
A Hacker News vote button - fnaticshank
https://github.com/igrigorik/hackernews-button
======
bevan
This button is great, but the button server at hnbutton.appspot.com (which
queries the search API) is frequently over its quota, which means the button
doesn't appear / work a lot of the time.

It's easy to set up your own (free) button server though. Here's how:
<https://bountify.co/blog/host-your-own-hacker-news-button-server>

~~~
igrigorik
Fixed - plenty of quota now!

I honestly didn't realize how much traction it picked up over the past 6
months.. It was a (pleasant) surprise to log in to my GAE console and realize
that it was serving, on peak days, over 1M impressions.

Interestingly enough, the "exceeded quota" was not for CPU resources! Instead,
it was all egress bandwidth. On busy days, it would reach the free 1GB egress
limit sometime between 6-12PM, and hence the error. I've upgraded the app, and
it should be good for terabytes a day. ;-)

P.S. I've also pushed an update to enable more aggressive HTTP caching on the
assets.

~~~
recuter
So you turned on billing? ;-) Good to know it was getting so many impressions
at the free tier, GAE is undervalued by the community, methinks.

~~~
igrigorik
Yep, flipped the billing bit. All I need is the extra bandwidth though.. The
sole Go app instance is standing up like a champ!

------
EGreg
I have a question ... why can't a Hacker News button be done entirely in
JavaScript? If only HN would incorporate a CORS file. Even if it doesn't, there
could be a way to approximate it by checking if you are logged into HN, and if
you are, doing a cross-domain POST via a form.

"But how do you know if you're logged into HN?" Ah, that's the hack.

for example: <https://hacks.mozilla.org/2011/02/an-interesting-way-to-determine-if-you-are-logged-into-social-web-sites/>

more in depth: <http://stackoverflow.com/questions/5233560/possible-to-find-out-whether-a-user-is-logged-into-facebook-over-javascript-api>

The question -- for all the hackers here -- is, what resource can we request
via JavaScript on HN that will return a different status code (200 or another
one) depending on login state?

For example, maybe posting a blank password to the "change password" form will
return a non-success status code when you aren't logged in, and be an
innocuous post (since it results in an error).

Of course, the trouble with these techniques is that the site can disable them
at any time.

~~~
rcavezza
RE: status code depending on login state - You could curl the homepage and see
if the logout link exists

~~~
EGreg
True, but any way to determine it using only JavaScript in a browser?

------
josscrowcroft
Looks beautiful but any problems with the votes being discounted? Will it
still work in future or is it an exploit that would get closed?

~~~
igrigorik
The instructions are for the async install, so even if the widget is broken or
goes down (it shouldn't), your site rendering will not be blocked, or affected
in any other way.

------
leoplct
Doesn't the vote get penalized if you vote directly, instead of searching the
topic on the web page?

------
lucb1e
How can we do custom styles on it? Right now it's not aligned with other share
buttons.

Screenshot: <http://g2f.nl/0c4ajy1.png>

Edit: You can style ".hn-share-iframe". Then the next issue: it's much wider
than it needs to be when the story has already been submitted (see the
screenshot, there's a lot of blank space on the right). Is there any other
solution besides just positioning it on the right of the share buttons list?

~~~
igrigorik
Unfortunately, not that I've found.. Twitter and G+ also reserve the space and
run into the same problem. The root issue is the lack of automagic iframe
resizing.. which is what the "seamless" attribute will solve, once it arrives and
is supported by the browsers.

~~~
lucb1e
Okay, thanks for the reply.

------
TazeTSchnitzel
So how does this work? Does hnbutton.appspot.com do some clever proxying, or
something? Or does HN just have a very easily exploitable XSRF vulnerability?

~~~
mixedbit
I also don't understand how it works. If you could up-vote just by following a
link, you could easily game the system. For example, you could submit a story
that automatically up-votes itself when visited by a logged-in user, without any
button press (CSRF). I believe the Facebook like button (and other similar
gadgets) are iframes from Facebook. So Facebook controls what the button looks
like and it is not possible to submit 'Like' requests from a third party
domain.

~~~
nightpool
<http://news.ycombinator.com/item?id=3742902>

EDIT: This is a submission from a while ago that does, in fact, upvote itself.

------
p4bl0
I may be missing something, but I don't understand the point of step 2 in
the README: why not just say to add the <script> tag directly?

~~~
eknkc
Then any browser will try to load the script synchronously. This ensures
asynchronous loading and if there is a problem with the button server, it stays
there.

~~~
p4bl0
Oh, okay. Thanks.

------
kami8845
Is there a demo somewhere? I tried to do something similar but the
ycombinator.com domain returns the "X-Frame-Options:deny" header which makes
iframing impossible. Also in order to vote by simply GETting a url you have to
include a CSRF token as a URL parameter.
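
The two defences named in the comment above (a per-user token on the vote URL and `X-Frame-Options: deny`), sketched as a server-side check. This is an added example, not part of the thread and not Hacker News's code; the HMAC token format, `handleVote`, `SERVER_SECRET` and the session and item ids are assumptions.

```javascript
// Added example: token format, names and ids are assumptions, not HN's code.
const crypto = require('crypto');

const SERVER_SECRET = crypto.randomBytes(32); // per-deployment key (constructed)

// The token binds a vote to one session and one item, so a URL minted for
// another user or another story does not verify.
function voteToken(sessionId, itemId) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(`${sessionId}:${itemId}`)
    .digest('hex');
}

// Constant-time comparison; the length check avoids timingSafeEqual throwing.
function tokenMatches(expected, supplied) {
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(String(supplied || ''), 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// req: { sessionId, query: { id, auth } } -> { status, headers, body }
function handleVote(req, votes) {
  const headers = { 'X-Frame-Options': 'DENY' }; // response may not be framed
  if (!req.sessionId) return { status: 401, headers, body: 'login required' };
  const { id, auth } = req.query;
  if (!tokenMatches(voteToken(req.sessionId, id), auth)) {
    return { status: 403, headers, body: 'bad or missing token' };
  }
  votes.set(id, (votes.get(id) || 0) + 1);
  return { status: 200, headers, body: 'ok' };
}

// Constructed requests: what a third-party page can and cannot get counted.
function demo() {
  const votes = new Map();
  const item = '1001';
  const vote = (sessionId, auth) =>
    handleVote({ sessionId, query: { id: item, auth } }, votes).status;
  return {
    noToken: vote('sess-alice', undefined),
    otherUsersToken: vote('sess-alice', voteToken('sess-mallory', item)),
    otherItemsToken: vote('sess-alice', voteToken('sess-alice', '1002')),
    loggedOut: vote(null, voteToken('sess-alice', item)),
    ownToken: vote('sess-alice', voteToken('sess-alice', item)),
    counted: votes.get(item) || 0,
  };
}

console.log(demo());
```

Only the request carrying the token issued to that session for that item is counted; a link built by another site has no way to compute it.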

~~~
igrigorik
Check one of the bgr.com articles, they have it installed in the sidebar.

~~~
kami8845
It doesn't seem to work. Check out any of the articles submitted to HN:

<http://www.hnsearch.com/search#request/all&q=bgr.com&sortby=points+desc>

They all show "submit". I re-submitted one of the stories myself. Still shows
"submit" as the HN button.

EDIT: Ok apparently it does work after I submitted a story through it (cold
cache?) But it's still pretty meh, really just a glorified <a><img></a>

~~~
igrigorik
There is a bit of lag for the hnsearch API to pick up the latest vote count.

------
krat0sprakhar
Upvote for shanky!

~~~
fnaticshank
thank you :D

------
wildranter
Great stuff. I'm gonna incorporate this on my upcoming blog. Thanks!

On a side note. Could someone at YC fix the up vote arrows here? It's really
hard to hit these tiny arrows without hitting everything around before, really
messy. BTW, a larger textfield wouldn't hurt either.

PS: Sorry for stealing your topic, I just felt the need to say these things
which I think don't bother only me. ;)

~~~
dhimes
They don't only bother you, believe me. Most of us have simply given up asking
for site changes. We hack the styles ourselves or simply deal with it.

~~~
wildranter
Great tip, thanks for that. But I was referring to touch devices which make
it somewhat difficult to apply custom styles. So we shouldn't give up on our
"demands" for better UX.

~~~
dhimes
I agree, touch devices are the problem. I think there may be some apps out
there for HN and the like, but a mobile-designed site would suit me better.

~~~
clarky07
Warning, shameless plug incoming. I made a HN app for iPhone and iPad to solve
some of the issues of the site. Mainly going back and forth from comments to
article. Haven't gotten to a better voting yet, but I may in the future.

<https://itunes.apple.com/us/app/hacker-news-reader!/id532402679?ls=1&mt=8>

~~~
dhimes
I have an app on my phone and a different one on my iPad. Checking to see if
the one on my phone is yours- how can I tell?

~~~
clarky07
I suspect it's not, as mine is universal. If you had mine on it, they'd both
have the same icon. Also, you can go to the app store from the link above and
if it says "Open" it means you have it on the device.

