross origin.
But there are valid situations where you want a request from 1 domain to be made to other domains. This is where CORS comes in.
CORS is a mechanism to loosen security, not increase it. It allows a server to say, these are the domains (outside my own domain) who can make requests. CORS headers should be set carefully so that you are only allowing the domains that should be allowed through.
> This stuff isn't relevant at all to the talk - he never talks about npm or anything to do with package managers but instead how node does imports etc.
He does have it in his slides.
Slide titled: "Regret: package.json", last 2 points:
> Ultimately I included NPM in the Node distribution, which much made it the defacto standard.
> It's unfortunate that there is a centralized (privately controlled even) repository for modules.
I'm a kiwi, who lived in the US from the age of 8 to 13 (1998 - 2003).
I remember getting into a massive argument with an Elementary school teacher who tried to tell me I was wrong when I told her that my country was not in fact part of the country of Australia (not just continent, but she was adamant it was part of the Australian country).
dep is still the officially recommended way to go for now. Russ Cox has mentioned in his blog posts on vgo that they will be working hard to ease the transition from dep to the built in versioning tools.
> Apparently making the dependency-manager's code simpler is a goal
That isn't the goal at all. The goal of Minimal Version Selection is to ensure that the version selected is closest to that which was tested by the app and its dependencies.
> worth removing developer's ability to be expressive and removing security updates.
And that isn't true either. It allows the developer of both the app and its dependencies to express the version they have tested against, and still allow the developer to receive security updates by explicitly increasing the version, allowing them to test that the update doesn't create problems while doing so.
It allows for version pinning without the need for a lock file.
This is done quite successfully in other countries around the world, like New Zealand where we mainly have one infrastructure provider (selected and monitored by the Government), who must offer fair and standard pricing to any ISP who wants to add value to the network.
As a result, we have many ISP options throughout the country and competition between providers is high.
> So React is damned for including a PATENTS license
A patent grant is a good thing, you want a patent grant as a user of OSS.
The problem people have with React's patent grant is the one sided terms of the patent grant (and the fear that Facebook could hold you hostage with those terms).
> Geez, wish they would just re-license under Apache 2.0.
This would be my preference.
IMO, for the React issue, even if the issue is a paper tiger (https://medium.com/@dwalsh.sdlr/react-facebook-and-the-revok...), this puts a massive hit on Facebook's OSS credibility. Even if the fear was irrational, many people are never going to understand that now and many people won't touch any Facebook OSS because of that fear.
Facebook would probably solve a lot of that credibility loss by just re-licensing under Apache 2.0.
The MIT license doesn't change anything in this case, because the MIT license doesn't have a patent grant.
This GraphQL situation is different and, arguably, somewhat worse than the ReactJS BSD+Patent license issue.
The problem here is the GraphQL specification doesn't have a patent grant (unlike ReactJS, which does, but people don't like the terms of the grant). And Facebook have filed a patent for GraphQL (https://www.google.com/patents/US9646028) that has some quite broad language.
Due to the patent, and the lack of a patent grant, most GraphQL users likely infringe on Facebook's patents.
All I'm saying is that security is a complicated topic. People already misunderstand things like CSRF, CORS, resource protection, etc. And they already get them wrong.
CORS is designed to loosen the security protections added by a same origin policy. It is not designed to increase security.
Piling on CSRF protections is just blurring the use case for CORS. All this is going to do is confuse people more, and more people are going to get it wrong.
Yes, but then you get people that fail to understand that CSRF only applies to a browser, and CORS only affects a user agent that implements a Same Origin Policy. And they fail to protect their resources otherwise.
They add CORS support to their server resources and get the false assumption that their resources can only ever be retrieved from a web page under their origin or an origin they have trusted (via CORS). They believe that this also protects them from malicious users making requests from outside of a browser (eg. via curl).
CORS is not security, it is loosening of security (namely SOP).
The number of times that I have had someone ask "why can someone access the endpoint via curl? I thought this was protected by CORS" makes me sad.
Although, you could argue that an attacker who is targeting self-driving cars could modify the sign in a way that is unnoticeable to humans, but greatly affects how the self-driving car interprets the sign.
Eg. look at the panda images at the start of the linked post. The third image looks like a panda to humans (and most humans probably wouldn't be able to see the difference between the first and third images), but it greatly affects the machine learning interpretation.
By modifying the sign in this way, if it is possible, it would be much harder to detect and enforce against than it would be if the attacker was targeting human drivers.
Why waste time advertising on competitor's websites when you can just stop them from using competitors altogether (or at least require them to use you at the same time)