The "unexpected" part is that the browser automatically fills some headers on behalf of the user, that the (malicious) origin server does not have access to. For most headers it's not a problem, but cookies are more sensitive.
The core idea behind the token-based defense is to prove that the origin server had access to the value in the first place such that it could have sent it if the browser didn't add it automatically.
I tend to agree that the inclusion of cookies in cross-site requests is the wrong default. Using SameSite fixes the problem at the root.
The general recommendation I saw is to have two cookies. One without SameSite for read operations, which allows you to gracefully handle users navigating to your site. And a second SameSite cookie for state-changing operations.
Didn't it happen once? Southern Democrat great electors voted for the Republican vice president, because the Democrat vice president had a non-white wife, and this was forbidden under US law?
Maybe the Framework company wants to build something out of the clutches of proprietary software and big corp hardware. And that's fine. Since they don't have the volumes to make enough money they may have to charge more per laptop, which is fine.
But if they want to have me as a customer on these core values (which I'm pretty much aligned with), then they need an additional core value: they need to convince me their higher price is justified. So I want transparency on the way they use my money (and the one of their other customers).
Without that, I'm left wondering if it is not some "green washing".
IOW I'm sure Apple is expensive because it's luxury, I'm sure other laptops are not expensive because they're cheap/sold by millions. But Framework, I don't know why they're expensive. And repairability doesn't count; designing for repairability doesn't make things inherently more expensive, I guess.
There's a famous quote that says we all die twice, once when we physically die and a second time when we are truly forgotten by humanity. It's attributed to lots of different people. https://quoteinvestigator.com/2025/10/15/die-twice/
The simplest way to prevent CSRF is to use the Referer header, and that has been used since forever. If the header is missing, you no-op the POST. Origin is similar, and can be used with Referer as fallback, but it's not needed for most sites.
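A worked version of the two-cookie pattern from the earlier comment combined with the Origin check with Referer fallback from this one, as an added example that is not from any of these comments; the cookie names, the app origin `https://app.example` and the function names are assumptions:

```python
# Added example (not from the thread). Assumed: our origin is
# https://app.example, cookies are named read_sid / write_sid.
from __future__ import annotations
from urllib.parse import urlsplit

SITE = "https://app.example"            # assumed own origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def session_cookie_headers(token: str) -> list[str]:
    """Two Set-Cookie headers for one session: a read cookie that still
    arrives on top-level navigations from other sites (Lax), and a write
    cookie the browser withholds on every cross-site request (Strict)."""
    base = f"{token}; Path=/; Secure; HttpOnly"
    return [
        f"Set-Cookie: read_sid={base}; SameSite=Lax",
        f"Set-Cookie: write_sid={base}; SameSite=Strict",
    ]

def same_site_origin(headers: dict[str, str]) -> bool:
    """Origin check, falling back to Referer; both missing -> reject.
    An Origin of 'null' has no scheme/netloc and therefore fails too."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE

def parse_cookies(header: str) -> dict[str, str]:
    """Split a Cookie header into a name -> value map (first '=' only)."""
    out: dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out

def authorize(method: str, headers: dict[str, str],
              sessions: set[str]) -> tuple[bool, str]:
    """Safe methods need only a valid read cookie. State-changing methods
    need the Strict write cookie AND a matching Origin/Referer, so a
    cross-site form post is refused even before the token is examined."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    if method.upper() in SAFE_METHODS:
        return (cookies.get("read_sid") in sessions, "read")
    if cookies.get("write_sid") not in sessions:
        return (False, "no write cookie (cross-site or unauthenticated)")
    if not same_site_origin(headers):
        return (False, "origin mismatch")
    return (True, "write")
```

A real deployment would additionally keep the per-request token the earlier comment describes; this block only shows the layers the cookies and headers provide on their own.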
By prime time I mean being comfortable enough to install it for a non-technical user. Even during Ubuntu's Unity days it didn't feel like I could install it on a computer for my parents or siblings for them to use as a daily driver.
Merry Christmas y'all and happy holidays. I can't put into words how much I appreciate the culture on HN and the conversations I've been a part of. It's the only social media site where I enjoy reading my historical messages; I can see exactly how much I have grown and learned. I am thankful for the moderation and self-moderation.
I will continue trying to give back, in a small way, what the HN community has given me. Happy holidays.
I'm okay with spending $1000 on a screen and chassis, under the impression I upgrade the computer every 2 years. Unfortunately, when a mainboard costs $1000, it's cheaper to buy a new machine every 2 years. This shouldn't be the case... Look at the Chinese producing MoDT boards with full IO for $300 (likely the same shops who work with Framework).
I like Framework in the sense that I can Ship of Theseus my laptop the same way I can with a desktop, but at the end of the day, the premium is outrageous. If third parties start making Framework-compatible boards I'll buy into the ecosystem.
The FSF isn't here for large organisations. It's here for us, the public. You can't really expect any entity to fund something that isn't in their interest. Even if they did it would be more for a PR piece and they'd cut it as soon as they could. That's why it's important that we (the public) fund organisations that fight for us.
Thank you, but I still don’t understand how to operate this.
I created several products in Stripe for the business of SaaS 1 website, and also created several products for the business of SaaS 2 website— which is a completely different one. However, I noticed that the webhook endpoint of SaaS 1 receives payment events related to SaaS 2, and vice versa.
The problem with LLMs using full-text-search is they’re very slow compared to a vector search query. I will admit the results are impressive but often it’s because I kick off an agent query and step away for 5 minutes.
In languages where placement doesn't matter, like C/JS, I prefer leading booleans. It makes it much easier to see the logic, especially with layers of booleans.
After going through a period in life in which I only survived due to one person who knew me well, and knew how to take care of me, I ran into a group fundraising for an anti-suicide initiative.
I was immediately interested to hear of what interventions the group was spearheading, or intending to. I just couldn't imagine what well meaning strangers could have done that would have done anything but let me know that these were people I wouldn't want to mention my situation to.
Despite my genuine interest, nobody could tell me anything that they were aware of to help people at risk, except to circle the strong implicit view that fundraising, fundraising group recruitment, and suicide awareness campaigns enabled by fundraising are all important ways to combat suicide.