<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: cxr</title><link>https://news.ycombinator.com/user?id=cxr</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 10 Jul 2026 18:35:22 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=cxr" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by cxr in "Datasette Apps: Host custom HTML applications inside Datasette"]]></title><description><![CDATA[
<p>> Would moving the untrusted content to be served from a separate domain entirely close the hole?<p>Yes.</p>
]]></description><pubDate>Sun, 21 Jun 2026 19:55:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=48622045</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48622045</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48622045</guid></item><item><title><![CDATA[New comment by cxr in "Datasette Apps: Host custom HTML applications inside Datasette"]]></title><description><![CDATA[
<p>> That's why I'm careful not to include allow-same-origin in the sandbox attribute<p>It doesn't matter.  I just said there is no combination of CSP or the iframe sandbox attribute that can be relied upon here.</p>
]]></description><pubDate>Sun, 21 Jun 2026 09:14:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=48617086</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48617086</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48617086</guid></item><item><title><![CDATA[New comment by cxr in "Datasette Apps: Host custom HTML applications inside Datasette"]]></title><description><![CDATA[
<p>> <iframe sandbox=""> - which really is designed to be used as a sandbox<p>Not for untrusted content living on the same origin to prevent it from exercising any of the powers that it would ordinarily have to be able to access sensitive data.  It's a misleading name and shouldn't have been chosen.  There is no combination of CSP or the iframe sandbox attribute that can be relied upon for that purpose.  This is a fundamental limitation of the way the specs were written.<p>(There needs to be a big warning about this on MDN, but moving from the old wiki to a wiki with GitHub for login to the GitHub-based pull request process really didn't help the there's-a-problem-on-this-page-but-limited-resources-to-make-things-better problem.)</p>
]]></description><pubDate>Sat, 20 Jun 2026 14:15:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=48609388</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48609388</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48609388</guid></item><item><title><![CDATA[New comment by cxr in "Datasette Apps: Host custom HTML applications inside Datasette"]]></title><description><![CDATA[
<p>CSP is optional and designed to be one part of a defense-in-depth strategy (to extent that it was thoughtfully designed at all—it's an awful standard that should not have made it past proposal stage).  It's not a solution for sandboxing untrusted content and should not be relied upon that way.  Treating it like one is a great demonstration of how some uses of CSP make people more vulnerable.</p>
]]></description><pubDate>Fri, 19 Jun 2026 17:29:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=48600899</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48600899</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48600899</guid></item><item><title><![CDATA[New comment by cxr in "NetNewsWire Status"]]></title><description><![CDATA[
<p>A lot of people don't get podcasts.  They think it's a genre (and that it applies to the show(s) they watch on YouTube).<p>For a large segment, telling them that a feed reader is for podcasts but for reading will just elicit a "what?"</p>
]]></description><pubDate>Fri, 19 Jun 2026 12:51:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=48597991</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48597991</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48597991</guid></item><item><title><![CDATA[New comment by cxr in "The Birth and Death of JavaScript (2014)"]]></title><description><![CDATA[
<p>It's no use being pedantic if you're not going to be correct.<p>> This is a pedantic point, but that's not really what the definition of compiler is as much as a common understanding of it. By definition, it just translates one language into another<p>The history and etymology doesn't support that definition, either; that's just another "common [mis]understanding" of the term.  It's in the name.  A compiler produces a compilation—an aggregate of multiple subroutines, including user-supplied ones and some by the system/programming environment, transformed into a single program for a given target.<p>(You're describing the process of "autocoding", a job that every compiler does, and a term that predates "transpiler" but that no one uses because they favor stretching the more frequently encountered term "compiler" for their use case.)</p>
]]></description><pubDate>Sun, 14 Jun 2026 14:45:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=48527709</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48527709</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48527709</guid></item><item><title><![CDATA[New comment by cxr in "Chibil: A C compiler targeting .NET IL"]]></title><description><![CDATA[
<p>The creator of lcc also published a paper "lcc.NET: targeting the .NET
Common Intermediate
Language from Standard C" (2004).<p><<a href="https://drh.github.io/documents/msil-spe.pdf" rel="nofollow">https://drh.github.io/documents/msil-spe.pdf</a>><p>One problem with lcc has always been that it's distributed as source available with restrictions and has never been available under a FOSS license.</p>
]]></description><pubDate>Sun, 31 May 2026 17:28:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=48347598</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48347598</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48347598</guid></item><item><title><![CDATA[New comment by cxr in "Build Adafruit projects right from Firefox"]]></title><description><![CDATA[
<p>> You seem very angry and I clearly don't understand what you are talking about.<p>Luckily you managed to frame it so that the failure comes across like something that I got wrong and messed up and am responsible for, and that's the most important thing.</p>
