
Show HN: HN Card, Hacker News Profile Overlay - hncard
https://github.com/mudulo/hncard
======
arkadiyt
This extension is trivially vulnerable to XSS - anyone can write javascript in
their HN bio and it will execute in your logged-in context if you mouse over
their profile. Here's the relevant code:

[https://github.com/mudulo/hncard/blob/master/chrome/js/hnpro...](https://github.com/mudulo/hncard/blob/master/chrome/js/hnprofile.js#L122-L147)

~~~
saagarjha
If I were to write something like this, would putting the content in an iframe
help?

~~~
arkadiyt
Yes and no.

It depends on the origin of the iframe - if the iframe origin is the tuple
(https, news.ycombinator.com, 443) then even if it's in an iframe it still has
access to everything. If you put the content into its own origin (say, with
<iframe src="data:text/html;base64,..."></iframe>), then it would no longer†
have access to your data, but someone who put javascript on their bio could
still pop up an alert with arbitrary content in your browser, for instance.

† Well, it's also debatable whether or not an iframe with a unique origin
would be sufficient protection in the age of Spectre/Meltdown style
vulnerabilities, where code execution in a process means you have access to
the entire memory contents of that process. Chrome has strong protections
against this in the form of Site Isolation [1], but Firefox does not (though
they are actively working on it with Project Fission [2]), and Safari/etc do
not to my knowledge. We don't _really_ need to be worried about
Spectre/Meltdown vulnerabilities being used against a Hackernews profile
viewer extension, but at the same time it's easy enough to write safe code
that doesn't allow javascript execution in the first place, so why not do that
instead?

The right way would be to either use a templating language that takes care of
it for you (react/angular/vue/etc), or to write some plain javascript instead
of injecting DOM with jQuery.html(). Something like:

    
    // textContent assigns the string as a text node; the browser never parses
    // it as HTML, so the <script> tag is displayed literally, not executed.
    const div = document.createElement('div');
    div.textContent = 'This is the bio. <script>alert("This will not execute");</script>';
    document.body.appendChild(div);
    

[1]: [https://www.chromium.org/Home/chromium-security/site-isolati...](https://www.chromium.org/Home/chromium-security/site-isolation)

[2]:
[https://wiki.mozilla.org/Project_Fission](https://wiki.mozilla.org/Project_Fission)

------
nsenifty
It's a cool idea.

However, I personally like not glancing over user karma just to avoid bias. On
Slashdot, for instance, I subconsciously assigned higher credibility to posts
made by smaller (numeric) ids. The new reddit has it too.

~~~
arminiusreturns
I tend to agree. I know you are referring to karma, but it also applies to
comments. A few times I've found myself doing the same and then chastised
myself for it. I think making comment histories private might be a potential
solution; some are moving for reddit to do this.

I am honestly torn, as I progress in my career and life, as a sort of
contrarian type, I get more and more worried some background check algo is
going to find my presence on platforms, troll my history, and find some random
comment from 5 years ago that might be controversial and blackball me for it,
unbeknownst to me. On the other hand, I hate the idea that we increasingly
self censor as we all become more aware of this.

This is why I still think anonymity is important on the internet, and lean
towards burning accounts every couple of years on commenting platforms. This
is also why I still value what others might call cesspools that are the chans,
and of course onion sites et al.

I tend to always think about this Eben Moglen talk (listen from timestamp for
4 or 5 mins) :
[https://youtu.be/sKOk4Y4inVY?t=427](https://youtu.be/sKOk4Y4inVY?t=427)

------
hncard
HN Card lets you quickly glance at a user's profile without leaving the page
you're on. You can quickly see a user's bio, karma, account age - plus quick
links to their comments and submissions. Plus, if they have an email address
or Github account in their bio (providing they've set up a Gravatar or Github
avatar), you'll see their avatar too.

~~~
dvaun
This is a nice project — I'm glad that you posted this because I've never read
source code for browser extensions before.

With that, after looking through hnprofile.js I am curious whether you had a
roadmap in mind for improving it. These two things came to mind:

- Adding localstorage for caching info from each fetch, adding last-visited
etc.

