notnullorvoid commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
drewvlaz · 3 days ago
Wow, did not realize a URL could be set like that without prompting a page reload...
notnullorvoid · 3 days ago
To be clear, only the path and query parameter part of the URL can change; the domain (or subdomain) stays intact.
notnullorvoid commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
rvnx · 3 days ago
For Coinbase docs, this is a disaster particularly
notnullorvoid · 3 days ago
By the looks of it their docs are under a subdomain, and no part of the domain can be changed when setting the URL this way. So it would still look a little out of place at least.
notnullorvoid commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
jonfw · 3 days ago
How do you modify the URL exactly?
notnullorvoid · 3 days ago
`history.replaceState(null, "", "/login")`
notnullorvoid commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
tptacek · 3 days ago
No it would not have been.
notnullorvoid · 3 days ago
This specific XSS vulnerability may not have been, but the linked RCE vulnerability found by their friend https://kibty.town/blog/mintlify/ certainly would've been worth more than the $5,000 they were awarded.

A vulnerability like that (or even a slightly worse XSS that allowed serving JS instead of only SVG) could've let them register service workers for all visiting users, giving future XSS ability at any time, even after the original RCE and XSS were patched.

notnullorvoid commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
jdsleppy · 3 days ago
Doesn't stealing the cookies/token require a non-HTTP-only session cookie or a token in localStorage? Do you know that Discord puts their secrets in one of those insecure places, or was it just a guess?

I believe if you always keep session cookies in secure, HTTP-only cookies, then you are more resilient to this attack.

I interviewed frontend devs last year and was shocked how few knew about this stuff.

notnullorvoid · 3 days ago
In general, if a script can run, users' sessions and, more importantly, passwords are at risk.

It's true that an HTTP-only session cookie couldn't be directly taken, but it's trivial to present the user with a login screen and collect their password (and OTP), at which point you can easily get a session remotely. It can look entirely like the regular login page, right down to the URL path (because the script can modify that without causing a page load).
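As an added example, not code from the thread or from any project named in it: a Node.js audit of the response headers that bound what an injected script can do, covering the HttpOnly point raised here and the service worker persistence point from the earlier comment. The function names and the cookie-name pattern are assumptions, and the sample headers used in the check are constructed.

```javascript
// Hypothetical helper names; the session-cookie name pattern is an assumption.
const SESSION_COOKIE_RE = /^(sid|session|token|__Host-session)$/i;

// Parse one Set-Cookie header into its cookie name and a lower-cased attribute set.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq);
  return { name, attrs: new Set(attrs.map((a) => a.split("=")[0].toLowerCase())) };
}

// Parse a Content-Security-Policy header into a Map of directive -> source list.
function parseCsp(value) {
  const out = new Map();
  for (const directive of value.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Effective source list for a directive, following the CSP fallback chain given.
function effective(csp, ...chain) {
  for (const d of chain) if (csp.has(d)) return csp.get(d);
  return null;
}

// Returns a list of findings for a response; an empty list means the checks pass.
// `headers` is a plain object with lower-cased names; set-cookie is an array.
function auditHeaders(headers) {
  const findings = [];
  for (const cookie of headers["set-cookie"] || []) {
    const { name, attrs } = parseSetCookie(cookie);
    if (!SESSION_COOKIE_RE.test(name)) continue; // only session-bearing cookies
    if (!attrs.has("httponly")) findings.push(`${name}: readable by script (missing HttpOnly)`);
    if (!attrs.has("secure")) findings.push(`${name}: missing Secure`);
    if (!attrs.has("samesite")) findings.push(`${name}: missing SameSite`);
  }
  const csp = parseCsp(headers["content-security-policy"] || "");
  const script = effective(csp, "script-src", "default-src");
  if (!script) findings.push("csp: no script-src or default-src, any injected script runs");
  else if (script.some((s) => s === "'unsafe-inline'" || s === "*"))
    findings.push("csp: script-src allows inline or wildcard scripts");
  // worker-src falls back to child-src, then script-src, then default-src.
  const worker = effective(csp, "worker-src", "child-src", "script-src", "default-src");
  if (!worker || worker.includes("*"))
    findings.push("csp: worker-src unrestricted, injected script could register a service worker");
  return findings;
}
```

Run it against a captured response from a proxy or test client; the findings are the hardening list for that endpoint.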

notnullorvoid commented on Pricing Changes for GitHub Actions   resources.github.com/acti... · Posted by u/kevin-david
nhumrich · 5 days ago
I LOVE GitLab, but their new pricing is absurd. It feels like they are trying to shovelware their AI stuff. Their cheapest plan is more than 7x the cost of GitHub, AND more expensive than GitHub Enterprise! And that's on the _cheapest_ non-free GitLab plan. If you self-host GitLab entirely, you can't even get branch/force-push protection. If they could bring their pricing to even just 2x GitHub by having a NON-AI plan, I would purchase again in a heartbeat.
notnullorvoid · 5 days ago
I had to go check to see what their pricing was, and I couldn't believe it. The base tier was $4/month, now that tier is gone and the premium tier is 2x what it used to be only 5 years ago.
notnullorvoid commented on Problems with D-Bus on the Linux desktop   blog.vaxry.net/articles/2... · Posted by u/LorenDB
notnullorvoid · 6 days ago
I was under the impression that the security concerns there are handled by AppArmor and SELinux (though maybe not granular access control to secrets). All desktop Linux installs should be using one or the other, because there's much more than just D-Bus that can be a security risk.
notnullorvoid commented on The Tor Project is switching to Rust   itsfoss.com/news/tor-rust... · Posted by u/giuliomagnifico
hu3 · 8 days ago
Do you have a source for that?

Because esbuild is Go. tac was TypeScript and will be Go. Bun is Zig.

Come to think of it, I don't use a single Rust tool for the web. Node is C++. Deno breaks too much.

So, do you have a source for your claim?

notnullorvoid · 7 days ago
Transpilers: SWC, Oxc
Linters/Formatters: DPrint, deno lint, Biome, Oxlint, Oxfmt
Bundlers: Rolldown (replacing esbuild in Vite), Rspack, Turbopack, and certain components of Parcel

All built with Rust

notnullorvoid commented on The Tor Project is switching to Rust   itsfoss.com/news/tor-rust... · Posted by u/giuliomagnifico
hu3 · 8 days ago
Obviously, C# is one of Microsoft's flagship languages, along with TypeScript.

So it's expected to be frequently mentioned there.

notnullorvoid · 8 days ago
Sure, and Rust is the most used language for modern TS/JS tooling, outside of TS/JS. There would have been substantial ecosystem benefits had Rust been chosen.
notnullorvoid commented on The Tor Project is switching to Rust   itsfoss.com/news/tor-rust... · Posted by u/giuliomagnifico
hu3 · 9 days ago
Not your parent commenter but:

> You can frame that as an architectural concern...

"Go also offers excellent control of memory layout and allocation (both on an object and field level) without requiring that the entire codebase continually concern itself with memory management."

"The TypeScript compiler's move to Go was influenced by specific technical requirements, such as the need for structural compatibility with the existing JavaScript-based codebase, ease of memory management, and the ability to handle complex graph processing efficiently. "

If memory management and ability to handle complex graph processing efficiently isn't related to architecture to you I don't know what to tell you.

[0] https://github.com/microsoft/typescript-go/discussions/411

> The cult is in your imagination.

CTRL+F "rust" on the Go issue and see how many results you get. 31 for me and that's before expanding spam.

notnullorvoid · 9 days ago
> If memory management and ability to handle complex graph processing efficiently isn't related to architecture to you I don't know what to tell you.

Rust can do complex graph processing, as well as efficient, easy memory management, but it's going to do it in a different structure than a GCed lang would. Hence my statement that 1-to-1 translation was the primary factor.

> CTRL+F "rust" on the Go issue and see how many results you get.

Yes, and so what? There are 35 for .NET or 74 for C#, yet you don't see people claiming the C# cult was harassing the TS team.
