There are multiple MIPS systems. The early ones were like you described, with a distinct feeling of too much plastic. Newer ones (e.g. Integra) are much more seamless. There are also other companies doing different…
CSRF can compromise the non-mutating path as well to exfiltrate data, but the mutating path and non-mutating are different, hence the OPTIONS preflight required prior to sending mutating requests. The browser enforces…
All CORS does is allow for selective loosening of anti-CSRF controls. CORS is a mechanism for a service to tell a client “I’m CSRF-resistant” so that that the client doesn’t need to protect its user as tightly when…
CSRF exists as a consequence of insecure-by-default browser handling of cookies, whereby the browser sends the host’s cookies on requests initiated by a third-party script to the vulnerable host. If a script can fake…
You want lax for the intuitive behavior on navigation requests from other origins. Because there’s no assumption navigation get requests are safe, strict is available as the assumption-free secure option.
CSP is a defense in depth mechanism which can be (among other capabilities) used to preempt the capability of inline scripts. This mitigates rendering bypasses, in the event that unsafe rendering occurs. For example,…
> Similarly, why is an online event handler considered a security risk? I just don’t see the difference between that and using a named function? It is a vector for script injection, and should be disallowed with a…
Putting the blame on cyclists for dooring requires missing problems up the chain which cause them to be in the door zone. Road designs (marked bike lanes that are 80% or more in the door zone) and automotive traffic…
The implicit premise in this argument is that safety is an add-on that you buy or install like an antivirus package. If we designed to encourage less dangerous forms of transportation from the start, there may be cost…
The other part of this decision not to protect human-powered mobility (pedestrian, bicycle, wheelchair, etc.) is that we allow or encourage automotive traffic as a constant, and _then_ we choose not to protect people.…
I want to respond to this constructively, because you highlighted a useful interface I'd never taken note of previously; maybe we can focus this discussion on a technical level. Meanwhile, if you haven't had a positive…
As a heads up since you mentioned "class method syntax", methods are one of the most important places to have lexical `this` binding in many scenarios. Take the following example, which is a normal class method: >…
Forcing your children to eat things they aren't comfortable with is not a hack. Please do not do this. There is a significant difference between providing a positive environment for your child to encounter new foods and…
If I follow your statement, it doesn't appear correct. JS Promises are eager, and the work underlying the promise will begin executing prior to being awaited. Await is just blocking on that execution's resolution. //…
If you're not familiar with the term, this image viewer pattern is generally called a lightbox rather than a carousel. I generally don't see the two used interchangeably, but there's similarity to the prev/next…
Since you provided a concrete scenario, I should probably do the same to clarify what I'm referring to in re-parenting or hoisting hooks. It doesn't really map to the statement "replace a global store with localized…
That's not a bug with hooks, but almost a complete misunderstanding of how hooks work (*on the part of anyone who writes that code thinking it will behave otherwise). Hooks are effectively instantiated on a specific…
It sounds like you're talking about network resolved state. I like to share this sort of state using a subscription model, where components subscribe to a property of a state root (which anchors/owns the state and how…
One of the problems Redux is used to solve (as a global store) is peace of mind that you won't need to refactor large swathes of component trees to reparent state and callbacks that need to be shared or persisted across…
I feel compelled to step in here and hopefully provide some insight on what that report means, because it doesn't appear to be what you implied. * Edit: The header image failed to load for me and complicates much of…
And options help with solidifying input contract as well as the output. Knowing what's an acceptable input via a type system is just as relevant as knowing what is a potential output.
