It's definitely not perfect, but I think both of those issues are better now, if not fully solved.
For needing a DB at compile time, there's an option to have it produce artefacts on demand that replace the DB, although you'll need to connect to a DB again each time your queries change. Even that is all optional though, if you want it to compile time check your queries.
For anyone else interested, the way this was explained to me a while ago was to look at the failure mode after an H. For Alice, her failure for HT is HH, therefore her next flip can land on T, completing the sequence. For Bob, his failure mode is HT, so he now needs to flip an H before he can try for the 2nd H.
Interesting! So it does. However Firefox does hide the URL bar on other pages! I'll try to figure out what the logic is in Firefox, and whether there's an equivalent trick to hide the URL bar ...
Just to be clear, you're referring to the real Firefox address bar (pointing to TFA), not the fake Chrome address bar (pointing to hsbc.com). So yes, in this case Firefox has (accidentally?) somewhat thwarted this attack vector.
I noticed this as well. I'm wondering if FF is smart enough to always show its own title bar if a CSS element is pinned to the top of the viewport? Gotta do more testing ...
There are tools available to strip Docker images down to a specified file list. By listing only the absolute minimum of files your application needs you can cut the surface down even further. Do you really need bash on the container, for example?