- Adding formatting options for the drop

I'm interested in adding support for the first item if you'd like
contributions. You can email me if you'd like to chat.

~~~
hncard
Hey, thank you. Looks like the submission has been flagged already, so I don't
know whether it's still going to be relevant to HN users, but I'm gonna email
you. Thank you.

------
plibither8
The extension Refined Hacker News does this too, and has preview overlays for
comments/story links as well, along with many other things.

Here: [https://github.com/plibither8/refined-hacker-news](https://github.com/plibither8/refined-hacker-news)

------
pcr910303
Okay, I don't want/mean to be impolite, but none of the 15 commits I see after
forking are really significant; is this really a Show-HNable item?

I see you updated jQuery[0], added your screenshot[1] & edited the Readme, each
with trivial small edits[2]... and out of the 15 commits, 11 are related to the
screenshot and Readme.

I can't see any new code written, so I can't help but suspect that this repo &
account were made to get karma...

If you would like some project ideas, I would urge you to modify the styles of
the current HNCard plugins to match the HN aesthetics; like non-styled
buttons/links with the beige background colors and less margin.

[0]
[https://github.com/mudulo/hncard/commit/808060e869efc8205184...](https://github.com/mudulo/hncard/commit/808060e869efc8205184651505e438a040dd612a)

[1]
[https://github.com/mudulo/hncard/commit/cdfc024ba6aef1cb7562...](https://github.com/mudulo/hncard/commit/cdfc024ba6aef1cb7562ee8e62dd552c98357c84)
and
[https://github.com/mudulo/hncard/commit/a42aaca31de97d894950...](https://github.com/mudulo/hncard/commit/a42aaca31de97d8949501964b5cc126ca5819f88)

[2]
[https://github.com/mudulo/hncard/commit/eae608db902b6501dc66...](https://github.com/mudulo/hncard/commit/eae608db902b6501dc66320c7993e7a887b5477d),
[https://github.com/mudulo/hncard/commit/dc756ffebdfe2d08ffaf...](https://github.com/mudulo/hncard/commit/dc756ffebdfe2d08ffaf81082de70afca8c29f2d),
[https://github.com/mudulo/hncard/commit/3d78b1c3a02bf1499016...](https://github.com/mudulo/hncard/commit/3d78b1c3a02bf1499016dd2e1ac3199b22f23f3a),
[https://github.com/mudulo/hncard/commit/1b96751bcadc8393e319...](https://github.com/mudulo/hncard/commit/1b96751bcadc8393e3196a43e972d1f943505ad7),
[https://github.com/mudulo/hncard/commit/6293499bb0d0bb87c889...](https://github.com/mudulo/hncard/commit/6293499bb0d0bb87c8894d2d65f2cd2b85200e60),
[https://github.com/mudulo/hncard/commit/205450c6998233fad28b...](https://github.com/mudulo/hncard/commit/205450c6998233fad28b8f2d29137e9609f4dc51),
[https://github.com/mudulo/hncard/commit/0c7b4d67df6b8ca19266...](https://github.com/mudulo/hncard/commit/0c7b4d67df6b8ca19266c7d141eec471ae1a9a93),
[https://github.com/mudulo/hncard/commit/596eef59eba83f1a0aad...](https://github.com/mudulo/hncard/commit/596eef59eba83f1a0aaddc82870c5b688473d6f1),
[https://github.com/mudulo/hncard/commit/91e80d40f1a74c3479af...](https://github.com/mudulo/hncard/commit/91e80d40f1a74c3479afd5ba4dd74103458eaa91)

~~~
brandonfro
I have the same suspicion. There doesn't seem to be anything meaningful added.

~~~
hncard
You definitely have a point, but at the very least the original could not be
installed on Firefox, and I thought the project was cool, so I forked it.

It's more like: this project is cool, but it was last updated 5 years ago, let
me fix it and share it.

------
brandonfro
Are there any fundamental differences between this and the fork
([https://github.com/timdavies/hnprofile](https://github.com/timdavies/hnprofile))?

------
farleykr
Really cool project! I've been trying to find time to experiment with making a
browser extension and I'll probably be referencing this project while I learn.
Thanks for sharing!

~~~
hncard
Hey, great to know. You're welcome!

------
keyP
I like it, nice clean look. I cloned and installed from source (Firefox) and it
works fine; I haven't tested installing from the store, but I imagine it's the
same.

Small typo in the readme under the Firefox instructions. It says go to the
"about:debugging" section and click "This is Firefox" but it should be "This
Firefox" (no 'is').

~~~
hncard
Hey, thanks for trying it out, let me fix the typo.

------
mscasts
Looks nice, but you should make the bio window a bit larger so scrolling isn't
necessary.

~~~
hncard
Thanks for the feedback, saw this too on detailed bios.

~~~
whelming_wave
You might consider changing overflow: scroll to overflow: auto so that on
short bios it isn't forced to show scroll bars.

