Yes, it’s essentially that, FPI with workarounds for common breakage. You should switch from FPI, this is essentially another take on FPI by some of its original developers, so it should have fewer issues overall, not just site breakage.
(I’m one of the developers of this feature and co-author of the blog posts)
This is a great question and I’m glad you found the answer, you probably understand that for many blog posts we avoid going into too much technical detail.
To answer your final question, there is no hardcoded allow-list for State Partitioning. The heuristics as described on MDN are accurate.
Have you considered using something like Expounder (https://skorokithakis.github.io/expounder/) in your posts? (Disclosure, I made it but it's a small open source lib).
I don't see why we can have full-blown web apps but our text needs to be very specifically just text these days.
Thank you! I used to use footnotes too, but I didn't like how they took you out of the flow of the text. Expounder aims to specifically let users stay in the flow of reading, which is why one of the core instructions is that the text should work in context, as if it were never hidden.
It's good to see experiments along these lines. I really like Wikipedia's recent-ish rich tooltips on link mouseover, and the HTML <summary>/<details> elements deserve to be more widely known.
From the demo it looks as if Expounder is one-way - once you've expanded something, you can't collapse it again. Is that correct?
I miss footnotes on the printed page because, in addition to references (where they're probably better as endnotes to be honest) I find they're great to use for parentheticals that bulletproof a point, add some background that's not essential to a point being made, etc. But these latter uses work significantly less well in a blog post or ebook.
What I dislike about footnotes like that is that they pollute the browser history. If you want to leave the page but clicked on a few footnotes and their backlinks, you have to go “back” through all of them.
Thank you so much for posting gwern’s sidenote article! I want to use sidenotes on my site and this was a very valuable resource!
Back button usually comes with an unfoldable list of jump points.
I am more annoyed by how the jump points are turned into a useless feature by so much JavaScript out there which loads new content without impacting the browsing history.
I love this, but I'm a bit surprised that you do not include the ability to "unexpound" an "expounded" term. Is that intentional?
If I were reading a technical text, I would definitely end up reading most paragraphs at least twice. It would make no sense to keep the expounded terms in the second time; I'd be tempted to hide them back as soon as I was finished with them the first time.
It's because, once clicked, the new text should become part of the old, and that's it. Presumably you've already read it, and I don't want to make the viewer have to re-collapse the links every time.
Your use case makes sense, though, which is why the feature was included. Maybe I should mention it in the README.
I think collapsing would also be useful when all you need is a quick reminder, not a full explanation. Like "What's that again? [click to expand] Oh that's right [click to collapse]". That's easier than finding the place to skip to.
Hi, can you consider adding some accessibility to the library? Currently, I don't have a way to know that a term could be expanded, because the signal seems to be visual only and not detectable via a screen reader. Adding aria-pressed might be the solution, but I'm not an expert, just a user.
I feel like the inserted text should be highlighted with a light yellow background or some indicator. Just appearing like that inline seems a bit funky or unexpected.
But I see there is a css class which is nice.
Just a simple rgba(x,x,x,0.5) where the x’s are the usual yellow height.
Why use this instead of footnotes? For example in these Feynman lectures below the footnotes and references to formulas and images activate when you hover over them. These footnotes can even include graphics and formulas.
To me, footnotes serve a different purpose, e.g. linking to papers, like the Feynman lectures site does. Expounder is more about indicating that you don't know something, so the text itself can change to accommodate you.
It should animate the text while unfolding, but, other than that, there's no need to know what was unfolded. You just click what you don't know and eventually read the relevant info!
Not the author, but presumably you're overlooking the fact that the expounded term doesn't necessarily have to be "inside" or even "neighbouring" to the details element.
The author's intent here is to have terms explained in the text explicitly in such a way that it would 'augment' the text with an explanation somewhere further down the line, but not necessarily "in-place".
It is also intended for text specifically, rather than replacing one element with another.
I agree that display/summary are similar in spirit though, I had not come across those before.
Awesome. Just a heads up, I've already finished it and just submitted it. HOWEVER, the plugin has to be licensed as GPLv2, but it shouldn't affect your license (since it's just using your code as a library). I'd feel better about it (and it will probably be smoother sailing during the review process) if I could submit your names as authors on the plugin.
Is there support for an expound-all button on a page? I definitely have days where I just want to also read the details and don’t want to click a dozen times while I’m reading.
Not currently, but it shouldn't be hard to add a button with one line of JS to add the required CSS class to all the elements. This might defeat the purpose, though, as it's kind of intended to save you from reading things you already know.
This should have always been the only way it worked.
Plus it should be easier to create white lists of allowed websites and have all other cookies deleted with every browser restart. I know it is possible with Firefox but you need to add websites to the whitelist manually in deep settings. At least there are some extensions that make it easier, like CookieAutoDelete https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
I would like something like, each site by default gets a bucket by name.
