HackerTrans
TopNewTrendsCommentsPastAskShowJobs

wesleyac

no profile record

Submissions

Consider SQLite

blog.wesleyac.com
362 points·by wesleyac·5년 전·267 comments

Reasons to Avoid JavaScript CDNs

blog.wesleyac.com
2 points·by wesleyac·5년 전·0 comments

Show HN: Deeplinks.js – Simple deep links to selections of text on your website

github.com
76 points·by wesleyac·5년 전·19 comments

GetElementById vs. QuerySelector

blog.wesleyac.com
147 points·by wesleyac·5년 전·94 comments

Reviving Yo: How to Patch an APK

blog.wesleyac.com
3 points·by wesleyac·6년 전·0 comments

comments

wesleyac
·5년 전·discuss
Hey! I'm the person who made this — I don't believe there's an actual problem here, since login cookies are set on the top-level domain (and thus are inaccessible to content on subdomains), and are HTTPOnly as well.

I do notice that Stripe sets a tracking cookie (which only happens for people who pay for the service, since I don't load the Stripe JS elsewhere), so you could track pageviews with that or something. That's unfortunate — I'll probably try to move the stripe stuff to a subdomain to avoid it — but I don't see it as a big problem.

The HTTP security model is pretty awful, so there may be something I'm missing, but I did think quite carefully about this, and allowing people to use arbitrary HTML and JS was an intentional choice.

Is there a particular threat model you see here?
wesleyac
·9년 전·discuss
Not mentioned in the post, but I worked with Dan on this and I'm pretty sure he's talking about the iPad pro.