Looks like an interesting project. I know the website isn't responsive, but adjusting the current meta viewport declaration would go a long way while you're working on a full solution. The minimum zoom of 1 makes it…
If seems like you discount portability as a concern, and if that's appropriate for your use case, that's a fair decision of course. But there are many use cases for which that's a priority. The concern the BEM and…
If you build sites that can support arbitrary viewports, extrapolating to arbitrary scaling factors on a given concrete viewport does not create an explosion of scenarios to manually test -- all you need to know is that…
I've written a series of very similar articles, and seeing as some of the ones in this site don't seem to be available yet, and otherwise as another point of view, they may be of interest to anyone looking at this:…
There are multiple MIPS systems. The early ones were like you described, with a distinct feeling of too much plastic. Newer ones (e.g. Integra) are much more seamless. There are also other companies doing different…
CSRF can compromise the non-mutating path as well to exfiltrate data, but the mutating path and non-mutating are different, hence the OPTIONS preflight required prior to sending mutating requests. The browser enforces…
All CORS does is allow for selective loosening of anti-CSRF controls. CORS is a mechanism for a service to tell a client “I’m CSRF-resistant” so that that the client doesn’t need to protect its user as tightly when…
CSRF exists as a consequence of insecure-by-default browser handling of cookies, whereby the browser sends the host’s cookies on requests initiated by a third-party script to the vulnerable host. If a script can fake…
You want lax for the intuitive behavior on navigation requests from other origins. Because there’s no assumption navigation get requests are safe, strict is available as the assumption-free secure option.
CSP is a defense in depth mechanism which can be (among other capabilities) used to preempt the capability of inline scripts. This mitigates rendering bypasses, in the event that unsafe rendering occurs. For example,…
> Similarly, why is an online event handler considered a security risk? I just don’t see the difference between that and using a named function? It is a vector for script injection, and should be disallowed with a…
Putting the blame on cyclists for dooring requires missing problems up the chain which cause them to be in the door zone. Road designs (marked bike lanes that are 80% or more in the door zone) and automotive traffic…
The implicit premise in this argument is that safety is an add-on that you buy or install like an antivirus package. If we designed to encourage less dangerous forms of transportation from the start, there may be cost…
The other part of this decision not to protect human-powered mobility (pedestrian, bicycle, wheelchair, etc.) is that we allow or encourage automotive traffic as a constant, and _then_ we choose not to protect people.…
I want to respond to this constructively, because you highlighted a useful interface I'd never taken note of previously; maybe we can focus this discussion on a technical level. Meanwhile, if you haven't had a positive…
As a heads up since you mentioned "class method syntax", methods are one of the most important places to have lexical `this` binding in many scenarios. Take the following example, which is a normal class method: >…
Forcing your children to eat things they aren't comfortable with is not a hack. Please do not do this. There is a significant difference between providing a positive environment for your child to encounter new foods and…
If I follow your statement, it doesn't appear correct. JS Promises are eager, and the work underlying the promise will begin executing prior to being awaited. Await is just blocking on that execution's resolution. //…
If you're not familiar with the term, this image viewer pattern is generally called a lightbox rather than a carousel. I generally don't see the two used interchangeably, but there's similarity to the prev/next…
Since you provided a concrete scenario, I should probably do the same to clarify what I'm referring to in re-parenting or hoisting hooks. It doesn't really map to the statement "replace a global store with localized…
That's not a bug with hooks, but almost a complete misunderstanding of how hooks work (*on the part of anyone who writes that code thinking it will behave otherwise). Hooks are effectively instantiated on a specific…
It sounds like you're talking about network resolved state. I like to share this sort of state using a subscription model, where components subscribe to a property of a state root (which anchors/owns the state and how…
One of the problems Redux is used to solve (as a global store) is peace of mind that you won't need to refactor large swathes of component trees to reparent state and callbacks that need to be shared or persisted across…
I feel compelled to step in here and hopefully provide some insight on what that report means, because it doesn't appear to be what you implied. * Edit: The header image failed to load for me and complicates much of…
And options help with solidifying input contract as well as the output. Knowing what's an acceptable input via a type system is just as relevant as knowing what is a potential output.
Looks like an interesting project. I know the website isn't responsive, but adjusting the current meta viewport declaration would go a long way while you're working on a full solution. The minimum zoom of 1 makes it…
If seems like you discount portability as a concern, and if that's appropriate for your use case, that's a fair decision of course. But there are many use cases for which that's a priority. The concern the BEM and…
If you build sites that can support arbitrary viewports, extrapolating to arbitrary scaling factors on a given concrete viewport does not create an explosion of scenarios to manually test -- all you need to know is that…
I've written a series of very similar articles, and seeing as some of the ones in this site don't seem to be available yet, and otherwise as another point of view, they may be of interest to anyone looking at this:…