Posts: 0 | Comments: 343 | Joined: 2 yr. ago

  • Twitter is terrible for people like me. I like following interests: books, coding, landscape photography, linux, etc. Twitter is more about following people, and people have diverse interests. One thing I really liked about Reddit was that it had active subreddits dedicated to particular interests. You could just hang out in those subreddits and only ever interact with things on topic to said interests. Lemmy has a bit less of that, unless your interests are politics, linux, and programming, and shitty memes.

  • This demonstrates a profound misunderstanding of HTMX, and how websites in general operate. So much so that I would not hesitate to describe this as somewhere between a bald-faced lie and just malicious incompetence. You can't "invoke logic via HTML attributes," but you can describe it. HTMX is a client-side JavaScript library that parses custom elements you define in your HTML and uses the data described by them to initiate AJAX calls via the fetch() or XMLHttpRequest browser APIs, which CSP explicitly covers via the connect-src directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src. It's literally just a JavaScript library that parses HTML and uses it to parameterize AJAX calls. If HTMX were somehow able to bypass CSP, then every single piece of client-side JavaScript in the world could violate it.

  • "Wow, these screen doors really suck. I've stuck them on my submarine, but they just don't keep the water out at all. Some people are going to say that I'm a fucking moron and don't understand the technology I use or that I'm too goddamn lazy to actually take the necessary steps to keep water out of my submarine, but I know they're wrong and it's the technology's fault."

    In all seriousness, HTMX is a tool designed for a specific job. If you have an API that has either non-parameterized endpoints to hit or an endpoint that accepts a single integer value or UUID or....whatever to perform a database lookup and return stored values to be interpolated into the HTML that endpoint returns, then, great, you've got a lightweight tool to help do that in an SPA. If you're using it to send complex data that will be immediately and unsafely exposed to other users, then...that's not really what it's for. So, I think the core issue here is that you don't really understand the use case and are opposed to it because to use it in a way that is beyond or outside the scope of its established convention is unsafe without extra work involved to guarantee said safety. It also implies you are running a website with a content security policy that either explicitly allows the execution of unsafe inline scripts or which does not care about the sources to which a script connects, which is the only way you could realistically leverage HTMX for malicious ends. So, ultimately, the choice to not adopt comprehensive security measures is one you are free to make, but I wouldn't exactly go around telling people about it.

  • how HTMX works and what it does inherently bypasses CSP

    Well, no, not really. All HTMX really does are AJAX requests to remote resources, which are performed by interpreting attributes in HTML. You specify the type of request and the target for updating. Those requests can sometimes contain parameters, of course, but any API that accepts any kind of conditional or user generated input has to sanitize that input before doing anything meaningful with it. This requirement isn't something particular to HTMX.

    You fundamentally are invoking logic via HTML attributes, which bypasses CSP

    This is not true, though. You are manipulating the DOM via HTMX, but CSP has nothing to do with dynamic content manipulation. CSP is more concerned with preventing the injection of malicious code. If what you're referring to, however, is the possibility of someone maliciously injecting HTML with HTMX that performs some nefarious action, then I have to ask (again) why you didn't properly sanitize user input or limit the possible connection sources in your CSP.

    If you have a specific example, however, of a way in which HTMX by design violates CSP that can't be dismissed with "you coded your website poorly," I would love to know.

  • And then, later on, as they're watching some guy get hauled off by the police to get "reeducated" after getting upset at a waiter, Batman says to Justice Lord Batman, very sarcastically:

    "Mom and Dad would be so proud."

  • I personally assumed they were rewriting it from C# because C# is complete ass that got destroyed by Microsoft's own insistence on feature creep. The language is a goddamn mess. That said, a ton of languages are a mess but they're even more baked into shit than C#. Like, Javascript is a bad language, but it'll probably always be around because....internet.

  • I think we're gonna have to agree to disagree on definitions. To me, and I believe, to most people, an SPA refers to a UI/UX design pattern that can be implemented with any number of underlying techniques. I would also say that the Wikipedia page for SPAs (on the assumption that Wikipedia is a valid tool for establishing consensus for definitions) supports my definition:

    A single-page application (SPA) is a web application or website that interacts with the user by dynamically rewriting the current web page with new data from the web server, instead of the default method of a web browser loading entire new pages.

    There are various techniques available that enable the browser to retain a single page even when the application requires server communication.

    And it goes on to list frameworks, AJAX, Websockets, etc.

  • A SPA is *generally* “rehydrated” DOM elements from JSON data pulled from an API though. Whereas HTMX is more akin to classic AJAX-style page dynamism.

    You'll forgive me if I say this is an instance of splitting hairs and having a particular definition for something that includes extra qualities separate from what those terms are actually describing for most people. Also, things like, I dunno, React, are going to extensively use ajax to accomplish what they do. It's literally just asynchronous javascript. It's like someone saying "my vehicle of choice is a motorcycle" and then someone else saying "A motorcycle isn't really a vehicle. It's a transportation device with wheels. A car is a vehicle." They are both vehicles. They both have wheels. The wheels are ajax. A page made with htmx and a page made with React are both SPAs.

  • Processes in most operating systems (I'll use Linux, because it's what I know and because...Lemmy) are organized in a tree-like structure. There's some initial very low level code used to start the OS, and every other process spawns from that, which is to say they tell the operating system "Hey, please make this process I'm gonna tell you about - allocate resources for it, etc." The operating system creates it and binds that new child process to the first one. The process that spawned the other process is called its parent. The process that just got spawned is called a child. You could also call them root and leaf processes, I suppose, but nobody really does that. Sometimes you want to get rid of all the child processes a process spawns, but leave the running process intact. Sometimes you want to kill the process that spawned everything and also clean up anything it might have created. There are lots of programming scenarios in which you might want to do either. It really depends on how your application is designed and what it's doing.

    That all said, there's a command in Linux called "kill" and you can tell it the process id, process group id, etc. to kill a process or a process group. You can also manipulate what are called SIGNALS. Signals are a whole thing in Linux. They're basically small values you can send to processes at any time and the operating system forces the process to perform some action whenever it receives one of them. SIGTERM basically stands for "SIGNAL: TERMINATE PROCESS." So if you "trap" the SIGTERM, you can basically tell the operating system - whenever this parent process receives a SIGTERM, ignore it. The other processes in the process group - the child processes - all terminate, though, when they receive it.

  • Depends on whether or not you want to kill only the child processes of a parent process or if you want to kill the parent as well. To kill the parent and children, you can kill the entire process group, specifying the pgid in the kill command. To kill only the parent you can trap SIGTERM in the parent and then send SIGTERM to the process group.
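A worked version of the mechanism the two comments above describe, added here as an example rather than taken from the commenter: a parent forks children into its own process group, ignores SIGTERM the way a shell `trap '' TERM` would, and then signals the whole group with kill(2) on a negative pid, which is what `kill -TERM -- -<pgid>` does on the command line. NCHILDREN is a constructed value, and the setpgid call is there so the group-wide signal cannot reach whatever started the program.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NCHILDREN 3  /* constructed: number of worker children to spawn */

/* Parent side: fork children into our own process group, "trap" SIGTERM in
 * the parent only, then signal the whole group (kill -TERM -- -<pgid>).
 * Returns how many children died from SIGTERM, or -1 on error. */
static int supervise(void)
{
    if (setpgid(0, 0) != 0) return -1;   /* fresh group: caller is not in it */
    pid_t pgid = getpgrp(), kids[NCHILDREN];

    for (int i = 0; i < NCHILDREN; i++) {
        if ((kids[i] = fork()) < 0) return -1;
        if (kids[i] == 0)                /* child: keeps SIGTERM's default action */
            for (;;) pause();
    }

    /* Ignore SIGTERM here only; the children already exist and keep SIG_DFL. */
    if (signal(SIGTERM, SIG_IGN) == SIG_ERR) return -1;
    if (kill(-pgid, SIGTERM) != 0) return -1;   /* negative pid = whole group */

    int terminated = 0, status;
    for (int i = 0; i < NCHILDREN; i++)
        if (waitpid(kids[i], &status, 0) == kids[i] &&
            WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM)
            terminated++;
    return terminated;                   /* the parent is still alive to report */
}

/* Runs supervise() in a forked process and returns its count (3 on success). */
int kill_children_keep_parent(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int n = supervise();
        _exit(n < 0 ? 255 : n);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

Killing the parent as well is the same group-wide kill without the SIG_IGN step, which is the first case the comment describes.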

  • One of the funniest advertisements I've seen on YouTube was basically someone on TikTok going "Okay, I'm gonna try this game out called 'Insert Incredibly Generic Title Here'. Is it a fake game? Let's see." 10 seconds of them playing level 1: "okay, I blew up that barrel and got some coins. Looks like it's not a fake game." And that's the advertisement: Our game is a game that actually exists and isn't an app store scam.

  • HTMX is great and is the only frontend development tool I don't absolutely loathe. It enables lightweight SPA development, and provides a very simple and efficient mechanism for doing HTML over the wire.

  • You're getting caught up on phrasing and nothing else. Let it go. "Intelligent design" as an ideology and describing something as "intelligently designed" are not the same thing. The core similarity is what I've already described. You want me to mean something beyond what I've stated because you're incapable of accepting what you read at face value. I have no interest in speaking further with someone without the intelligence to do something as basic as understand the words they read.