HackerTrans
TopNewTrendsCommentsPastAskShowJobs

wesleyac

no profile record

Submissions

Consider SQLite

blog.wesleyac.com
362 points·by wesleyac·5 tahun yang lalu·267 comments

Reasons to Avoid JavaScript CDNs

blog.wesleyac.com
2 points·by wesleyac·5 tahun yang lalu·0 comments

Show HN: Deeplinks.js – Simple deep links to selections of text on your website

github.com
76 points·by wesleyac·5 tahun yang lalu·19 comments

GetElementById vs. QuerySelector

blog.wesleyac.com
147 points·by wesleyac·5 tahun yang lalu·94 comments

Reviving Yo: How to Patch an APK

blog.wesleyac.com
3 points·by wesleyac·6 tahun yang lalu·0 comments

comments

wesleyac
·5 tahun yang lalu·discuss
Hey! I'm the person who made this — I don't believe there's an actual problem here, since login cookies are set on the top-level domain (and thus are inaccessible to content on subdomains), and are HTTPOnly as well.

I do notice that Stripe sets a tracking cookie (which only happens for people who pay for the service, since I don't load the Stripe JS elsewhere), so you could track pageviews with that or something. That's unfortunate — I'll probably try to move the stripe stuff to a subdomain to avoid it — but I don't see it as a big problem.

The HTTP security model is pretty awful, so there may be something I'm missing, but I did think quite carefully about this, and allowing people to use arbitrary HTML and JS was an intentional choice.

Is there a particular threat model you see here?
wesleyac
·9 tahun yang lalu·discuss
Not mentioned in the post, but I worked with Dan on this and I'm pretty sure he's talking about the iPad pro.