Thoughts.page: hosting a small webpage for your thoughts (thoughts.page)
135 points by eversowhatev 8 days ago | hide | past | favorite | 106 comments





This really caught my eye.

I wrote a website almost exactly like this for myself. I've been using it for over a year. https://thoughts.learnerpages.com

Something about posting publicly, but not having any public interaction mechanism is super cathartic for me.

(I haven't signed up for thoughts.page, I'll probably write a comparison at some point, since I'm opinionated about this type of site.)


I'm a big fan of these tiny minimal websites. I've built something similar that lets you create an online blog from your paper journal. I use it daily to write down my thoughts and I'm weirdly very consistent with writing knowing others are reading my stuff. Wondering if OP has noticed the same thing.

https://paperwebsite.com


And your "Most Popular" user type signs up for the GBP10/month account rather than the Free account?

Pricing seems high, but it does grant them a custom domain option so it's not a shocker someone would sign up to get that feature.

This is really nice. I have always thought that the simplest way to publish a note was just throw a txt file into a folder that is synced to a website. I actually do that with keybase.io; now, this photo-to-publish idea is nice. Almost frictionless.

I really love the pricing model, refreshing:

> thoughts.page is free for anyone who makes less than $40,000 USD/year, and costs $5/month otherwise.


It's a shame because its pricing structure works like how many people misunderstand taxes to work. If you earn $39,990/year and then get a $30/year raise, then you'll actually be set back to $39,960/year after you pay the new price for this service. You might have to awkwardly explain to your boss that you don't want that $0.015/hour raise. If instead the service worked like taxes by charging a percent of the money you make over $40k (and then limiting the value up to $5), then the price trap issue would be solved.

(This suggestion is a joke, I just have the issues of welfare traps and popular misunderstandings of taxes on my mind.)


From the pricing page:

it obviously isn't perfect — there are people making more than $40,000/year for whom $5/month is an undue burden, and there are people making less than $40,000/year who can easily afford $5/month. but it's not like i'm checking, it's basically pay-what-you-want with $40,000 as a suggested cutoff for paying.


This is very reasonable. I wish all small software shops acted like this. Reminds me of the REAPER program, which also has a reasonable pricing model like this, giving you unlimited time to try and buy it once it's useful to you.

If there was an option to pay or not pay, most people would probably opt to not pay, and you as a software developer or shop probably want to pay bills, so wishing that all shops acted like this is not logical to me at all.

What you're missing is convenience is a very valuable feature. This is exactly why I decided to give my $60 to the aforementioned program.

Yeah it's an interesting model. I'm guessing it works on an honour system as income isn't easily verifiable

It's basically 'pay what you want' with a super weird cutoff based on post-tax income.

I need to lose $4 by the end of the year! /s


In Norway, everyone's income is public information.

Other countries could do the same to make things more transparent.


It's funny seeing different attitudes on that. I live in the Netherlands, so really not far away, and income is very private, almost taboo information here - something you'd only discuss with your best friends, if that. People would be horrified to have their income be public information!

(please don't use my comment as a soapbox to start a labor rights debate)


It used to be public; the newspapers had databases where you could look up individuals or list by location/birth year/gender. Some even made maps, but they were a bit unpopular as it was suspected to be used by criminals. But knowing what politicians earned was nice and important, and newspapers still report on "people of public interest".

Today, you have to login online and the person you look up can see your name in the log


> Today, you have to login online and the person you look up can see your name in the log

I really don't see a problem with that and would still consider it public information.


I agree, I expressed myself poorly: it is less available today than it used to be; for example, I think it would be much more difficult for foreigners to gain access today. And there is a limit of 500 searches per month.

So - there have been changes that resulted in less transparency or better privacy, depending on point of view.


That is very interesting. It seems to me that the Norwegian society treats personal wealth information like what could happen with cryptos and blockchains.

Makes me want to dig deeper and understand the WHYs and HOWs it's been accomplished.

As someone born in a war-torn country, interpersonal trust is very hard to imagine outside blood-linked relatives. Overall, in such a society there is a high degree of mistrust between individuals from different social classes or regions. Publicly displaying resources like yearly income is the last thing that would come to anyone's mind. As an adult, I have no concrete idea how much a sibling/parent makes per month. We've become so used to being vague while uncomfortably sharing our earnings.

A place like Norway seems like utopia to me. Does the government intervene by sharing citizen's reported income? Who gets to verify, record and archive such info? Is there a kind of punishment for liars/cheaters/abusers? Is the disclosure of personal income a strict legal obligation or a non-binding local tradition? I'm fairly puzzled.


> In Norway, everyone's income is public information.

> Other countries could do the same to make things more transparent.

What verifiable tangible benefits does this have?


Knowing what people employed in similar roles to you earn helps you bargain for an equivalent salary

In theory, not sure this translates to reality. I don't even have anecdotal evidence that this works. Employed in similar roles does not mean equally valuable to company. I live in Norway and I don't think I would ever tell my employer they need to pay me the same as someone else, I also know there is significant variability for pay in the same role at places I worked (without ever checking public tax records).

Kidnappers no longer need to waste time scoping out potential targets.

Traffic fines in Finland are proportional to the offender's income.

https://www.irishtimes.com/news/nokia-boss-gets-116-000-spee...

Simple, elegant and fair?

Mathematically perhaps, but people are people...

https://www.automotive-fleet.com/10481/nokia-executive-fined...


> Traffic fines in Finland are proportional to the offender's income.

Don't need everyone's income to be public information to do that.


> Don't need everyone's income to be public information to do that.

It depends if you want speeding fines to be transparent, or secret.


Never heard of it, can’t really imagine how that would work out in other countries.

Is it a somewhat new regulation? Is it easy to access the information?


It's actually a fairly long tradition, it's only been online for the previous decade or so. It's easy to access, it's just that for the last few years, you can also see if someone has checked your taxes and who they are.

https://www.youtube.com/watch?v=1bO8zEaSuWg


I think it's a Nordic thing. Tax records (including recorded income) are also public in Finland, and apparently Sweden has something similar. [1]

In the case of Finland, the current legislation that makes tax information public was originally introduced in 1999 but I can't remember whether the records were also public (based on some other regulation) prior to that or not. In any case, it's not that recent. The Reuters article says Norway has had public tax information since 1863, but I don't personally know anything more about that.

AFAIK anybody's tax records are basically a phone call away. You can't just google for the information, though. I don't know how it works in Norway. (Edit: but apparently the sibling replies do.)

[1] https://www.reuters.com/article/us-panama-tax-nordics-idUSKC...


To give the Swedish story. In general all documents, decisions, etc. handled by a public agency are by default public (i.e. you can call/email the agency and ask for them).

So when the tax agency makes a decision on your taxes that becomes public, i.e. we can see what taxable income you have. One way this is used is by newspapers to look into the income of politicians (and other famous people..).

The right of public information is taken quite seriously by the courts (and should be taken more seriously by agencies that really like to classify the information as secret, which you then have to go to court to challenge). For example an organisation I'm associated with was able to get the cookie data from the Swedish Chief of Police which the courts determined was public information (although they were allowed to mask some information).



Tbf in Norway everyone would be skint after a few beers regardless of their salary so you're all pretty even (jk, ofc.)

Not very refreshing, considering the 100 total visitors this site will ever receive are likely highly paid folks in the software and technology industry, but it’s a nice gesture at least.

This site is subject to severe XSS via the post mechanism. Just entering <script>alert(1)</script> works. So be careful when going to links. See https://hacker.thoughts.page for a demo

Hey! I'm the person who made this — I don't believe there's an actual problem here, since login cookies are set on the top-level domain (and thus are inaccessible to content on subdomains), and are HTTPOnly as well.

I do notice that Stripe sets a tracking cookie (which only happens for people who pay for the service, since I don't load the Stripe JS elsewhere), so you could track pageviews with that or something. That's unfortunate — I'll probably try to move the stripe stuff to a subdomain to avoid it — but I don't see it as a big problem.

The HTTP security model is pretty awful, so there may be something I'm missing, but I did think quite carefully about this, and allowing people to use arbitrary HTML and JS was an intentional choice.

Is there a particular threat model you see here?
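The cookie-scoping argument in the comment above (a login cookie set on the top-level domain is not visible to subdomains, and HttpOnly keeps it away from page script) depends on exactly how the cookie was set. The following is an added example, not code from thoughts.page or its author: it models the RFC 6265 rules a browser applies when deciding whether to attach a cookie to a request and whether `document.cookie` can read it. The host names and cookie values are constructed; the key point it shows is that the isolation holds only for a host-only cookie (one set without a `Domain` attribute), while adding `Domain=thoughts.page` would send the same cookie to every subdomain.

```python
"""Cookie-scope check (added example; not code from thoughts.page).

Models the RFC 6265 rules that decide whether a browser sends a cookie
with a request and whether page script can read it. Host names and
cookie values below are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse one Set-Cookie header value received from response_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    if domain_attr:
        # RFC 6265 5.3: an explicit Domain attribute widens the scope to that
        # domain and all of its subdomains (host-only flag is cleared)
        domain, host_only = domain_attr, False
    else:
        # no Domain attribute: the cookie belongs to the responding host only
        domain, host_only = response_host.lower(), True
    return Cookie(name.strip(), value.strip(), domain, host_only,
                  "secure" in attrs, "httponly" in attrs)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain matching: equal to, or a subdomain of, the domain."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def is_sent(cookie: Cookie, request_host: str, scheme: str = "https") -> bool:
    """Would a browser attach this cookie to a request to request_host?"""
    if cookie.host_only:
        if request_host.lower() != cookie.domain:
            return False
    elif not domain_matches(request_host, cookie.domain):
        return False
    if cookie.secure and scheme != "https":
        return False
    return True


def script_readable(cookie: Cookie) -> bool:
    """document.cookie exposes the cookie only when HttpOnly is absent."""
    return not cookie.http_only


def scope_report(header: str, response_host: str, hosts: list) -> dict:
    """Summarise, per host, whether the cookie travels with requests there."""
    cookie = parse_set_cookie(header, response_host)
    return {
        "host_only": cookie.host_only,
        "script_readable": script_readable(cookie),
        "sent_to": {h: is_sent(cookie, h) for h in hosts},
    }


if __name__ == "__main__":
    hosts = ["thoughts.page", "hacker.thoughts.page"]
    # constructed headers: the first is the host-only cookie the comment
    # describes, the second is the same cookie with a Domain attribute added
    for hdr in ("session=abc123; Path=/; Secure; HttpOnly",
                "session=abc123; Path=/; Secure; HttpOnly; Domain=thoughts.page"):
        print(hdr, "->", scope_report(hdr, "thoughts.page", hosts))
```

Run against the two constructed headers, the host-only cookie is reported as sent to `thoughts.page` only, while the `Domain=thoughts.page` variant is also sent to `hacker.thoughts.page`; in both cases `script_readable` is false because of HttpOnly. The practical check for a site like this is therefore that the login cookie is set without a `Domain` attribute (the `__Host-` cookie name prefix makes browsers enforce exactly that).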


Just a heads up, a sister comment already pointed out the biggest "danger", but not what that means for your webapp:

Google will penalize your domain strongly as soon as anyone uses your service for malicious content. You might even get blocked entirely if you are particularly unlucky.

That's also the reason why GitHub pages is hosted under github.io instead of GitHub.com for example.


Safe Browsing is a must-consider for anyone hosting user-submitted content.

>allowing people to use arbitrary HTML and JS was an intentional choice

Oh, you'll be reversing this choice VERY quickly if your product gets any traction, I assure you...


I don't actually see a problem. It goes against my gut reaction but given the pages that are published are entirely isolated there is no more of a threat than someone publishing whatever they want on another web host. There is no user information to hijack, no cookies, no login buttons, no local storage, no auth etc.

Yes, the pages can publish illegal information, be set up as phishing hubs, but none of that is as a result of JS being executable. Web hosts all have exactly the same risks to deal with, their users can also host anything they wish.

The owner's challenge is with the content they are opening up to hosting, and it will become an overhead to police that. If they decide to add buttons like "report content" then those will be able to be hijacked by the publisher and become useless.


Google will flag the entire domain in Safe Browsing. Unless you are a big company with a legal team, getting off the Safe Browsing flag list is a days or weeks long nightmare.

How are they isolated if you can inject JS that downloads resources from anywhere else? I mean, just to start:

- You have no CSP header that I can see.

- You do expose the server version in the headers, though.

- The site is available at a non-SSL-secured domain.

- There's no X-Frame-Options, X-Permitted-Cross-Domain-Policies, etc.
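The list above is the kind of thing a header audit catches mechanically. The following is an added example (not code from thoughts.page or any project mentioned here) that checks a response's headers for each item in that list: missing Content-Security-Policy, a Server header that leaks a version, a site reachable over plain HTTP, and missing X-Frame-Options / X-Permitted-Cross-Domain-Policies. It assumes the "etc." covers X-Content-Type-Options as well. The two responses at the bottom are constructed for the demonstration, not captured from the site.

```python
"""Security-header audit (added example; not code from thoughts.page).

Checks a response's headers for the gaps listed in the comment above.
The WEAK and HARDENED header sets are constructed, not captured.
"""
import re


def audit_headers(headers: dict, scheme: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # transport: the page itself must not be reachable over plain HTTP
    if scheme != "https":
        findings.append("served over plain HTTP; redirect to HTTPS")

    # CSP: absent entirely is the finding from the comment
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")

    # information disclosure: a version number in Server (e.g. nginx/1.18.0)
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header discloses a version: {server!r}")

    # clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    xfo = h.get("x-frame-options", "").upper()
    has_frame_ancestors = "frame-ancestors" in (csp or "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append("no clickjacking protection "
                        "(X-Frame-Options or CSP frame-ancestors)")

    # Flash/PDF cross-domain policy files: 'none' disables them
    if h.get("x-permitted-cross-domain-policies", "").lower() != "none":
        findings.append("X-Permitted-Cross-Domain-Policies missing or not 'none'")

    # MIME sniffing (assumed to be part of the comment's 'etc.')
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


# constructed: roughly what the comment above describes
WEAK = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html; charset=utf-8",
}

# constructed: the same response with every check satisfied
HARDENED = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    for label, hdrs, scheme in (("weak", WEAK, "http"), ("hardened", HARDENED, "https")):
        print(label, "->", audit_headers(hdrs, scheme) or "no findings")
```

On the constructed weak response every check fires (six findings); on the hardened one the list is empty. For a site that deliberately hosts user-supplied HTML and JS on subdomains, the CSP and frame-ancestors checks are still worth running on the parent domain's own pages (login, billing), which is where a policy actually protects something.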


My point is, the service simply hosts HTML, ostensibly this is the same as any consumer web host. So whatever attack vector you can think of exists on Dreamhost or Godaddy pages, for instance.

I understand, but you can't have it both ways: You can either build a minimal Twitter clone that limits user-submitted content and not worry too much about security/abuse, or you can build a web host. The latter entails a comparatively enormous amount of responsibility you don't seem keen to take on.

I have worked for companies that offered commercial web host services and it is a massive security undertaking. I'm still not 100% convinced it's possible to offer a profitable, truly secure web host without compromising on feature set.

You become a pastebin of malicious JS.

https://nsfw-attack-demo.thoughts.page/

(not actually NSFW, just there to serve a point)


This is not called XSS.

This is just user generated HTML on subdomains.

GitHub does the same on github.io. Everybody can make a theirname.github.io page and alert whatever they like too.

So does GitLab on yourname.gitlab.io, WordPress on yourname.wordpress.com etc. It is a common practice.


Agreed.

That's only an issue if this is possible for comments. The current behavior is working as intended I'd say.


Tools such as ZAP and Burp Suite are great for web devs who want to learn how to build secure websites. I highly recommend them:

https://owasp.org/www-project-zap/

https://portswigger.net/burp


The creators of Burp Suite have some courses as well: https://portswigger.net/web-security

Plus there's no "nofollow" on links, doors opened for spammers!
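Adding `rel="nofollow"` to user-submitted links is the standard mitigation for the spam incentive mentioned above. The following is an added example, not code from thoughts.page: a small rewriter built on the standard-library `html.parser` that adds `nofollow ugc` to every anchor's `rel` attribute (merging with any tokens already present) while passing the rest of the markup through untouched. The sample HTML in it is constructed.

```python
"""Add rel="nofollow ugc" to every link in user-submitted HTML
(added example; not code from thoughts.page). Sample input is constructed.
"""
from html import escape
from html.parser import HTMLParser


class NofollowRewriter(HTMLParser):
    """Re-emits the document, adding nofollow/ugc to every <a> element."""

    def __init__(self):
        # keep entities as written so the output stays byte-for-byte close
        super().__init__(convert_charrefs=False)
        self.out = []

    @staticmethod
    def _tag(tag, attrs, self_closing=False):
        parts = [tag]
        for key, val in attrs:
            # HTMLParser unescapes attribute values, so re-escape on output
            parts.append(key if val is None else f'{key}="{escape(val, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    @staticmethod
    def _with_nofollow(attrs):
        tokens = (dict(attrs).get("rel") or "").split()
        for token in ("nofollow", "ugc"):
            if token not in tokens:
                tokens.append(token)
        return [(k, v) for k, v in attrs if k != "rel"] + [("rel", " ".join(tokens))]

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = self._with_nofollow(attrs)
        self.out.append(self._tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def add_nofollow(html: str) -> str:
    """Return html with rel="nofollow ugc" on every anchor."""
    parser = NofollowRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # constructed sample of a user post containing two links
    sample = ('<p>see <a href="https://example.com/?a=1&amp;b=2">x &amp; y</a> '
              '<a rel="me" href="/">me</a></p>')
    print(add_nofollow(sample))
```

The `ugc` token is the search-engine hint for user-generated content; `nofollow` alone is also understood. Because the parser unescapes attribute values, the rewriter re-escapes them with `html.escape` on output, so an `href` containing `&amp;` comes back as `&amp;` rather than a bare ampersand.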

What's the output for alert(document.domain)?

https://liveoverflow.com/do-not-use-alert-1-in-xss/


The output is hacker.thoughts.page

Have you reported this to the creator? Their email is in a couple of places.

Yes I have. And as they have noted in one of the comments above, they are currently looking for ways in which this could cause a threat

Oh boy. Didn't think I'd see something like this in $CURRENT_YEAR.

I didn't either until I started my current job back in April and found them in a frenzy trying to firstly figure out what XSS is and secondly trying to patch all their systems before the end of the month. Fun times.

oh boy! well done for spotting that

Thanks

It reminds me of a spark file: https://lifehacker.com/defrag-your-brain-with-a-spark-file-5...

As usual I wouldn't put something so private on someone else's computer. I don't even put my supermarket list on the cloud!


Did anyone else notice the reflow hack(?) using JS on the H1 title as well? As a backend guy, just curious whether this JS-assisted way of responsive Web development is commonplace/best practice, and if this is how it is usually done today.

I guess it is to keep the title and navbar buttons level on wide screens.


There's probably a way to achieve something similar (though not exact) with just CSS. Their approach allows those buttons to jut right up against the title no matter how wide it is.

Personally I would have just hardcoded the breakpoint where that reflow happens and made sure that those buttons can never overlap the main content area. My preference is to avoid relying on JS for layout, whenever possible, for the sake of simplicity.


Slightly off-topic, but I've noticed that the ToS is based on http://wordpress.com/tos which is licensed under CC. I wonder if it's safe to use and anyone else uses it with "success".

I used it at a previous startup which got up to 1MM ARR. It’s pretty great that it exists.

I wish there were kind of a Twitter where people would just post their thoughts (even those controversial), there would be no marketing of any kind, no personality and no flame wars. And all the posts would be organized by subjects.

A blog?

A microblog. But without strict length limits. Also without post titles. Without comments, responses and mentions. Without personal branding. Easy to discover together with many others. Easy to subscribe. Quick to read. Controversial thoughts allowed but guarded both against attacks by those who disagree/dislike and against abuse by bots/propaganda/marketing. Monetization/promotion not allowed.

Sounds like how blogs used to be (and even how Twitter and others were, too).

I wonder if the lack of interaction will just make people try to build workarounds to interact in other ways. For example, AFAIK, early Twitter had people use RT and other techniques to spread and/or reply to tweets even though the platform didn't have those functions itself.

How do you imagine this platform would deal with that desire to interact more with each other?


I think that can be accomplished with WordPress (or a similar blogging platform)...I suppose it would simply take tweaking the template/site settings to not expose features like comments, post titles, etc. Maybe WordPress might be overkill, but I think what you desire is achievable with an existing blogging platform out there.

But it would still be hard to discover.

As a reader I imagine going to a specific website, choosing a topic and immediately seeing a stream of genuine thoughts of many different people on it.

As a writer I would rather go to GitHub pages with a tweaked theme. WordPress is a huge overkill with a huge pile of problems.


> ...As a reader I imagine going to a specific website, choosing a topic and immediately seeing a stream of genuine thoughts of many different people on it....

I see your point. I made an assumption that the separate websites would in fact be separate, and not living under a singular umbrella of discoverable content. What you described is still achievable - either via walled gardens (where content is centralized and more easily discoverable), or through looser connections such as web rings, and even search engines. Also acknowledged that WordPress is total overkill...it was just an example that the tech exists to achieve what is desired. ;-)


Here's mine if anyone's interested in seeing how it looks before making one:

elias.thoughts.page

Look or don't. It is your free will.


is it just me, or is tweeting into the void kinda sad?

It’s certainly healthier I’d bet.

I dunno, would need data on that. I would think tweeting into the void is more symptomatic.

> ...is tweeting into the void kinda sad?

No, I think it's brilliant. I think we'd see more interesting writing on the internet if it didn't always start with the goal of acquiring and maintaining an audience.


Really? I don't know many authors who are motivated to write interesting content and then hide it / have zero idea if anyone is reading it.

It's not hidden. It's just not connected to an internet-style social network. Interest can still spread through word-of-mouth, even if the platform doesn't provide any tools for audience measurement and management. It's akin to a 'zine from the pre-internet days, except it doesn't cost as much money to distribute.

EDIT: A 'zine isn't a perfect analogy, since someone who published it would know how many they printed. A freely copyable newsletter would probably be a stronger analog.


How do new accounts start on twitter then?

True, and also feels to me kinda egocentric to genuinely not care of any feedback or interaction with the reader, but I know a lot of people like that, so it probably is just us...

Tweeting is just (micro)blogging. Does every blog without a comments section seem sad to you? That's silly.

As long as it’s public, someone is going to link it and the community explains how it actually happened and what a complete moron you are, so you’ve got it covered.

If you’re doing sudo cat | sed -e s/\n/\n#\ / >> /etc/resolv.conf, that’s sad indeed


I feel the same.

To me this is similar to journaling.

> i can appreciate the self loathing of someone who says they work on "merkle trees" instead of blockchain tbh

> like, yeah bro we all get what you're saying but i'm glad you at least realize you should be ashamed of it [1]

Thank god thoughts like these can finally be shared in a better way… cute project but by someone who apparently doesn’t appreciate what other people work on.

[1]: https://wesleyac.thoughts.page/#1631439916


It's a joke.

This one looks pretty good. I like that they let pages outside of thoughts.page into the webring.

Another nice minimalist one is https://micro.blog/ It has mentions, but "strong community guidelines that are enforced" (from the homepage).


I also like .plan files and finger

nice! I've wanted to establish something similar but also the ability to tag thoughts. I have thick binder-clips of post-it notes with a similar function but how do I explore them later beyond timestamp order? Also: voice notes with a similar issue.

Nice idea, clean and fast (minimal) page, good overall execution, excellent pricing model (hope it covers their running costs) but I see a small problem with moderation and people abusing this service to post inappropriate material.

What's the purpose of not capitalising the first letter of each sentence? They really commit to it since even the tos and privacy pages are written like this. In case it's not obvious, it's less readable that way.

Probably to give the impression of hastily scribbled down thoughts and ideas.

A platform where I self-censor my real thoughts for some signaling purpose, neat.

How would this be different than a Twitter account with replies disabled?

sorry to crash here, but I've made a version of it before. If people want to try it and give some feedback: https://logfile.app

Doesn't scale properly on mobile (android, chrome), don't know if that's super important though.

Thanks for bringing it up. Will update soon. Is it the editor?


I LOVE THIS! I'm going to use it so much

Why not just write thoughts on notion?

has this page been hugged to death? can't access it right now.

Very nice idea

RSS support?


Meh, GitHub pages is free

True, but GitHub Pages requires more time to set up your website: create a new GitHub account (if you don't have one already), create a repo for your website, create your website, push that website to your repo, and even then, you still have to set up your website for blogging, which is going to take you from a few minutes to a few days depending on what you use to create the website and how lazy you are.

I just set this blog up in under a minute: https://bachmeil.github.io/blogdemo/

I can edit in the browser using VS Code. I clicked two buttons to set up Jekyll.


How do you edit it in the browser?


