Hacker News: maxwellg

New comment by maxwellg in "ChatGPT won't let you type until Cloudflare reads your React state"

maxwellg — Mon, 30 Mar 2026 01:19:42 +0000

Wouldn't a browser that doesn't execute JS also not execute the browser fingerprinting code in the first place?

New comment by maxwellg in "Chrome DevTools MCP (2025)"

maxwellg — Mon, 16 Mar 2026 00:55:29 +0000

Is your agent harness dropping the entire MCP server tool description output directly into the context window? Is your agent harness always addig MCP servers to the context even when they are not being used?

MCP is a wire format protocol between clients and servers. What ends up inside the context window is the agent builder's decision.

New comment by maxwellg in "London's most controversial cyclist"

maxwellg — Tue, 10 Feb 2026 19:09:55 +0000

Mikey might have a profit incentive at play, but let's be abundantly clear - the drivers he is catching are frequently flagrantly breaking the law and endangering both themselves and the people around them. I have a very hard time feeling sympathy for those who are unable or unwilling to operate a car safely on public roads.

New comment by maxwellg in "Donating the Model Context Protocol and establishing the Agentic AI Foundation"

maxwellg — Tue, 09 Dec 2025 21:53:33 +0000

> The only issue it solves is if you want to bring your own tools to an existing chatbot.

That's a phenomenally important problem to solve for Anthropic, OpenAI, Google, and anyone else who wants to build generalized chatbots or assistants for mass consumer adoption. As well as any existing company or brand that owns data assets and wants to participate as an MCP Server. It's a chatbot app store standard. That's a huge market.

New comment by maxwellg in "Waymo robotaxis are now giving rides on freeways in LA, SF and Phoenix"

maxwellg — Wed, 12 Nov 2025 18:21:50 +0000

I've also had drivers do 50+ in residential areas, run red lights, play on their phones, cut off pedestrians in crosswalks, and once even park in a handicap spot at a gas station to buy cigs with me left in the back seat. If I was guaranteed a driver that could obey the traffic laws, I'd be happy to continue taking Ubers. That hasn't been the case.

New comment by maxwellg in "MCP-Scanner – Scan MCP Servers for vulnerabilities"

maxwellg — Mon, 27 Oct 2025 20:45:03 +0000

The initial remote MCP specification was pretty painful, but the June spec and the upcoming November spec are much more workable - MCP auth is (mostly) just OAuth now. MCP Clients are OAuth clients and can be granted access tokens and managed just like any other 3rd party app integration.

I'd love to hear more about the specific issues you're running into with the new version of the spec. (disclaimer - I work at an auth company! email in bio if you wanna chat)

Show HN: ChatGPT Tamagochi Pet Using Apps SDK

maxwellg — Fri, 10 Oct 2025 21:19:41 +0000

Article URL: https://chatagotchi.app/

Comments URL: https://news.ycombinator.com/item?id=45543906

Points: 1

# Comments: 0

New comment by maxwellg in "Gem.coop"

maxwellg — Mon, 06 Oct 2025 17:33:11 +0000

Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.

New comment by maxwellg in "Selling Lemons"

maxwellg — Tue, 30 Sep 2025 17:56:10 +0000

I’ve bought several of the WAOAW sleep masks as well. They’re great for the price point - I have a nasty habit of forgetting them in hotel beds though. I tend to go through one every few years or so. My wife enjoys hers as well.

Has anyone bought the third brand to round out the discussion?

New comment by maxwellg in "Tell HN: Phishing campaign claiming to be GitHub Developer Fund"

maxwellg — Sat, 20 Sep 2025 00:44:00 +0000

The innocuous https://grants.github.com/apply URL goes to a completely different site. Sneaky sneaky.

New comment by maxwellg in "Our data shows San Francisco tech workers are working Saturdays"

maxwellg — Mon, 08 Sep 2025 17:28:48 +0000

I should caveat this by saying this is certainly not 9/9/6, yeesh. Weekdays are fuzzy but never 12 hour days. Do you count going to a meetup after hours as work? A dinner with a prospect? Early coffee with a coworker? Saturdays or Sundays are maybe two or three hours at the most.

