Comments (3)
Indeed, something we hope to improve upon. Listed runs on pretty legacy Rails and has not been brought up to date with the rest of our infrastructure, but we're slowly inching our way there. Likely we cannot get around passing it in the URL for GET requests like opening up the user Settings page but we can explore short-lived tokens.
from listed.
Any update on this? I feel like it's a pretty major security issue, since with that token, all private posts can be found, posts can be edited/ deleted and settings modified. Possibly an alternative could be to use Standard Notes auth?
What's the plan for the updated version of Listed (tech stack, timelines, etc)? I would definitely be happy to help out with any dev tasks if needed
from listed.
No major upgrades or architectural changes planned for Listed right now, as much as we love the service. We don't have the capacity to undertake any big architectural refactors for it right now, as our present focus is our main app stack.
Although ephemeral tokens would be an improvement, the security concern here is in my opinion theoretical and not too practical. The only parties that could see a query param in an https request is you and us. On our end we're careful not to log this parameter as it passes through our infrastructure stack.
from listed.
Related Issues (20)
- [Help Wanted] [Listed] Custom CSS for individual posts? HOT 4
- Og tags for LinkedIn HOT 2
- [Listed.to] Reference to "Extended" plan in Custom domain settings HOT 2
- [Listed.to] Can't see caret on <input>s when dark mode is enabled HOT 1
- Support SSL certificate with Subject Alternative Names HOT 1
- Listed.to session cookie doesn't have Secure flag set HOT 1
- Double x-frame-options header on Listed.to
- Listed.to server supports TLS 1.0 and 1.1
- listed.to homepage not update HOT 3
- Same-document hyperlinks support HOT 2
- Stripping out forms
- Request for GFM checklist suport
- Scroll position kept between main blog page and articles
- fenced code block colors difficult to see in dark mode
- Problem with Verify Subscription HOT 1
- Allow usage from self-hosted Standard Notes instances
- Disable email subscription doesn't prevent subscriptions HOT 1
- Custom css not working HOT 1
- Rust code block comment syntax is not highlited properly
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from listed.