
We've come full circle. They've invented Rust to do Servo with it.

Even the AI gets lost in the parentheses.


Why would the browser ever expose an extensions API to a web page? Does Firefox do this as well?


The "The Attack: How it works" section explains how it works. It's not an API.

I am a little surprised something like CORS doesn't apply to it, though.


So these extensions allow LinkedIn to do this, though; it's literally them saying "yes, this site can ping this resource" - called "web_accessible_resources".

This is fair from LinkedIn IMO, as I've seen loads of different extensions actually scraping the LinkedIn session tokens or content on LinkedIn.


It's not the extension developer who should decide this, but the browser user.


On what would the browser user base their decision?

If an extension injects an icon into the DOM of the page, then the resulting `img` tag needs to put something in its `src`.

The extension author may choose to use the `data:` scheme, but that's a development-time decision.


> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.

It's not clear, though, whether they only tested against Chrome-based browsers or Firefox doesn't enable them to do so.

edit: I answered before I went fully through the article, but it does say it's only Chrome-based.

> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.


Firefox uses a UUID for the local extension URL per extension, so you can't search for hardcoded local URLs.
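As an added example (not from this thread or the article it discusses), here is a small audit an extension developer or reviewer could run over an MV3 manifest's `web_accessible_resources`, since those entries are what let a page probe stable `chrome-extension://` URLs. The manifest, extension name and resource paths are constructed placeholders; `use_dynamic_url` is Chrome's MV3 option for a per-session resource URL, roughly the analogue of the per-install UUID mentioned above for Firefox.

```javascript
// Added example: flag web_accessible_resources entries that any web page
// can probe by a stable URL, which is what enables extension fingerprinting.

// Constructed sample manifest; name and paths are placeholders.
const sampleManifest = {
  manifest_version: 3,
  name: "Example Extension (placeholder)",
  version: "1.0",
  web_accessible_resources: [
    // Weak: reachable from every origin at a stable URL.
    { resources: ["icons/badge.png"], matches: ["<all_urls>"] },
    // Better: only the site the content script actually runs on can fetch it.
    { resources: ["ui/panel.html"], matches: ["https://example.com/*"] },
    // Lowest probe risk: URL is regenerated per session, so a hardcoded
    // chrome-extension://<id>/icons/inline.svg no longer answers.
    { resources: ["icons/inline.svg"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

// A match pattern that covers every host: "<all_urls>", "*://*/...", "https://*/...".
function matchesAllHosts(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// One finding per entry, with a severity for how easily a page can probe it.
function auditWebAccessibleResources(manifest) {
  const entries = manifest.web_accessible_resources ?? [];
  return entries.map((entry, index) => {
    const matches = entry.matches ?? [];
    const exposedEverywhere = matches.some(matchesAllHosts);
    const dynamic = entry.use_dynamic_url === true;
    let severity = "medium";                       // only listed sites can probe
    if (exposedEverywhere) severity = dynamic ? "low" : "high";
    return { index, resources: entry.resources ?? [], matches, dynamic, severity };
  });
}

// Resources a developer would want to restrict first.
function highRiskResources(manifest) {
  return auditWebAccessibleResources(manifest)
    .filter((finding) => finding.severity === "high")
    .flatMap((finding) => finding.resources);
}
```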


What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome?


> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.




A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based.

I feel like this is obvious and you know that this is the exact mistake being made, but rather than drop an actual correction, you take the insufferable approach of pretending you don't know what's happening and forming the correction as a question.


> A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based

This seems to be a case where the poison seeps through the cracks. From Google and Chrome to other Chromium-based browsers. In very correct ways, in this case, they are Chrome-based.


From "The Attack: How it works", it's just checking the user agent string:

    function a() { return "undefined" != typeof window && window && "node" !== window.appEnvironment; }

    function s() { return window?.navigator?.userAgent?.indexOf("Chrome") > -1; }

    if (!a() || !s()) return;


I was under the impression Firefox randomises extension IDs on install, so hopefully not?


They seem to be calling `chrome-extension://.....`, so I don't think it applies to Firefox.


The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream".

I'm happy to see that this doesn't hit Firefox. I wonder if Safari is impacted.


Well, it is a microslop product, what do you expect?


Double Commander. It is awesome.


Go freely on Linux. Did that switch myself a few years back. Double Commander is an exact copy with the same (and configurable) shortcuts.


If it weren't for HN I would get a glimpse of how life is on Bluesky.


What's with this Tailscale thing everybody is talking about like it's a cure for cancer?

What's wrong with good old wg alone?


It has excellent built-in NAT traversal (almost always peer to peer via hole punching etc., with relay nodes only when everything else fails) and a point-and-click management plane (but also powerful ACLs if you need them).

The former is mainly what I use it for. Being able to SSH to a Raspberry Pi behind sketchy triple-NATted hotel Wi-Fi or being able to use an Android phone in a different country as an "exit node" for online banking (many banks hate commercial VPNs) is very neat.


I have machines on 3 cloud providers and 2 sites that talk to each other via it, plus a seamless mobile experience. It sets everything up for you, zero hassles.


amen


The FCC is the "physics" equivalent of the Easter Island statues. A useless resource sink with no prospective productive outcome whatsoever.