New comment by maxwellg in "Our data shows San Francisco tech workers are working Saturdays"

maxwellg — Mon, 08 Sep 2025 17:22:07 +0000

Of course we are! This year has been the most exciting (and fun!) of my career in the Bay. There is so much to do and so much going on. Things that were impossible a year ago suddenly feel imminent. Nobody is forcing (or really even asking) me to work on the weekends but if I have an interesting idea bouncing around in my brain I'm not going to wait to Monday to play around with it.

New comment by maxwellg in "Web Bot Auth"

maxwellg — Thu, 28 Aug 2025 22:07:16 +0000

Cloudflare is only the first to market with a solution. If this proposal catches on every WAF vendor under the sun will have it implemented before the next sales cycle. Enforcement of this standard will be commoditized down to nothing.

New comment by maxwellg in "Kiwi.com flight search MCP server"

maxwellg — Wed, 27 Aug 2025 18:54:00 +0000

It cracks me up to no end how the dev tools are much better MCP clients than the web chatbots. Claude Code is so _so_ much better at MCP than Claude Web, which has issues with managing DCR client state, is comparatively terrible at surfacing debug information up, doesn't let regular users see under the hood at how tools are described or called, etc.

Using Claude Code or your IDE of choice to book a hotel is a fun unintended side effect of this.

New comment by maxwellg in "An illustrated guide to OAuth"

maxwellg — Mon, 25 Aug 2025 16:52:38 +0000

I would also recommend the OAuth 2.1 IETF draft as a precursor to the BCP: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-...

Although it isn't a published RFC yet, it intends to replace several sometimes-conflicting previous RFCs + the BCP with a single document.

New comment by maxwellg in "Everything I know about good API design"

maxwellg — Sun, 24 Aug 2025 23:09:17 +0000

Refresh tokens are only really required if a client is accessing an API on behalf of a user. The refresh token tracks the specific user grant, and there needs to be one refresh token per user of the client.

If a client is accessing an API on behalf of itself (which is a more natural fit for an API Key replacement) then we can use client_credentials with either client secret authentication or JWT bearer authentication instead.

New comment by maxwellg in "Vendors that treat single sign-on as a luxury feature"

maxwellg — Tue, 19 Aug 2025 22:52:54 +0000

Many "softer" forms of SSO have trickled down too. Google + Microsoft OAuth are ubiquitous today without any upchage. OAuth from a Google Workspace account managed by an IT admin has many of the same security guarantees as SAML or OIDC from a Google Workspace account, at least for a small player. There are some sketches like https://easie.dev/ that explore this further.

New comment by maxwellg in "Vaultwarden commit introduces SSO using OpenID Connect"

maxwellg — Fri, 15 Aug 2025 20:27:07 +0000

For extra security, an intermediary can set Content Security Policy (CSP) headers that instruct browsers to only connect to certain domains. CSP headers aren't a total solution, but they're a good tool in the toolkit for redundancy against exfiltration.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

New comment by maxwellg in "Vaultwarden commit introduces SSO using OpenID Connect"

maxwellg — Fri, 15 Aug 2025 20:24:47 +0000

SSO chaining is super common in large corporate environments. Different orgs might have their own SSO IDP, acquisitions often bring their own, etc. Once a provider is in use, it is quite difficult to tear out later while keeping everyone in their proper accounts in all the apps that tie in. Many apps are really bad at SSO migrations, or deduplicating multiple SSO identities to a single user account.

New comment by maxwellg in "The Missing Protocol: Let Me Know"

maxwellg — Tue, 12 Aug 2025 21:28:44 +0000

This is conceptually extremely similar to the Web Push API: https://web.dev/articles/push-notifications-web-push-protoco...

You'd need something at the browser/UA level to unsubscribe or to make the subscription exist for only a single message. Bad content publishers have taught us to never allow Web Push notifications since they always get inundated with marketing and other nonsense - being able to bake protections against that into the spec could be interesting.