Hacker News

Given the nature of the product, there is no way for the maintainers of JSFiddle to prevent it from being used to run arbitrary code, because that is what it's meant to do.

It's also impossible for either JSFiddle or Twitter to scan the code of each fiddle and determine if it's legitimate or an attack, so this looks like a good measure from Twitter.

What is surprising is how this was even allowed so far and still is in many social networks, as it's such an obvious way to deliver exploits.




> Given the nature of the product, there is no way for the maintainers of JSFiddle to prevent it from being used to run arbitrary code, because that is what it's meant to do.

There are things they could do though - such as limiting the execution time of a fiddle to a couple of minutes, or limiting the size of the code, or blocking certain calls, and so on. Users are running code that's been saved to the JSFiddle server, so it's not unreasonable to suggest JSFiddle have some responsibility to their visitors. They could make it so the code runs fine if you're the owner or if you've explicitly said it's OK to take up more resources, but defaults to running with these limits if you've just browsed to a Fiddle from a link. They could block common mining scripts (which would only work against 'scriptkiddie' attacks rather than anything sophisticated, but whatever).

There are things the JSFiddle maintainers could do. They don't have to, and in their position I might not do anything either, but the cost of inaction in this case is Twitter blocking links to their site.


>it's not unreasonable to suggest JSFiddle have some responsibility to their visitors

You do understand that they banned the malicious accounts and contacted Twitter, right? Them behaving responsibly is what caused this mess, not sure why you're implying they have no responsibility to their visitors...


> Users are running code that's been saved to the JSFiddle server, so it's not unreasonable to suggest JSFiddle have some responsibility to their visitors.

I do not think so. If I insult another user on Hacker News, how is Y Combinator responsible for that? I don't think platforms should be responsible for what their users do. That is a very slippery slope, leading to the horrendous way YouTube deals with copyright claims, Article 13, and similar censoring tools.


> If I insult another user on Hacker News, how is Y Combinator responsible for that?

Your example is a difficult one because only the person who the derogatory comment is aimed at can decide whether or not they're insulted. Whether or not something is insulting is up to the person it's aimed at. The same goes for things like negative comments, stupid comments, copyright on a derivative work, etc. Whether those things are actually bad is a matter of opinion, and each party probably takes a different position. Consequently it's a different situation, and not really relevant here.

A better analogy would be if I were to invent a piece of plain text malware and posted it in a Hacker News comment. Would Y Combinator or HN have any responsibility to remove it, or should they just let it sit there? I contend that when something is actively harmful the publisher has a duty to protect visitors by removing the content or limiting its impact. (And HN has some awesome moderators who do exactly that in very extreme cases, plus users here can flag things to hide them when there's a consensus, so it's not really like HN is completely free of 'censorship'.)

Plenty of people take the opposing view that platforms shouldn't get involved. There are two sides to most arguments. I'm slightly on the other side to your position.


Should Twitter also ban links to Amazon S3 or any other cloud storage? It can also be used to host arbitrary JavaScript.


By the nature of the product JSFiddle also can't do anything more than what any website set up by an attacker could do. The only thing making JSFiddle unique is that it is lower friction. Any attacker could also set up a GitHub Pages link, or use any free web host, or rent webspace for $5/year under a false name.


Couldn't any link point to anything that runs arbitrary code? Does it matter if it's on jsfiddle or xyz.com?


It makes sense to ban a website that is 100% mining, but blanket-banning jsfiddle is like banning the whole internet because there might be a crypto miner on any website. Probably 99% of jsfiddle links are not miners.


Then Twitter should ban all links externally, because other websites can run arbitrary code.


The difference is that those sites don't let anonymous users run arbitrary code on their servers, unlike JSFiddle.




