Samsung’s Tizen OS is the most genuinely frustrating experience I’ve had with a consumer device outside of printing. Advertisements on my home screen that can’t be disabled, dubious privacy, bugs that require me to reboot my TV, and of course security so bad that they recommend installing a virus scanner? Yeah, that’s great. It’s got a web browser at least, though that’s the only positive thing I can really say about the web browsing experience.
Can it run software? If you can find it! There’s no app ecosystem here, just the big apps it absolutely had to have to be worthy of shipping. If you want to watch Twitch.TV streams for example you are SoL. There was an unofficial Twitch app, but it was removed from the store.
I tried to set up development for Tizen. Yeah not gonna try that again. I always thought getting started with development on Android or iOS was a little cumbersome but it really doesn’t compare. Even getting into developer mode was challenging since I had trouble finding the instructions that were pertinent to my model of TV, and that was the last thing I accomplished successfully.
So I’ve got a desktop computer hooked up to my smart TV and now I am contemplating paying more for a TV so I can get one that doesn’t have any of this dumb crap on it. The only downside? You can’t really run many 10 ft versions of things, and there’s not many good casting solutions. Lame, but every time I run into a new pathological case with the TV OS and its set of subpar apps I reconsider how much it’s even worth to have fancy 10ft interfaces and smart phone integration.
(If you are looking for a casting solution for an HTPC running Windows, I tried Reflector 3 briefly and it looks pretty good. But I personally do not run Windows on my own HTPC, so I’m stuck in the dark.)
The TV itself is a black box of mystery, and does NOT get to go on my network. It doesn't need my wifi password, and I certainly don't want it sending screenshots of my desktop (with sensitive information) off to some advertising agency. No thank you! But far more importantly, the TV will last for years as a dumb monitor, and the external box is usually much cheaper, and can be upgraded and secured separately. This just feels like the correct model.
I was never able to build a HTPC that worked with all the video sources I wanted (Plex, Netflix, Youtube) and was possible to control without ever having to touch a keyboard/mouse (or resort to a janky air mouse/remote thing). With the Shield + a Logitech Harmony Hub, a single dead-simple remote controls the entire setup (Shield, TV, external amp, plus a BluRay player that I never use anymore).
Note: I only have a Roku 2nd Gen. The newer ones look a lot better and are probably a fine option now, but I still really like the Android TV "Home" experience a lot more.
Shortly after Sage was shut down my cable company started encrypting all their channels, rendering most of my PVR setup pointless. After chasing issues with Youtube breaking API changes, I finally and begrudgingly pulled the plug on Sage. Several HTPC iterations later I feel like only now (with the Shield + Plex) do I have a comparable setup.
I did briefly play with Plex PVR with my HDHomerun and an OTA antenna, but I don't get enough channels for it to be worthwhile, and never even bothered re-installing the antenna after my roof was re-shingled last year.
I'd go farther. I want everything to be external boxes. Right now I'm looking at having to get a new A/V receiver because mine cannot handle 4K video. It does all the audio stuff I need just fine.
If video switching and audio processing was handled by separate boxes, I'd just be looking at changing out the video switching box.
Now suppose that later I decide I would like to be able to control my receiver with Alexa or Google Home. As it is now that will be another "replace the whole damn receiver" moment. If it were all separate boxes, the preamps, amps, surround sound processor, and radio receiver would all be separate components, controlled by a controller box. If I decide I want Alexa, I'd just buy a new Alexa compatible controller box.
Or I decide I want to upgrade from 5 channels to 7 channels...buy a couple more amp boxes and speakers for the new channels (and might also need a new surround sound processor box).
Basically, take a block diagram of a complete full featured home theater system, and make every block in that a separate box so I can (1) just buy the boxes I need for my system, and (2) upgrade a box at a time.
That said, I doubt TV makers will ever stop primarily making Smart TVs. A Smart TV can function as the only component of a home theater system. Someone moving into their first apartment after school, say, wanting to start putting together their entertainment system can start with a Smart TV, stick it on their home internet, and then use the Netflix/Prime/Disney+/etc app on the TV to watch movies.
That Smart TV probably has a few HDMI in ports, so they can also use it with the cable box if they have cable, and with their gaming consoles.
With a dumb TV they'd need the TV, and they would need an A/V receiver, and speakers, and something to run the Netflix/etc. apps. Buying all that at once might be a budget buster for someone starting out.
By making the TVs smart, the TV makers greatly increase the chances that a TV will be the first component bought for a new home theater setup, and probably also increases the chances that that first TV will be a big screen, high resolution, high quality display model.
I could not figure out how to do this with any other combination, and this strikes me as fairly baseline usability.
Let's hope they can deliver.
It's actually pretty hard to find a media player that supports Dolby Vision for example. No Android media box does, and as far as I know Windows support is very patchy. At least with webOS it supports all the video formats the TV supports.
Interestingly, apparently in the UK (or maybe EU?) there's a defined period an appliance is required to work for, to be "fit for purpose". Note - not a warranty thing, it's a consumer goods thing.
Not living in the UK any more (thanks Brexit), so don't remember off hand the period of time though.
I always laugh when I see something say "1 year warranty" as I know two years is required.
It's a DLNA/UPNP client so I can cast anything I want from my media server on my computer to it (Bubble UPNP is a great app to control all this from my phone) and even though it doesn't have "cast" built into apps like Youtube and Twitch, they're all supported as addons so you can still get 90% of the functionality, so I can finally throw away my Chromecasts. Plus you can either use the TV's remote with HDMI-CEC out of the box, or hook up a wireless keyboard.
With another pi running TVHeadEnd that I feed my aerial into, I basically don't need any of the builtin TV software anymore, Kodi just controls it all. It's a pretty liberating feeling.
I haven't yet circled back, but my conclusion was to give up on it and instead pursue an end-to-end solution like Plex or Jellyfin.
It currently serves around 3TB of video and audio files, and new files are added daily. I haven't restarted either the Pi or the minidlna service for many months.
I choose this option because it is a very light-weight solution with no features that I will never use (like trans-coding or metadata downloading, poster art etc).
There's a Firefox extension called "Send to Kodi" that I use to quickly cast Youtube videos and other videos from my PC to my Kodi.
On my phone I use Kore, which can send a URL to Kodi using the standard Android share menu (hold a link, Share > Play on Kodi).
Kodi also supports UPNP so you can use one of the million available apps for that to allow some other media servers as well.
It's not perfect, but Kodi has managed to satisfy my video consumption needs quite well. I'm using an outdated version (it's running on my server which runs Debian stable) but I haven't run into problems thus far.
Setup sound bar.
Connect new TV to HDMI switch.
Get the TV working with my remote.
Throw TV remote in a corner somewhere....
I don't even try to use a smart TV's internal functions anymore. They're just big monitors to me.
Guessing they haven't started shipping with a dictionary to try brute forcing the most common passwords. :D
I do worry that one day someone is going to buy one of those Comcast modems that has the automatic Xfinity guest networks and it will find that ...
There would be some kind of backlash if those TVs connected to one and were able to phone home. Don't know how bad, probably on the order of the smart TV that was phoning home with the name of the contents of any flash drives you connected.
I used to do the whole HTPC thing but having to use an actual web browser to access half my content felt obnoxious and cumbersome.
As for avoiding smart TVs, I found it pretty easy to just ignore the WebOS garbage on my LG. I don't see why I would want to pay more to get rid of a feature I haven't had to interact with since setting the device up.
Kodi would also enable the same use case.
I don't think this is a use case on Roku. Roku has zero international market share, so I don't think there's much of a developer market for it.
But can any of them be trusted? Serious question...
Apple TV is a pragmatic option for the sort of person that doesn't mind the Apple Walled Garden.
Xbox One is a pragmatic option for the sort of person that doesn't mind the Xbox/Microsoft Walled Garden.
NVidia Shield and FireTV are pragmatic options for folks that prefer the more Android-ish "mostly a Walled Garden, but".
If your threat model is anything with a corporate or walled garden smell, then sure none of them can be trusted and just build your own media PC with Linux and whichever apps you feel you can trust.
Avoiding tracking and phone-home things.
I intend to replace the Rokus.
I like keeping privacy private, but I'm having a hard time imagining what sorts of private data you are concerned with that would be going over a set top box.
Or were you more worried about the STB being an attack vector into your home and other machines?
The computer can be as cheap as the video quality you want to view... and a decent 1080p projector can easily be had for ~300 USD, bump up the computer to gaming specs and run your entertainment off of it and you've got a nice multi-use solution for the house... unless there is competition for resources.
I've said it before here, but I'm getting a second hand NEC commercial display as my next TV. I've used them at work and they are excellent panels.
Unless average Joes start clamoring for that, all of the cost associated with what you're asking for wouldn't help them sell a significantly larger number of TVs.
I bought an LG OLED last summer (a 55" C9) and to be honest I don't hate the software (webOS) on it. However my setup is not really normal.
Firstly my TV is connected via Ethernet to my router and is restricted to only Netflix, the LG web store and my internal network.
I don't watch live TV, instead my viewing is limited to Netflix and content on my Plex server. Turns out the LG Plex app is very good. The TV supports pretty much every video and audio codec so I can do Direct Play from my Plex server. I mostly have direct Blu-ray streams extracted and remuxed into mkv files so there is no quality difference with using Plex vs. the actual Blu-ray. The rest is a mixture of H.264 and H.265 video with AAC and DTS audio in mp4 or mkv files. Everything plays perfectly with quality on par with or exceeding Netflix to give a comparison.
This setup works great for me. I only really interact with the TV OS to switch between Netflix and Plex which isn't a big deal and the picture quality of the OLED panel is incredible with 4K HDR content.
The real star of the show is Plex though which is just god damn fantastic. As everything I have is Direct Play compatible I can (and have) run the Plex server on a Raspberry Pi with a USB HDD attached and it works perfectly. Even for 80GB 4K HDR movies (direct Blu-ray remux files are large!) plays back from a Pi running openmediavault and Plex media server in Docker.
In the past I have tried a few different solutions such as a HTPC running Windows plugged directly into the TV but nothing gave me as good picture quality with the same flexibility as using the native TV apps.
In fact the Plex on a Pi setup works so well for me I set one up for my mother when I visited over the new year. She can watch any content on my Plex server as well as anything I upload to hers (as she often wants things I don't care for so don't want using up my disk space :)
If you haven't looked into Plex I highly recommend you check it out. It really does 'just work' which is so nice when you want to sit down and watch a movie without having to deal with all the adverts and junk before the movie on a Blu-ray disc.
I am always open to alternatives however with everything I have tried over the years nothing has come close to how well Plex works. From the flexibility of running the server to the superb automatic content identification to the frame perfect delivery to my TV it has been flawless for me.
However I feel I should point out again that I don't use the transcoding feature so I cannot comment on how well that works.
The only UI prompt I recall seeing is some new streaming feature which I haven't looked into but appears to be some kind of partnership with content providers? I was able to get rid of it easily enough to not even remember how I did it and haven't seen it since.
Perhaps the mobile apps (which I assume are updated more regularly?) have had some more prompts? I only ever use the app on my TV.
Alternative: Emby https://emby.media/
Open-Source Alternative: Jellyfin (fork of Emby v3) https://jellyfin.org/
Subtle. :) Anyone know the motivation for this fork / dig against Emby, other than the premium licensing?
Yes, it's more expensive than a smart TV, but the only reason is because smart TVs are very literally subsidized by future data collection and monetization.
Not trying to minimize that this could still be too much money for some people, but frankly, a one-time extra $250-300 to permanently escape that whole tracking situation is just a lot less than I expected.
I'd also like to point out that most of the sub-$400 Smart TVs on Amazon don't have any DisplayPorts, and the display is probably of a lower quality than something that's designed to be looked at from a couple of feet away rather than dozens of feet.
Bigger than 42", I'd just recommend a projector.
What's the main benefit of DisplayPort when most new hardware supports HDMI 2.0, which does 4k at 60Hz?
How would you define lower quality based on viewing distance? What metrics are we going by that we might expect to be worse? There probably are some, but I can't think of any off the top of my head.
Response time is the one that comes to mind, not because of viewing distance but because of different intended use cases, but I specifically account for that when looking for a TV to use as a monitor.
You need to sign packages with a certificate you get from Samsung and tie it to your device ids for sideloading. For that, you need Tizen Studio, which is a custom outdated version of eclipse, depending on outdated versions of some external libraries. I tried it in a container, which worked fine, except for the signature generation. So I ran it in a sufficiently outdated VM.
Unfortunately, this developer cert will only get you so far and for the complete API, you need a partner level cert.
If you put up with all this, there's the documentation. It takes ages to load and you can't easily download the damn thing, because they pull in the content via XHR. Why, Samsung, why?
Me too! When I bought a new Samsung 32" last year, I went very, very slowly as I set it up, so as not to inadvertently connect it to the internet. I succeeded in not connecting and life is good.
Not sure if Samsung is one of the manufacturers of those though.
Yeah, call me when you find one…
I have an nvidia shield which more than fulfills the "smart tv" needs, and I think that's probably the way it should be and stay. I love this setup and just want to disable all the smart features now. It's not like they're in the way but sometimes the tv does decide that "I see you're watching a movie. Now might be a good time to ask you to reboot for the latest software update innit?"
All such radios can be disabled, if not by removing the antenna, then by enclosing it in a faraday cage. It is chilling, though, that these things may become necessary for basic things like appliances.
One downside though is that I only have a couple HDMI ports to work with, so between a Nintendo Switch and a full desktop PC I'm already using all of the ports.
Also, even though I love the NVIDIA Shield, I find it does not really integrate as well as I hoped via HDMI CEC. It's a bit clunky to be honest, and though it's cool I can use the TV remote over CEC, it is definitely not as good as using the Shield remote, due to latency and some weird behavioral differences. So there are also downsides like that, too...
Keeping the comment in case anyone does have a source. If no response, let's assume rumor.
I still get worked up about this. I was able to watch streams on my TV using this app and someone somewhere just decided I shouldn't be able no more. The TV has lost value with this change, to me at least.
That said, I wish there was a dumb TV option.
Samsung/Tizen was one of the worst in my experience (the only thing I found more annoying was PlayStation only giving a windows sdk when the box itself is basically a BSD. Let me develop on Linux dammit!)
Yes, me too. I have an old dumb TV, and will use that until it breaks. When that happens, I won't be buying another TV at all, since as near as I can tell, the "smart" kind will be the only kind on the market.
> You can’t really run many 10 ft versions of things ...
My media server is in a ventilated closet, so I'm using ~15 meter HDMI, USB and audio cables. It was admittedly an expensive HDMI cable, but it seems to work well enough.
Isn't it easy to tweak all that? It is in Debian, anyway.
Virtually universally, videos are embedded in webpages, and occasionally a link is provided that downloads rather than plays a video.
So I think this is just a use-case issue: the average user is exceedingly unlikely to ever want to watch a raw video file specified by a URL, because you just don't come across them in the wild. So therefore Roku didn't build that feature.
And that's 100% justifiable for a consumer product. There's no philosophical reason why a consumer product should support computational primitives like URL's or files when the use case is rare or non-existent for the target market.
I mean, if this were a command-line utility then it would be a different story... but it's not.
Obviously the protocol descriptor would be different from HTTP/HTTPS.
Uploading the video to YouTube is typically a much simpler way to get the job done these days, because it works off of things you likely already have and require only moderate technical skills, while setting up a server that can serve files over HTTP(s) on your home network is the kind of thing that would get your parents to start calling you a "computer whiz" in public again.
But that all died out, it seems. So I get that history could have continued in that direction... but it didn't, I guess. It sure would have been interesting if it had, though.
Here is one of many examples (look at the bottom):
I see those all the time.
There are plenty of philosophical reasons to support it, you might disagree with them, but that doesn't mean they don't exist.
Also, more generally, while videos do tend to be embedded in web pages, some of these pages are nice enough to provide a download link for the video.
But then I thought about it, and the URL thing is a red herring. That's not what they really want -- that's an implementation detail. What they really want is the ability to play something from their local server on their TV. This is totally do-able in the Apple eco-system. The URL thing is exactly what you don't want. Who wants to type a URL into their TV using their phone as a virtual keyboard or not? (Which the AppleTV + iPhone combo does this great too...)
The best option is where you could "cast" any video/media you're watching on a phone or computer up to a TV. The AppleTV + iPhone (or Mac) combo does this great.
Also, just to understand, what does Roku get out of blocking your ability to potentially see non-DRM content? Is Netflix going to pull their app if Roku starts displaying URLs?
When it works, it works well, and it is nice to just press a button and whatever I'd like to use is up on my TV. It does feel a little magic.
But even when you're using compatible tools / devices that should work together, sometimes they mysteriously don't, and there's absolutely no way to know what's going wrong. Approximately 25% of the time, my Chromecast device just doesn't seem to exist according to my computer. Both my computer and the device have network connectivity, but there's just no ability to cast. I'm reduced to randomly restarting things in a vain hope that things will work.
If you stick your Chromecast and your phone in their own broadcast domain I think the problem would disappear. Unfortunately it’s not a solution to whatever is spamming your network but it would tell you that that’s the problem.
1) I copy some URL on my phone or computer
2) I open the VLC app on my Apple TV and select the URL field
3) My phone buzzes because it recognizes an input field
4) I paste the url and press play
The nice part is that you can also use that to watch Acestream content if you run some Acestream container on your NAS / Computer exposed via a http proxy and just paste that URL into VLC on the TV.
"We Suck At HTTP"
>"We have broken HTTP. We’ve done it for years in fits and starts, but apps have completely broken it. HTTP was a good specification which we’ve steadily whittled away."
> Here is my plea: when you build hardware/software, please make it support the primitive, simple case.
I just wanted to play a video file I had on my laptop. I googled around, found that Roku appears to support DLNA, and tried to use Universal Media Server on my laptop. The Roku did find the media server, but kept claiming that there were no files available. Not sure if it was a video format issue (main-profile h264, ac3, and mkv are listed as supported by Roku) or something else, but at the end of the day I just couldn't get it to work, and I was bummed and frustrated.
Maybe play-this-URL functionality wouldn't've helped, but at least I would have felt more confident that it was a format issue rather than just some dumb problem with the huge DLNA tech stack.
HTTP is the lingua franca of the internet.
When you build stuff, please make it work with simple URLs.
I've recently installed Jellyfin and even put the Roku in "Developer Mode" so I could install the Jellyfin Roku app from GitHub. This is better because unlike Plex, it won't transcode arbitrarily, but it's far worse because the Jellyfin Roku app crashes frequently, has only basic page-based navigation ("go to page 23 for media that starts with 'T'"), and it requires running a heavy media server for no real reason. I'm still reluctantly using Plex for the time being.
When I need something that I haven't put in Plex, I fall back to the Android interface on the FireTV and use VLC to access the NAS over SMB. It still rankles that Roku won't allow an easy way to access local media.
To navigate the text version, simply paste one of the following URLs into your
browser, or the entire cURL command into your terminal. If you're looking for
a specific post, check the list on the Feed page.
This would be some work, but only one person would need to do it and then anyone could "cast" a URL.
(Disclosure: I work at Google, speaking only for myself)
I guess I could just spend 99 cents and 2 minutes to find out...
In the end, I set them up a Plex server, which I can securely remotely drop things into. But that comes with its own fair share of ridiculous concerns.
I could imagine an evening hack session that would be a Chromecast application (maybe a browser extension) that you can paste urls into and it would play that way. Without even bothering looking, I would bet such an extension already exists in the Chrome Web Store.
You can disagree with this reasoning. It should be possible to safely load arbitrary endpoints and not ever execute an attack embedded in it. But then it wouldn't be called an exploit, would it?
I feel that I soon will have to change it for some more fancy set, like 65” 4K HDR OLED. I will do my best to dumb it down and keep using it in the same manner. And I definitely will not connect it to the internet!
All the smart TVs I've used implement this functionality.
VLC and Kodi support this too.
Actually, I think the standard is UPnP / DLNA. After setting up a UPNP server I can "cast" most things from Android by using the share button, and then choosing a UPnP app, such as Bubble UPnP. I don't know if the author's tv supports this, but many do.
discussed at https://news.ycombinator.com/item?id=7365256
But chromecast is essentially that standard you ask for, otherwise "apps" like I linked wouldn't work. Heck, as far as I know (I'm not really a Chrome user), Chrome has this functionality built-in, so you can send URLs directly from browser to a chromecast device.
RTINGS.com is pretty awesome at being able to quickly see which TVs have the more egregious data privacy practices.
That's what I do (my Apple TV is connected to the internet). A nice side effect is that you don't get ads in the TV's home screen that way.
I saw a recommendation for it here or on Reddit recently.
- How inefficient is video streaming when you're downloading chunks of a compressed, static file over a flaky Internet connection?
- Was it worse before? Would it work better with QUIC or HTTP/3?
Your main enemy in this process is, as usual, middleboxes, which may be a bigger problem for the advanced protocols. This is why Apple created the bizarre but effective HLS system: https://en.wikipedia.org/wiki/HTTP_Live_Streaming
I'm wondering how much you lose by doing it the simple way?
Thanks for all the feedback!
Is that really typical? I just put a file on a USB drive, and plug it into the TV to play.
Says a webpage that is just a couple empty divs w/o JS, and, with JS, is 4 hyperlinks, a few paragraphs of text, and absolutely nothing (aside from google-analytics) that ever needed any JS in the first place, let alone 5 or 6 files' worth of it.
But, I think that conflict really speaks to the fundamental issue, here: Thinking about the primitive, simple case is often, from the creator's perspective, more work than it's worth.
Otherwise, you're just demonstrating exactly why Roku doesn't have a way to input a URL to play media.
Such is the way of things.
Just render the markdown to HTML once on the server and upload it for the love of God.
That being said, the article is entirely correct.
Is the overengineering so ingrained in the average HN user that they cannot see why someone might not bother with that?
However, in a case like this, the alternative—as we can already see—is to add complexity for every single reader on the front-end. So there's not really a perfect solution here—either the author or the reader has to deal with some complexity.
<!-- Start preload for performance -->
<script type='module' src='/components/core.js'></script>
<script type='module' src='/components/tutorials.js'></script>
<script type='module' src='/components/about.js'></script>
<!-- End preload for performance -->
<script type='module' src='/index.js'></script>
Edit: Actually https://raw.githubusercontent.com/anderspitman/anderspitman.... works fine already; can we change the submission URL to that?
Based on this web site, this is a definition of "software engineer" of which I was previously unaware.
JS should not be needed to show five paragraphs of text. And even with the JS the resulting HTML is still unreadable.
FF72, uBlock Origin in medium mode, no whitelisting => site renders just fine both in normal and in reader view.
His "noscript" is also broken as it still doesn't show the darned 5 paragraphs of text. It's that hard for him, as he writes what others should do.
It entirely fails to render in text-mode browsers (I actually make heavy use of w3m).
It entirely fails to render in https://outline.com/, which otherwise is a good way to get fucked-up JS-dependent sites to render. I consider that stage of fuckwittedness either absolutely deliberate (which it appears to be in this case based on the author's defence of their practices), or utter incompetence. These are not mutually exclusive possibilities.
The fact that the article is apparently (I've still been unable to read it) a plea for base-level compatibility is, as initially noted, arch irony.
View source indicates about half is some Google analytics boilerplate, the other half is a body consisting entirely of non-functional JS pulls.
OP, where is the content stored?
Note for OP:
I can see that you already have https://github.com/anderspitman/anderspitman.net/blob/master... started, so I'm assuming you know this already and that you just haven't had the time to set up rendering on build yet. It's not my intention to preach to the choir.
Or you could even get fancy and skip hiding it on the initial page load, only swapping it out with AJAX for future navigation, and this would make your initial page load even faster than it currently is.
Requiring readers to execute arbitrary code in order to read content seems like a terrible way to implement a web page.
Nor is it cheap: it requires every single reader to execute the same code, burning CPU over and over and over when it could be done once for all readers, by the server.
> Yes, some people choose to browse with JS disabled, but anyone who browses that way should expect that many sites won't work and will need to be manually whitelisted.
Yes, you can require execute privileges in order to publish content, but anyone who publishes that way should expect that many people won't read what he writes.
I never whitelist sites that don't work without JS unless the site is actually critical for some reason (doing so is too risky). I expect that this means some parts of the web effectively no longer exist for people like me, and accept that, but I wonder if the authors of these badly engineered pages really know that they're excluding people.
People who choose to turn off JS are excluding themselves. JS is part of the web platform, and there are tons of amazing things it allows you to do. Being able to write a site in markdown with static hosting and have it instantly rendered in user's browsers is one of those things!
If you choose to browse with IE6 and complain that sites using HTML5 are excluding you, I'm not going to be sympathetic either.
Could you say more about this?
The best web developers I know that I really respect all understand what progressive enhancement really means as an architectural pattern, and they don't dismiss it out of hand.
Also to be clear, the browser is (unarguably) hands down the best consumer-facing sandbox that we've ever built. And I like sandboxes, a lot. I think sandboxing is the future of user-facing application security -- not trusted stores, or signing, or managing dependencies in a special way, or SaaS.
2. LastPass's browser extension leaking passwords to any page you visited.
3. Firefox's most recent 0-day (that is being actively exploited).
4. Targeted vulnerabilities in mobile Safari (that went unpatched for years).
Even non-malicious pages are usually not coded well in terms of CPU-power. One way you can tell a browser disables JS by default is that the non-JS setup will gracefully handle several hundred tabs at the same time in normal everyday usage for extended periods (>1 month). The other browser will eventually get caught by a rogue tab that freezes everything and forces you to restart the browser.
On the privacy front... I dunno, don't you work at Google? You should know this.
My general advice, notwithstanding my opinion on sandboxes, is that everyone should install uBlock Origin, no matter who they are. If you're technically inclined and understand the web, you should also install uMatrix, which will at least get rid of the most common attack vectors: third-party scripts. If you're technically inclined and understand the web and you worry a lot about privacy, you should use uMatrix to disable JS by default.
So the foxy perspective on web security/privacy is if there's an easy, effective way to improve my security that works most of the time, why wouldn't I do that? And why wouldn't I encourage developers to make it easier for me to do that?
: Admittedly, Panopticlick's usage numbers are skewed towards privacy-conscious users. In the real world, the pool of people like me will be smaller. However, people who use VPNs are also skewed towards privacy-conscious, which tilts that back in my favor a bit.
Excellent response and more patience than I could muster.
It goes both ways. Yes, turning off JS means that some sites will fail to work. As I said in my comment, I expect this. On the other hand, a well-designed site should fail gracefully, so that turning off JS won't make the site fail to work, but may make certain features unavailable. Sites that don't fail gracefully (with certain exceptions) are poorly engineered sites that are excluding people unnecessarily.
> JS is part of the web platform
JS is an optional part of the web platform.
> and there are tons of amazing things it allows you to do.
Of course. The problem is that JS allows terrible things to be done as well. Just as I won't download and execute binaries from random web sites, I won't allow JS from random websites, for precisely the same reasons. JS is too risky.
> If you choose to browse with IE6 and complain that sites using HTML5 are excluding you, I'm not going to be sympathetic either.
That's a poor analogy because HTML5 will fail gracefully. If I browse to an HTML5 site with IE6, I will (with rare exceptions) still be able to read the page.
> Just as I won't download and execute binaries from random web sites, I won't allow JS from random websites, for precisely the same reasons. JS is too risky.
Downloading and executing binaries from random websites is far more risky than allowing JS. A binary runs as you and can trivially do anything you could do, from keylogging to subverting your browser. If you can do similar harmful things from JS, on the other hand, you're eligible for very large bounties from browser vendors. JS is heavily sandboxed, and browsers have some of the world's best security engineers working on maintaining an ecosystem where people can freely run other people's JS.
> That's a poor analogy because HTML5 will fail gracefully. If I browse to an HTML5 site with IE6, I will (with rare exceptions) still be able to read the page.
HTML often fails gracefully, but not always. If someone writes a site that doesn't fail gracefully and so is completely unreadable in IE6, I don't think they've done anything wrong.
Rendering the goddamned content is.
If you can't at a minimum give me a title, byline, dateline, main body text and/or some level of summary or description of non-textual content (as with graphics, audio, video, or interactive elements), then you're failing.
(SPAs or web applications should at least provide context for understanding what the application is/does. I'm not calling for all functionality to be rendered in HTML, but sufficient context to determine WTF the site is about.)
Your "but I cannot implement search" is a strawman, and really doesn't address the core complaint.
As it stands, I'm looking at options for SSG-based blog posting, and at how it might be possible to support search. JS-based options, plus an extensive tagging / ontological classification, strike me as a reasonable compromise.
The fact that the Web is lacking a usable search-oriented standard which could bypass much of this problem, is one that's seldom noted. If sites could provide a permuted index in accessible format, and a standard mechanism for accessing it via a browser site-search function (or independent third-party search tools) ... well, the present online landscape would look remarkably different.
Sadly, we're not there, and the orientation of the leading browser developer is quite likely not going to support such development.
I'm not going to dismiss this out of hand, but this is a harder problem than you realize. We did have search keywords at one point. The problem was that sites started stuffing them with irrelevant values. Google removed that and started doing their own analysis, because keywords made it too easy to game SEO.
There are certainly ways that keywords could be done better today, I'm not going to say we should give up on the entire concept. But asking websites to self-categorize themselves is a very tricky problem that is very prone to abuse.
Remember that the web (currently) monetizes eyeballs, so until that situation changes there is a strong incentive to show up in every search regardless of whether or not you're relevant.
My example was a domain specific search engine. The only thing the site does is let you run searches, implemented client-side in JS. Without JS the site completely doesn't work.
Perhaps you misunderstand what I'm saying. I am not saying that you, or anyone else, is obligated to do anything in particular. All I did was to point out a factor that should be considered -- if your site does not work without JS, then you are excluding some people. If you don't care, fair enough.
However, I stand by my assertion that sites that do not fail gracefully are (with certain exceptions) poorly engineered sites.
> Downloading and executing binaries from random websites is far more risky than allowing JS
That does not mean that allowing JS is safe.
> JS is heavily sandboxed, and browsers have some of the world's best security engineers working on maintaining an ecosystem where people can freely run other people's JS.
Yes, I'm well aware of that. And yet, JS is commonly used to do all sorts of nefarious things (such as tracking, for instance) anyway.
OP is already using a server-side build process to generate the static site. Inserting the HTML at the same time they built the site would add very little extra code to their build process, and nothing to their static hosting requirements.
If nothing else, would OP consider inserting a <noscript> tag in each generated index.html that linked to the raw Markdown in their Github repo?
The site doesn't use any build process. The gen_static script was an experiment that I didn't make it very far with. I may eventually get back to that.
Yes, if you're going to have a build process, converting Markdown to HTML server-side makes a lot more sense.
JS is enabled here and it doesn't render.
While admittedly some readers here are purely focusing on the irony of supporting "the primitive, simple case", for the most part non-JS users are willing to meet sites halfway on this. I'm totally fine manually navigating a Github repo to get at posts, I wouldn't be irritated at all in that situation, I wouldn't have even commented. Right now, your site offers nothing.
Even just the below markup would have been sufficient -- it wouldn't need to be customized per-page.
I suggested to have a link (or just instructions, if you don't want it to be customized per post) for accessing the Markdown code for the specific post. However, a link to the Github repository also works perfectly OK, so I am not complaining.
Absolutely! Should be working now (or as soon as CloudFlare cache is purged). Thanks for the snippet.
As long as I know how to get to the text in some format, I'm usually fine with the rest, and markdown is a format that's very easy to read.
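The `<noscript>` fallback discussed in the comments above can be added as a build step. The following is an added example, not code from the site or from any commenter; the marker attribute, the sample page and the example.com URL are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlparse

MARKER = 'data-fallback="markdown-source"'  # hypothetical marker attribute
BODY_OPEN = re.compile(r"<body\b[^>]*>", re.IGNORECASE)


def build_fallback(markdown_url: str) -> str:
    """Return a <noscript> block linking to the raw Markdown of a post."""
    parsed = urlparse(markdown_url)
    # Only absolute web links: rejects javascript:, data: and relative values.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"refusing non-http(s) fallback URL: {markdown_url!r}")
    # Escape for use inside an attribute and as link text.
    safe = html.escape(markdown_url, quote=True)
    return (
        f"<noscript {MARKER}>"
        "<p>This page is rendered from Markdown by JavaScript. "
        f'The source is readable as plain text: <a href="{safe}">{safe}</a></p>'
        "</noscript>"
    )


def inject_fallback(page: str, markdown_url: str) -> str:
    """Insert the fallback right after <body>; no-op if already present."""
    if MARKER in page:
        return page
    match = BODY_OPEN.search(page)
    if match is None:
        raise ValueError("no <body> tag found")
    end = match.end()
    return page[:end] + "\n" + build_fallback(markdown_url) + page[end:]


# Constructed sample page standing in for a generated index.html.
SAMPLE = """<!doctype html>
<html><head><title>post</title></head>
<body class="post">
<div id="content"></div>
<script src="/render.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(inject_fallback(SAMPLE, "https://example.com/posts/post.md?a=1&b=2"))
```

Running it twice over the same file leaves a single fallback block, so it can sit in a deploy script without a separate "already patched" check.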
Cloudflare and archive.fo don't play well together. Each blames the other.
I've explicitly coded an exception for the domain on my own networking kit, but that fix hasn't been working for a while, which is ... annoying.
Ordinarily, though, it's a useful fix. If you can point DNS at a provider other than Cloudflare (126.96.36.199), it should work.
Please make your products work with URLs
I want to tell you about something I was unable to accomplish, after more than 30 minutes of concerted effort.
I have a video file hosted using a web server. The file is H.264 main-profile encoded at a reasonable bitrate (<5Mbps), uses AAC audio, and is packaged in an MP4 container. The web server supports HTTP range requests. In other words, the video is basically in the least common denominator format for compatibility. It streams great in all major web browsers, VLC, and everything in between.
In my living room, I have a Roku "smart" TV. It has tons of apps, full internet connectivity, and is more than capable of both connecting to and playing the video file described above. But I failed to get this to happen, after much googling and trying multiple apps (both on the Roku TV and my Android phone).
The way this type of thing is usually accomplished in 2020 is to open the video on your phone, then tap a "cast" icon and tell it to send the video to your TV. What happens behind the scenes is the phone uses some protocol (Chromecast being the most common I'm aware of) to send the URL to the TV, and the TV then plays it directly, while still letting you play/pause, seek, change volume, etc from the phone. When this works, it's like magic. The YouTube app works particularly well. However, there doesn't seem to be any widely implemented standard for playing plain URLs, only walled gardens like the YouTube app.
This whole thing was made much more frustrating by the fact that I knew the TV had all the requisite capabilities to do what I was attempting. The YouTube app is proof of that. There just wasn't any obvious way to find the correct app combination.
Here's the way this should work.
The Roku app for Android allows you to use your phone as a keyboard for the TV, rather than the awful physical remote UX for input. This is a great feature which I appreciate.
I should be able to copy a URL from my phone (possibly obtained from scanning a QR code), paste it into the Roku Android app, and the Roku should attempt to play the file at the URL. This is clunky, awkward, and not particularly easy. But it is simple, obvious, and intuitive.
Here is my plea: when you build hardware/software, please make it support the primitive, simple case. By all means, implement the slick Chromecast-style flows. It's great when it works. But there needs to be a fallback for when it doesn't work, or when the user wants to try something slightly different. HTTP is the lingua franca of the internet. When you build stuff, please make it work with simple URLs.
I think there are various levels of proficiency, but in general, most Danes have a very good grasp of it, and it's easy to live here if you only speak English.
(Note: works for me too, with default uBlock and Pi-Hole blocklists)
Is this site heavy on ads and other malware and won't display without totally naked openness to exploits?
With NoScript blocking both the site and Google.
By "w/o JS" do you mean totally disabled? Or just NoScript?
And you're right, I wasn't paying attention. I did temporarily allow the site.