]]></description><pubDate>Sat, 30 May 2026 20:20:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48340237</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48340237</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48340237</guid></item><item><title><![CDATA[New comment by cxr in "Build Adafruit projects right from Firefox"]]></title><description><![CDATA[
<p>> Unfortunately Firefox doesn't support the FileSystem API so to do this you need to resort to uploading the entire source code directory each time you change a source file.<p>Right, it's so much less onerous to have people download and set up an entirely separate fickle toolchain—and needing to trust that the install triggers in the package.json of some transitive dependency won't exfiltrate your personal data or install some nefarious ineradicable background service onto your system, versus the two extra clicks you'd have to subject yourself to if you wanted to re-run the build.*<p>Wait, no.<p>> people [are] forced to ship "Chrome-based only" features<p>No they're not.  By your own admission they could make their build scripts work with the standardized HTML5 APIs that are well-supported in all major browsers.  They choose not to.<p>And you're not really responding to the substance, anyway—which is that JS programmers (frequently writing for browser runtimes, even) require that you install NodeJS, Bun, or Deno (because they hardcode the build scripts internals against one of those runtime's APIs).  If programmers really were writing build scripts that you could run in Chrome but unfortunately not Firefox, then even that would be an improvement over the status quo.  But that's not what we're talking about, because that's not happening.<p>* most of which are destined to be one-shot executions, anyway</p>
]]></description><pubDate>Mon, 25 May 2026 03:57:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=48263274</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48263274</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48263274</guid></item><item><title><![CDATA[New comment by cxr in "Build Adafruit projects right from Firefox"]]></title><description><![CDATA[
<p>That's a start at improving something.  But it won't rid itself of the Playskool/Fisher-Price gimmick factor or have any lasting effect until we can convince JS developers to write their own tools in a standards-compliant dialect and use standardized APIs so that contributors can use the runtime they already have installed instead of being cajoled and browbeaten into installing NodeJS or Bun or Deno or whatever to do what the browser runtime is perfectly capable of: opening a project directory, executing the code comprising the build script, and outputting the build artifacts when it's done.</p>
]]></description><pubDate>Sun, 24 May 2026 18:04:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=48259579</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48259579</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48259579</guid></item><item><title><![CDATA[New comment by cxr in "Moving away from Tailwind, and learning to structure my CSS"]]></title><description><![CDATA[
<p>What?</p>
]]></description><pubDate>Sun, 17 May 2026 17:51:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=48171276</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48171276</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48171276</guid></item><item><title><![CDATA[New comment by cxr in "The Third Hard Problem"]]></title><description><![CDATA[
<p>This is an independent riff on an argument Ted Nelson wrote down 50 years ago (and the reason why he coined the term "hypertext").<p><<a href="https://en.wikipedia.org/wiki/Computer_Lib/Dream_Machines" rel="nofollow">https://en.wikipedia.org/wiki/Computer_Lib/Dream_Machines</a>><p><<a href="http://link.springer.com/10.1007/978-3-319-16925-5" rel="nofollow">http://link.springer.com/10.1007/978-3-319-16925-5</a>></p>
]]></description><pubDate>Sun, 17 May 2026 14:12:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=48169089</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48169089</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48169089</guid></item><item><title><![CDATA[New comment by cxr in "Moving away from Tailwind, and learning to structure my CSS"]]></title><description><![CDATA[
<p>> the class="" property is in the HTML and that is the styling info<p>The class attribute (not "property") is in the HTML because it's part of HTML.  It's markup.  Element classes weren't created either by or for the CSS people when CSS came along.  The class attribute predates CSS by years and has no more relation to "styling info" than the id attribute does.</p>
]]></description><pubDate>Sun, 17 May 2026 13:50:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=48168913</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48168913</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48168913</guid></item><item><title><![CDATA[New comment by cxr in "Show HN: Epiq – Distributed Git based issue tracker TUI"]]></title><description><![CDATA[
<p>> How can the browser execute git commands from opening a local html file?<p>It can't.  The CONTRIBUTING.html shell would spit out a file and tell the user what Git commands need to be run—just like project READMEs (or landing pages like jekyllrb.com) show which commands will install the tool.</p>
]]></description><pubDate>Sat, 16 May 2026 20:53:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=48163707</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48163707</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48163707</guid></item><item><title><![CDATA[New comment by cxr in "Show HN: Epiq – Distributed Git based issue tracker TUI"]]></title><description><![CDATA[
<p>I am one of ~3 people primarily responsible for the JS Reference as it appeared/appears on developer.mozilla.org since before NodeJS (or V8) ever existed.  I "know what JavaScript is".</p>
]]></description><pubDate>Sat, 16 May 2026 13:12:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=48159974</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48159974</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48159974</guid></item><item><title><![CDATA[New comment by cxr in "Project Gutenberg – keeps getting better"]]></title><description><![CDATA[
