HackerTrans
トップ新着トレンドコメント過去質問紹介求人

wesleyac

no profile record

投稿

Consider SQLite

blog.wesleyac.com
362 ポイント·投稿者 wesleyac·5 年前·267 コメント

Reasons to Avoid JavaScript CDNs

blog.wesleyac.com
2 ポイント·投稿者 wesleyac·5 年前·0 コメント

Show HN: Deeplinks.js – Simple deep links to selections of text on your website

github.com
76 ポイント·投稿者 wesleyac·5 年前·19 コメント

GetElementById vs. QuerySelector

blog.wesleyac.com
147 ポイント·投稿者 wesleyac·5 年前·94 コメント

Reviving Yo: How to Patch an APK

blog.wesleyac.com
3 ポイント·投稿者 wesleyac·6 年前·0 コメント

コメント

wesleyac
·5 年前·議論
Hey! I'm the person who made this — I don't believe there's an actual problem here, since login cookies are set on the top-level domain (and thus are inaccessible to content on subdomains), and are HTTPOnly as well.

I do notice that Stripe sets a tracking cookie (which only happens for people who pay for the service, since I don't load the Stripe JS elsewhere), so you could track pageviews with that or something. That's unfortunate — I'll probably try to move the stripe stuff to a subdomain to avoid it — but I don't see it as a big problem.

The HTTP security model is pretty awful, so there may be something I'm missing, but I did think quite carefully about this, and allowing people to use arbitrary HTML and JS was an intentional choice.

Is there a particular threat model you see here?
wesleyac
·9 年前·議論
Not mentioned in the post, but I worked with Dan on this and I'm pretty sure he's talking about the iPad pro.