This extension is trivially vulnerable to XSS - anyone can write javascript in their HN bio and it will execute in your logged-in context if you mouse over their profile. Here's the relevant code:
But first, a disclaimer - I'm not saying this is why the extension was developed, or that this is the reason OP points out the vulnerability. I'm 99.999% certain this is a random case, but it is a good learning case nonetheless.
Rabbits.
Sometimes in life people say things they regret. Or they don't regret them, but their self-interest is better served if no one knew they said said thing, or it is that they just worry Harvey might be offended and their career path will be ruined, so it had better be taken back.
But... yak... what’s done is done.
What can you do?
Cry?
No. Rabbits!
Wouldn’t it be nice if some browser extension published on HN would have some fault that would allow someone else to post using my logged-in account?
It depends on the origin of the iframe - if the iframe origin is the tuple (https, news.ycombinator.com, 443) then even if it's in an iframe it still has access to everything. If you put the content into its own origin (say, with <iframe src="data:text/html;base64,..."></iframe>), then it would no longer† have access to your data, but someone who put javascript on their bio could still pop up an alert with arbitrary content in your browser, for instance.
† Well, it's also debatable whether or not an iframe with a unique origin would be sufficient protection in the age of Spectre/Meltdown style vulnerabilities, where code execution in a process means you have access to the entire memory contents of that process. Chrome has strong protections against this in the form of Site Isolation [1], but Firefox does not (though they are actively working on it with Project Fission [2]), and Safari/etc do not to my knowledge. We don't _really_ need to be worried about Spectre/Meltdown vulnerabilities being used against a Hackernews profile viewer extension, but at the same time it's easy enough to write safe code that doesn't allow javascript execution in the first place, so why not do that instead?
The right way would be to either use a templating language that takes care of it for you (react/angular/vue/etc), or to write some plain javascript instead of injecting DOM with jQuery.html(). Something like:
// Build the node yourself instead of handing markup to jQuery.html().
const div = document.createElement('div');
// textContent is never parsed as HTML, so the tag below is shown as literal text.
div.textContent = 'This is the bio. <script>alert("This will not execute");</script>';
document.body.appendChild(div);
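To make the two safe routes from the comments above concrete (the textContent approach here, and the broader point from the iframe discussion that untrusted bio text must never reach a markup-parsing context), here is an added example. It is not code from the hncard extension or from the commenter; the profile fields and the crafted bio are constructed sample data, and the function names are my own.

```javascript
// Added example (not the hncard extension's code): rendering an untrusted HN bio
// without letting script in it run. Two safe routes are shown:
//   1. build the card as an HTML string, escaping every interpolated field;
//   2. build DOM nodes and assign the bio with textContent (browser only).
// The vulnerable pattern the thread describes looks like
//   $('#card').html('<div>' + user.bio + '</div>');
// which parses the bio as markup, so <script> and onerror= handlers execute.
// That pattern is deliberately NOT used here.

// The five characters that can break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Route 1: string templating with escaping. Every field scraped from the
// profile page is treated as untrusted, not only the bio: the username and
// karma values also come from a page the extension did not author.
function renderCardHtml(profile) {
  return [
    '<div class="hn-card">',
    `  <strong>${escapeHtml(profile.username)}</strong>`,
    `  <span>karma: ${escapeHtml(profile.karma)}</span>`,
    `  <p>${escapeHtml(profile.bio)}</p>`,
    '</div>',
  ].join('\n');
}

// Route 2: DOM construction. textContent never parses its value as markup, so
// a <script> tag in the bio is displayed literally. `doc` is passed in so the
// function can be called with the real `document` from a content script.
function renderCardDom(doc, profile) {
  const card = doc.createElement('div');
  card.className = 'hn-card';
  const name = doc.createElement('strong');
  name.textContent = profile.username;           // hypothetical field name
  const karma = doc.createElement('span');
  karma.textContent = `karma: ${profile.karma}`; // hypothetical field name
  const bio = doc.createElement('p');
  bio.textContent = profile.bio;                 // hypothetical field name
  card.appendChild(name);
  card.appendChild(karma);
  card.appendChild(bio);
  return card;
}

// Constructed sample profile: a username that tries to break out of an
// attribute context and a bio carrying an inline script.
const sampleProfile = {
  username: 'pat"><img src=x onerror=alert(1)>',
  karma: 1234,
  bio: 'Hi! <script>alert("this will not execute")</script>',
};

// Stand-alone run: print the escaped markup, and append the DOM version when
// a document exists (i.e. when run inside a browser or extension page).
console.log(renderCardHtml(sampleProfile));
if (typeof document !== 'undefined') {
  document.body.appendChild(renderCardDom(document, sampleProfile));
}
```

Route 2 is the one the comment recommends and is preferable when you control the rendering code; route 1 is the fallback when a string of HTML is unavoidable, and the rule is that every interpolated value goes through escapeHtml, with no exceptions for fields that "look safe".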
However, I personally like not glancing over user karma just to avoid bias. On Slashdot, for instance, I subconsciously assigned higher credibility to posts made by smaller (numeric) ids. The new reddit has it too.
I tend to agree. I know you are referring to karma but it also applies to comments. A few times I've found myself doing the same and then chastise myself for it. I think making comment histories private might be a potential solution, some are moving for reddit to do this.
I am honestly torn, as I progress in my career and life, as a sort of contrarian type, I get more and more worried some background check algo is going to find my presence on platforms, troll my history, and find some random comment from 5 years ago that might be controversial and blackball me for it, unbeknownst to me. On the other hand, I hate the idea that we increasingly self censor as we all become more aware of this.
This is why I still think anonymity is important on the internet, and lean towards burning accounts every couple of years on commenting platforms. This is also why I still value what others might call cesspools that are the chans, and of course onion sites et al.
Karma is also generally a bad idea because it causes people to comment/submit just to increase it and causes them to say stuff that will give them more karma.
If karma has to be present, it's best if it is as subtle as possible.
HN Card lets you quickly glance at a user's profile without leaving the page you're on. You can quickly see a user's bio, karma, account age - plus quick links to their comments and submissions. Plus, if they have an email address or Github account in their bio (providing they've set up a Gravatar or Github avatar), you'll see their avatar too.
Hey, thank you. Looks like the submission has been flagged already, so I don't know whether it's still going to be relevant to HN users, but I'm gonna email you. Thank you.
Okay, I don't want/mean to be impolite, but the 15 commits I see after forking aren't really significant; is this really a Show-HNable item?
I see you updated jQuery[0], added your screenshot[1] & edited the Readme, each with trivially small edits[2]... and out of the 15 commits, 11 are related to the screenshot and Readme.
I can't see any new code written, I can't help but suspect that this repo & account was made to get karma...
If you would like some project ideas, I would urge you to modify the styles of the current HNCard plugins to match the HN aesthetics; like non-styled buttons/links with the beige background colors and less margin.
Really cool project! I've been trying to find time to experiment with making a browser extension and I'll probably be referencing this project while I learn. Thanks for sharing!
I like it, nice clean look. I cloned and installed from source (Firefox) and it works fine; haven't tested installing from the store but I imagine it's the same.
Small typo in the readme under the Firefox instructions. It says go to the "about:debugging" section and click "This is Firefox" but it should be "This Firefox" (no 'is').
https://github.com/mudulo/hncard/blob/master/chrome/js/hnpro...