<p>Like the Project Gutenberg collection on archive.org, the ZIMs are only current up to 2018.</p>
]]></description><pubDate>Sat, 16 May 2026 12:49:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48159797</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48159797</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48159797</guid></item><item><title><![CDATA[New comment by cxr in "Show HN: Epiq – Distributed Git based issue tracker TUI"]]></title><description><![CDATA[
<p>There is no argument or insight in your comment.  It's physically possible to type in code that makes direct use of non-standard APIs that work in NodeJS but not the browser.  Pointing out that this is so and that there are people who do it is not the same as engaging with the subject of whether they ought not to—which was the point of the remarks you responded to.  Previously:<p>> <i>You're offering a retort to someone who is communicating their position that you ought not do something, where the retort consists of nothing more than explaining that people are doing it.  Yes, clearly.  But what the person you're responding to is arguing is that </i>you ought not do it.<i>¶ Consider[…]:</i><p>> <i>Person A: Here's little advice: don't take up smoking. Smoking is bad for you.</i><p>> <i>Person B: Yet people smoke</i><p><<a href="https://news.ycombinator.com/item?id=38712699">https://news.ycombinator.com/item?id=38712699</a>></p>
]]></description><pubDate>Sat, 16 May 2026 11:46:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=48159302</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48159302</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48159302</guid></item><item><title><![CDATA[New comment by cxr in "Show HN: Epiq – Distributed Git based issue tracker TUI"]]></title><description><![CDATA[
<p>You don't need to put it on the Web to be able to leverage the World Wide Wruntime.<p>Epiq looks to be written in TypeScript and distributed as JS via NPM.  You know what excels at executing JS?  The browser.<p>If you want to actually address the usability problems—then create a CONTRIBUTING.html—linked from the README, that users are instructed to double-click to open (i.e. launch in the browser on any sanely configured system).  From there, they can/should be able to load the project either by pointing to it with a filepicker-based workflow that's the same as VSCode's "Open Folder…" workflow, or by dragging and dropping the source tree into the browser window.  If you do it right, then this should immediately present them with a browser-based UI for poring over and interacting with all the Epiq data in the repo—down to the Git commands to execute to integrate changes into the Epiq "database".<p>It's beyond baffling that so many programmers who are nominally JS developers thumb their noses at writing standards-compliant code and instead <i>insist</i> on coding directly against Node's proprietary APIs.</p>
]]></description><pubDate>Sat, 16 May 2026 04:57:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=48156959</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48156959</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48156959</guid></item><item><title><![CDATA[New comment by cxr in "GitHub is sinking"]]></title><description><![CDATA[
<p>> DigitalOcean App platform[…] only connect to GitHub<p>They also support deployments from GitLab (so long as you're using the gitlab.com-hosted instance and not a self-hosted GitLab instance).  If you've deployed your own self-hosted forge, then you can connect DigitalOcean App Platform to it by using gitlab.com as a bridge—register an account on gitlab.com once and instruct your self-hosted forge to replicate copies to gitlab.com.  You don't really need to actually <i>use</i> GitLab.<p>Having said that, considering that DigitalOcean is in the business of selling IaaS/PaaS, it's loony that they don't let you connect to, say, your own self-hosted Forgejo running on their infrastructure…<p>(Indeed, considering how many people would like to self-host their own forge but how few people want to actually set up and do admin for it, it's loony that DigitalOcean doesn't pick up, say, Forgejo and/or an alternative and offer a sharply discounted (e.g. $20/year) quasi-managed one-click deployment option with first-class support for connecting to their App Platform.)</p>
]]></description><pubDate>Sun, 10 May 2026 19:45:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=48087151</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48087151</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48087151</guid></item><item><title><![CDATA[New comment by cxr in "The agent principal-agent problem"]]></title><description><![CDATA[
<p>This post highlights but never explicitly addresses the current language trend that involves the corruption of the word "agent" to imply ChatGPT- and Anthropic-era AI.<p>It also speculates on the practices at Microsoft in its opaqueness but doesn't recognize the development methodology used for Linux despite its transparency or acknowledge how it differs from the pilloried code review that the audience is most familiar with—even though the kernel development project is the cradle for the VCS that everyone decided to use (but also to never use correctly).<p>Overall, there aren't really any insights here.  The solution described just highlights that high-trust teams are composed of members that (are|can be) trusted by one another.  But being on that kind of team is a luxury.  The introduction of coding agents doesn't change anything.  Take out the LLM-powered patch iteration, and it works for all the reasons it already worked before the advent of coding agents.  It's a little like the obliviousness-to-privilege of folks who try to address the problems of people who experience poverty with advice that reduces down to the question, "Have you tried <thing that precludes someone who is poor>?"</p>
]]></description><pubDate>Sun, 10 May 2026 12:31:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=48083473</link><dc:creator>cxr</dc:creator><comments>https://news.ycombinator.com/item?id=48083473</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48083473</guid></item></channel></rss>