FullStory namespace conflict. Please set window["_fs_namespace"].
script.pageview-props.tagged-events.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
edge.fullstory.com/s/fs.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
ghostty:1 Access to XMLHttpRequest at 'https://d3hb14vkzrxvla.cloudfront.net/v1/e3d6bbe1-aa48-43cb-...' from origin 'https://hcb.hackclub.com' has been blocked by CORS policy: Request header field beacon-device-instance-id is not allowed by Access-Control-Allow-Headers in preflight response.
installHook.js:1 Unable to Load Beacon
overrideMethod @ installHook.js:1
installHook.js:1 $
overrideMethod @ installHook.js:1
d3hb14vkzrxvla.cloudfront.net/v1/e3d6bbe1-aa48-43cb-8f8b-be1e33945bab:1 Failed to load resource: net::ERR_FAILED
[Violation] Potential permissions policy violation: payment is not allowed in this document.
rs.fullstory.com/rec/page:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
29[Intervention] Unable to preventDefault inside passive event listener due to target being treated as passive. See <URL>
Sorry about that! I've just pushed a fix for one of those errors. Although I wasn't able to reproduce this donation behavior on Chrome, I will continue investigating.
I appreciate you reporting this!
I get that you want to be "open", but is everyone involved in these transactions ok with them being shared? Even if they are, this doesn't seem like a good idea security-wise. I see partial account numbers and other IDs/numbers that I assume you'd prefer not be public, regardless of how insensitive they may seem now.
EXPENSIFY, INC. VALIDATION XXXXXX5987 THE HACK FOUNDATION +$0.89
FRONTING $10,000 TO CHRIS WALKER FOR GITHUB GRANTS MADE FROM PERSONAL ACCOUNT -$10,000.00
CHECK TO LACHLAN CAMPBELL +$800.00
Transfer to Emma's Earnings -$1,923.08
You've found an optional feature called Transparency Mode!
I admit, this is A LOT of information being made accessible. We at Hack Club (the nonprofit organization behind HCB, and the owner of the transactions above) have chosen to make our finances publicly available on the internet. You can read more about it here: https://blog.hcb.hackclub.com/posts/transparent-finances-opt...
That link (https://hcb.hackclub.com/hq/transactions) shows our donations and spending down to the cent since we believe donors deserve to know what their contributions are funding. As a nonprofit, you can talk about what you’re spending money on, but transparency in every transaction builds trust for supporters. This level of transparency is definitely atypical, and I can see why it may raise concerns.
Other organizations using HCB (such as Reboot) can choose to enable this feature too (it's off by default), and they're briefed on the potential risks and level of exposure to decide whether it's right for their organization/team. HCB supports 6.5k nonprofits, and roughly 64% of organizations have chosen to enable this feature.
> I see partial account numbers and other IDs/numbers that I assume you'd prefer not be public, regardless of how insensitive they may seem now.
> EXPENSIFY, INC. VALIDATION XXXXXX5987 THE HACK FOUNDATION +$0.89
Good catch! Thanks for flagging that verification deposit. I've pushed a fix here: https://github.com/hackclub/hcb/pull/12336
As for the account numbers (e.g. XXXXXX5987) visible in some transactions, these are our own defunct operating accounts, and we're aware they're out there on the internet. We have a new way of managing account numbers via Column.com, so these older transactions are less of a concern for me.
I very much appreciate you bringing these to my attention! We're always looking to improve, so I'd love to hear if you find anything else.