Those of us who noticed when HailCorporate first got shadowbanned could see that particular train a coming. Reddit was always going to strangle its own content to death in order to make it more advertiser friendly. I’m honestly surprised it took as long as it did.
The advent of ChatGPT has made those obsolete, since ChatGPT is probably trained on all of those.
only on new reddit
It’s also blocked for old.reddit.com.
Yes, that will happen when the “problem” lives solely between your ears.
You are more than welcome to block any and all content from that instance. You can do this by going under your user settings and clicking on the “Blocks” tab and searching for lemmy.ml in the Block Instance section. That’s the thing about Federated content. You have the power to selectively engage with the content of your choosing. You don’t get to quarantine others because there is no centralized authority that gets to say “your instance gets stuck in an internet ghetto where it isn’t allowed to interact with other users.” You have to quarantine yourself by excluding content. If that doesn’t work for you, then maybe it’s less that you dislike their authoritarian ideology and more that it isn’t the same flavor as your own.
It’s the Vampire Castle phenomenon of online leftist spaces. One dev and instance admin of Lemmy has problematic personal beliefs, so now we aren’t allowed to be on Lemmy anymore because it’s failed an ideological purity test that OP decided for the rest of us. In other news, Jimmy Wales, the founder of Wikipedia, is a hardcore Ayn Rand style freemarket libertarian, so I guess we should all ditch wikipedia and each buy a 400 pound Encyclopedia Britannica set. Because that’ll show him to believe things I think are terrible.
Wow, reddit is actually up 23 percent year to date. Boy, if I needed any more evidence we were in an economic bubble than that…
U.S. court system: “Providing a trademark for these would be an instance of gross negligence and general abuse of copyright law to provide a corporation with no genuine claim to these references carte blanche use and legal guarantee of sole ownership of them. So we’re going to do that because we’re functionally an engine of capital and not actually a mechanism of justice.”
Oh boy a semantic argument
It turns out the language you use can be semantically ambiguous or misleading if you phrase it incorrectly. Today you learned.
And any web dev who remotely understands the point of CSP and why it was created, should instantly have alarm bells going off at the concept of triggering arbitrary ajax via html attributes.
Oh, did you finally manage to fucking Google how HTMX works so you could fish for more reasons to say it’s unsafe? What you’re describing is not a particular concern to HTMX. If an attacker can inject HTML into your page (for example, through an XSS vulnerability), they could potentially set up HTMX attributes to make requests to any endpoint, including endpoints designed to collect sensitive information. But, and this is very important, this is not a unique issue to HTMX; it’s a general security concern related to XSS vulnerabilities and improper CSP configurations.
Do you know what the correct cure for that is?
PROPER CSP CONFIGURATION.
“HTMX doesn’t bypass CSP! It just (proceeds to describe the exact mechanism by which it bypasses CSP)”
Do you genuinely not understand that CSP works on the browser API level? It doesn’t check to see if your JavaScript contains reference to disallowed endpoints and then prevents it from running. I don’t know how you “think” CSP operates, but what happens is this: The browser exposes an API to allow JavaScript to make HTTP requests - specifically XMLHttpRequest and fetch(). What CSP does is tell the browser “Hey, if you get an API request via XMLHttpRequest or fetch to a disallowed endpoint, don’t fucking issue it.” That’s it. HTMX does not magically bypass the underlying CSP mechanism, because those directives operate on a level beyond HTMX’s (or any JS library’s) influence BY DESIGN. You cannot bypass if it if’s properly configured. Two very serious questions: what part of this is confusing to you? And, have you ever tested this yourself in any capacity to even see if what you’re claiming is even true? Because I have tested it and CSP will block ANY HTMX issued request that is not allowed by CSP’s connect-src directive, assuming that’s set.
CSP works on the browser API level - all HTMX does is what you could do yourself with any AJAX: send an HTTP request to an endpoint. If the CSP disallows that endpoint, it will fail.
Removed by mod
Just to be clear, are you talking about some kind of templating library that literally transpiles all the htmx logic and instead packs it into individual ajax logic in js files “per element”, such that you don’t need to serve htmx client side and instead you pre-transpile all the ajax logic out to separate files?
My brother in Christ, what the fuck are you talking about “transpiling HTMX” and “serving HTMX client side?” You don’t “serve” HTMX and there’s nothing to “transpile into JavaScript.” It is JavaScript. That’s like saying you “serve React client side” and “transpile JavaScript into more JavaScript.” Jesus, I feel like I’m taking crazy pills.
Cause the very start of my statements was that if we had something like that then HTMX would be fine, as a templating lib that transpiled out to html+js.
