
Show HN: Comntr – a widget that adds comments to your page - comntr
https://comntr.github.io/about/
======
report212312421
was able to inject script via the username

[https://github.com/comntr/http-server/blob/master/src/handle...](https://github.com/comntr/http-server/blob/master/src/handlers/comments.ts#L22)

~~~
comntr
Yea, I missed the obvious one!

------
comntr
Also, it's already possible to have your own comntr server: you just need to
git clone the comntr/http-server repo, npm install & npm start it, and tell
the iframe to use your server with
?srv=[https://foobar.com:42751](https://foobar.com:42751). This would be an
"on-prem" solution.

------
comntr
My first post about the web extension idea got some interest (and almost 150
stars on github!), so I've made the next logical step: an <iframe> that
renders the comntr.github.io page and effectively adds comments to your page.
The spam problem is partially addressed by the filters: the iframe.src can
have a special ?filter=[...] param that can hide some of the comments you
don't like. Although it's unlikely one can bypass the security model around
those filters (but you are welcome to try!), advanced spammers can still post
a lot of garbage to those comments as they can easily generate new ed25519
keys.

~~~
ivolimmen
You can also add a content security policy.

~~~
comntr
Done:
[https://github.com/comntr/comntr.github.io/commit/af35](https://github.com/comntr/comntr.github.io/commit/af35)

------
jteppinette
I like all the XSS attack tests in the demo.

------
pedro1976
Can I simply prefix any url with commentr.io to get to the comments section?

Some time ago I did a scoring and visualization of reddit threads, maybe you
find it useful, see
[https://migor.org/reddit/#/discussion/top?url=https:%2F%2Fww...](https://migor.org/reddit/#/discussion/top?url=https:%2F%2Fwww.reddit.com%2Fr%2Fworldnews%2Fcomments%2F3rlu3g%2Ffull_text_of_the_tpp_has_just_been_released)

~~~
comntr
Yes, this is how it works:

comntr.github.io#[http://foobar.com/](http://foobar.com/)

------
darekkay
This sounds interesting. I've added Comntr to my extensive blog post about
static site comments [1].

[1] [https://darekkay.com/blog/static-site-comments/](https://darekkay.com/blog/static-site-comments/)

~~~
comntr
I think "comntr" is more like an "integrated 3rd party" that can be run like a
self hosted solution.

~~~
darekkay
Thanks for the clarification, I've updated the description.

------
mro_name
To just get a few comments (not quick, unmoderated discussions or in the
thousands), a radical strip-down may suffice – neither server-code nor
JavaScript, let alone a 3rd party: pure Atom XML rendered to HTML client-side
via XSLT in an iframe. No comment markup. Feel free to express yourself in
Unicode.

See e.g. at [https://mro.name/blog/2009/08/nsdateformatter-http-header/](https://mro.name/blog/2009/08/nsdateformatter-http-header/)

------
jeremyjh
The hard problem in this space is spam prevention. It's not immediately clear
to me if this even addresses it? Other than giving ban/filter controls to a
human.

~~~
comntr
I think most of the spammers can be deterred by a simple puzzle, like 23+47.
If we want to raise the bar, we make the puzzle more and more complex.
Obviously, the puzzle is returned as an svg picture where the letters are
"rendered" with little squares. My point is that 99% of the spammers out there
are lazy and won't be able to pass this little test vs someone who's written a
thoughtful comment and can definitely add 23 to 47.

~~~
smt88
It sounds like you may not have spent any time researching anti-spam
techniques.

Your initial "puzzle" can be solved with 8 characters of JS: eval("23+47").

Your SVG picture can be solved using off-the-shelf OCR like Tesseract.js.

Even very challenging reCAPTCHA reading tests are mostly solvable by spammers.

You'd be better off using something with thousands of expert person-hours
behind it, like reCAPTCHA v2.

~~~
comntr
That's right, I haven't.

The puzzle will be sent as an SVG, obviously.

Em.. "off-the-shelf OCR" sounds neat, but anyone who knows such words isn't an
average spammer. The goal of basic SVG puzzles is to block 99% of the spammers
who just type dumb comments on keyboards. The remaining 1% can be taken care of
by human mods.

TBH, I don't like the reCAPTCHA-like solutions. They are just annoying from my
personal experience and if they rely on any 3rd party service, I'll give them
a hard pass for this reason alone. My approach is to use trivial SVG-style
captchas with adjustable complexity, e.g. instead of asking "23+34", we can
ask "log(32)/log(2)" and effectively filter out everyone except people
familiar with math, or "md5(2615), first 7 hex digits" and let in only people
familiar with cryptography. Forcing users to detect birds and crosswalks will
just make them upset, IMHO.

~~~
georgyo
You said SVG twice now, but I don't see what is obvious about it.

It's an XML document that should be easier to figure out than a raster image
format such as jpg or png.

~~~
swiley
Won’t it have to be converted to a raster image before it can be OCR'd?

Granted all you need to do is render it to a canvas but that’s an _extra_ step
on top of everything you need for a raster image, I’m not sure it’s _easier_.

~~~
comntr
And just rendering to canvas may be very tricky if the captcha is animated
with css, i.e. it moves a bit and different parts of it appear at different
times.

------
nexuist
This is really cool! One step closer to a decentralized Web.

~~~
personjerry
All the comments would be hosted on this site; it's actually centralized.

~~~
comntr
That's right. My first attempt was to use IPFS or DAT. Figured out it's not
quite possible, but we can get very close to that, in theory. Imagine the
extension or the iframe could run an ipfs.js or dat.js that would discover all
the http servers with comments via DHT: servers that want to participate
publish a unique key to the DHT and the web clients discover this key and then
the IP addresses of the servers. In practice, this doesn't quite work because
DHTs are based on the assumption that any node can quickly ping (with a UDP
packet) any other node and thus perform the DHT discovery using the Kademlia
algorithm in log(N) steps. But in the web, the only way to "ping" someone is
to set up a p2p connection with WebRTC: this not only needs a signaling relay,
but also implies a multi-step exchange with SDPs and has other costly
overhead. And I haven't even approached the Symmetric NAT problem. This is why
ipfs.js hogs CPU, allocates 1 GB and keeps 4-8 sockets always open (they
aren't even p2p now, but rather web sockets to some relay, for perf reasons).

------
zimbatm
In the same space: [https://utteranc.es/](https://utteranc.es/)

A lightweight comments widget built on GitHub issues.

------
mouzogu
It's a nice idea, not a fan of the name if I'm being honest. Although I know
that names are hard.

------
keithnz
So where's the data getting stored? In a database you are hosting?

~~~
buzzerbetrayed
Or one you're hosting. You can self host the server, as explained in OP's
comment on this thread.

~~~
o-__-o
Except it redirects from OP's server. Meaning they capture your data.

Themoreyouknow.jpg

~~~
comntr
You can git clone and launch your web client too.

------
jugg1es
Can it add vowels to registered trademarks?