If cookies from another bucket should be shared with other sites, or might be seen when requested by a cross-site load from another site, ask the user a four choice question.
"Allow (site) to see cookies from (site)?"
Always Allow, Just this time, Ask later, Always Deny
What I wonder/concern is how can one decide for legit use.
This also sounds like a possibility for discriminating small players with legit use. (similar to Microsoft's SmartScreen)
It would be great to know how those concerns are handled.
If your users are clicking a button then it should actually show the permission prompt, unless you're losing the user interaction somewhere in the callback (by doing something async first)
I guess this is then happening because I'm first checking if there's a subscription via `pushManager.getSubscription` before creating a new one in the event handler.
Yep, dropping getSubscription makes the popup appear again.
Neat story, but I don't see the analogy. OP says he/she doesn't see any innovation, not "this innovation is obvious". At least tell us an egg or two that Slack cleverly stands on end.
Now it occurs to me I may have been making a distinction (about the nature of innovation) where there arguably isn't one. Still, I think it's fair to ask exactly what Slack is doing right. If there is a real innovation, someone should be able to tell us (there've been some good responses); otherwise it's just lucky network effects or a fad.
HTTPS is a lower bound of reasonable security, not an upper one. The argument for HTTPS _everywhere_ is that it's the smallest possible thing you can do to make yourself slightly secure.
Would you find it ironic that someone selling combination locks for gym lockers wants a better lock on their storefront?
I find it ironic if banks and post offices are using combination locks as advertised security measures but the people selling those install steel doors on their storefront.
True, I'm not surprised at all. HTTPS Everywhere-like functionality should be integrated into browsers and not a downloadable extra, tricking people into feeling fully secured.
This is something that could definitely have been reported to Slack before disclosing it publicly. Maybe he did that, but it's not mentioned in the blog post so I assume he didn't.
It's just a nice thing to do and they might reward you for it. You can still post it on your blog after they released a fix.
This is hardly an exploit. Since no authentication is required in order to see the chatroom listings for any domain, we must assume that they meant for their chatroom directory to be public information. This may not be what their customers are expecting, though...
It's not listing chatrooms, it's listing teams. Very different. For example, at the company I work we have two teams on Slack: Engineering and Marketing. Not really a problem if people find out that! The channel listing would potentially be more interesting, and this exploit does not allow you to see that (spoilers: it's "general", "random", and "cats").
It's information disclosure at its finest. Something you _really_ want to avoid in a sensitive environment - which company internal comms certainly is.
The way companies handle security disclosures lately (i.e. laughing it off, or paying $6 reward), it seems like shaming them would work much better. Plus, this is truly a beginner-level failure, the kind you'd get insulted for by Linus.
Well considering other people posted a tweet about someone trying to report it as a vuln on August 13th and getting told it's a feature, I'd say he's not exactly generalizing in this specific instance.
I'm not generalizing, and I don't really care about Slack. I'm just putting forward a hypothesis about what might be going on in a security researcher's brain when they stumble upon a vulnerability.
Slack has a Reporting Security Vulnerabilities page on its site: http://slack.com/whitehat. Seems like something they would have taken seriously if it had been brought to them first.
Shaming Slack is one point. This guy just exposed the confidential information of who knows how many of Slack's customers. In my opinion that's douchery of epic proportions.
This. That was exactly a kind of vulnerability that is meant to be publicly disclosed. Nothing of matter will happen to anyone because of that vulnerability, but people might remember it and next time they'll think twice about how they handle authentication.
This was about the most minor kind of information leak you could imagine. I doubt anybody is going to feel any real 'hurt' from this.
In this case the information seems unlikely to contain anything sensitive pertaining to customers. If it had though then the companies that had negligently put sensitive information on untrusted servers would be held liable and could face significant fines (violating the Data Protection Act 1998 in the UK can lead to fines of up to £500,000 and similar legislation exists in other parts of the EU). That more serious kind of breach is the one we are trying to avoid by advising companies not to use cloud services.
The lesson can be had independently of the intent of douchery. Shit happens, and learning from your mistakes (by admitting them) is a fine way to get better at what you do.
I have no inside info, but my guess is probably not. Unless we're talking about AirBnB or Dropbox, most YC companies aren't going to want to take the time out to deal with the regulatory hassles of H1B sponsorship.
That said, for the perfect candidate, exceptions will be made.
Are you speaking from experience? I've found the TN process really confusing for an intern, and if you have any experience with the application process, I'd love to hear about it.
Yes. Get the company's lawyer to fill out the paperwork for you and you show up at the airport with the paperwork and receive a visa. You can't apply in general for a TN, it is company specific.
Same question here. From my friends who interned at Amazon, Facebook etc. the visa seemed pretty easy to get (we're Canadians), but those are bigger companies, not sure if the same applies to YC startups?