Oh, okay, so you don’t actually know what HTMX is or how it works, then? Because HTMX (https://htmx.org/) is a JavaScript library. Like, literally just a JavaScript library. It’s like…4000 lines of JavaScript. In fact you can read the source code for it here: https://github.com/bigskysoftware/htmx/blob/master/src/htmx.js. For some…insane reason you seem to think HTMX is its own language. It’s not. It’s…just a JavaScript library. There is no other language called HTMX. There is no other mechanism or tool called HTMX. No implementation or protocol or ANYTHING else. It’s just a small JavaScript library.
invoke arbitrary logic with html attributes
Once again, HTMX enhances HTML with various attributes declaratively. It utilizes custom data attributes in HTML (like hx-get, hx-post) to specify how elements on the page should behave - essentially, how and where to fetch data or submit forms without a full page reload. This is a form of declarative programming that tells the htmx.js library (which is just doing fucking AJAX) what to do when certain events occur (e.g., a click or a form submission). The actions (like the actual requesting of data from an endpoint) are performed by the code in htmx.js.
This is a fancy way of saying “if you stick an hx-get attribute on a button, then you can just say where you want a GET request to go to and what element you want updated with the HTML returned from it and htmx.js will parse that out on page load and set an event listener for the button click to know when to initiate an AJAX request to the defined endpoint.” If you had an hx-get attribute in an element in a page and that page didn’t have the htmx.js library loaded it would do literally nothing.
And, once again, HTMX, being a JavaScript library, operates under the same security constraints as any JavaScript executed in the browser. This means that:
HTMX enables arbitrary invocation of ANY api endpoint with cookies included, through html attributes, which inherently can’t be covered by Content Security Policy
I want you to please explain how HTMX bypasses the Content Security Policy connect-src directive, or any -src directive, for that matter, assuming it is specified (which it should be). Because I’m genuinely curious why the HTMX dev team would include a section on CSP in their docs if it did literally nothing, as you say.
Actually, as an even more basic question…you do know that HTMX is literally just an AJAX library, right? It doesn’t actually “do” anything via HTML attributes. The additional HTMX attributes, like hx-get, hx-post, etc. just tells HTMX where and how to make the API requests. These requests are executed by the browser’s native fetch or XMLHttpRequest APIs, depending on compatibility and implementation. Therefore, HTMX is subject to the same security constraints and policies as any other JavaScript-based operation that makes HTTP requests. Which also, by definition, means that it adheres to the Content Security Policy directives configured for that website.
In other words, an HTML button element with hx-get=“https://www.some-endpoint.com/” on it would eventually translate into
const xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.some-endpoint.com/");
xhr.send();
on click.
You do understand that, right?
“Billionaire has shitty beliefs. In other news, the weather in London is still complete ass.”
The preferred term is NaMP - Not a Magical Person/Non-Magical Person. You could also say “Person of Non-Magic,” but it’s hard to pronounce “ponm.”
number puzzles that need to be solved.
In JK Rowling’s mind the number puzzles are things like “How many genders are there?”
The correct answer, of course, is “Fuck you, JK Rowling, that’s how many.”
deleted by creator
That would be reasonable, I think. As you drill down into reply threads comments tend to become more focused on particular topics of conversation, in my experience, and so the size of any given reply might reasonably diminish.
Hmmm, not really. Rather, the community is specifically focused around conversation. But a different type of conversation. Typical internet conversations on reddit (and a lot of other places), especially over the last several years, seem to mainly occur in short bursts and at a fairly superficial level. The kind of community I’m envisioning is one in which there’s a central topic or theme (such as film), but it focuses on fairly deep or complex conversations. If someone wants to respond to a comment made by another user, it’d typically be point by point with supporting evidence and argumentation. Or at least a well reasoned perspective. An okay, if not spectacular, example would be this post on reddit from a couple of years ago on r/TrueFilm (https://www.reddit.com/r/TrueFilm/comments/khlrnv/a_brief_rant_about_my_cinema_students_and/). The post itself is a few hundred words and focuses on a central concept or observation made by the OP. Most top level comments are a paragraph or two. There are brief responses in the individual comment threads, but the actual discussion is fairly robust and provides new ideas and perspectives beyond just people saying “lmao same” or similarly useless comments.
It’s good for python stuff, specifically, potentially because python as a language is the closest we have to a natural, descriptive programming language, and as an LLM that might make connections between functional behavior and language easier. That said, it sometimes tells you to do things that won’t work because the libraries you’re using have some specific incompatibility issues between them and the only way you can find out is via github issue discussions.