fsebugoutzone.org:9999

Post AP42tXbptRWg75nI5Q by noracodes@weirder.earth
(DIR) More posts by noracodes@weirder.earth
(DIR) Post #AP42tXbptRWg75nI5Q by noracodes@weirder.earth
2022-10-29T14:48:17Z

0 likes, 0 repeats

So I figured I’d look into what all Cohost’s webapp entails. This is a bit of a long thread, full of links to copies of what my personal browser receives from their site at this point in time. Strap in!

(DIR) Post #AP42tXzEUSF1HejyYS by noracodes@weirder.earth
2022-10-29T14:48:34Z

0 likes, 0 repeats

Upon loading the profile page, you get an HTML document that is... not the worst thing in the world! You get my header, my profile picture, a bunch of useless button icons (because they&#39;re JS, not forms), and several logos, along with post text and links.Since they use React, I assume this is SSR&#39;d for SEO purposes. If it were possible to log in without JavaScript it would be a pretty acceptable text-mode experience.

(DIR) Post #AP42tYcE9TQvEaz7Kq by noracodes@weirder.earth
2022-10-29T14:48:43Z

0 likes, 0 repeats

This is followed by a CSS “client.&lt;cachebuster&gt;” file (prettyified reference: https://bin.nora.codes/p/zWRHRN.css ) which I assume is compiled from SCSS, since it’s 5500 lines long, followed by no fewer than eleven JavaScript files. They use SimpleAnalytics, and FreshWorks for their bug reporting tool.

(DIR) Post #AP42tYzGlnrgO3lWFc by noracodes@weirder.earth
2022-10-29T14:48:50Z

0 likes, 0 repeats

Now we’re getting to some real content! You get the two images (profile pic and banner) and three localization JSON files – “client.json”, “common.json”, and “server.json”. Client includes things like “post-editor.broken-attachment” describing why your attachment failed to be attached, and “followers.empty”, describing just how lonely your account is.

(DIR) Post #AP42tZORGDzve7XcTw by noracodes@weirder.earth
2022-10-29T14:48:59Z

0 likes, 0 repeats

It also includes warnings about locked and banned accounts, which gives some insight into their moderation tools, and some rather cute names for items (also, emoji as icons, oh no). (ref https://bin.nora.codes/p/g2Vi2l.json)common.json and server.json are similar, but less interesting.

(DIR) Post #AP42tZr9XSxz5AyYEq by noracodes@weirder.earth
2022-10-29T14:49:11Z

0 likes, 0 repeats

After these translation files, we get an Unleash Proxy JSON object (https://docs.getunleash.io/sdks/unleash-proxy), so we know what they’re using for feature flags. Interestingly, Cohost Plus is handled as a feature flag, as are the notification feed and some other things I’m not sure about. You can see my flags here. https://bin.nora.codes/p/Drd8kk.json

(DIR) Post #AP42taHjwcEYPdPmgC by noracodes@weirder.earth
2022-10-29T14:49:59Z

0 likes, 0 repeats

After that comes something interesting. Cohost pages are called “projects”, and projects.json (ref for mine: https://bin.nora.codes/p/lxvMAv.json) includes enough data about all projects associated with your account to fully load the project’s profile page. Yet, when switching projects, you get a full page reload, including this JSON file! All the heartache of an SPA with no benefit, at least not for the users.

(DIR) Post #AP42tajkGUdRoUW9Ka by noracodes@weirder.earth
2022-10-29T14:50:17Z

0 likes, 0 repeats

This is followed by more FreshWorks CSS and JavaScript (didn’t we just see a bunch of that?) and something called FaviconLoader makes some requests for, well, the favicon. (Why not just use a meta tag?) Then we get MORE FreshWorks JavaScript, and finally two more JSON files.

(DIR) Post #AP42tbAgeKBbA37fKC by noracodes@weirder.earth
2022-10-29T14:50:26Z

0 likes, 0 repeats

These JSON objects are the big ones. First, some more user preferences (ref https://bin.nora.codes/p/g5fmPr.json) followed by 144k to communicate the 20 posts on my personal timeline. (ref https://bin.nora.codes/p/6NeiKt.json) This JSON also includes the full post descriptions, not just content and IDs, for the parents of those posts, which explains https://cohost.org/noracodes/post/149377-how-comments-on-sha .

(DIR) Post #AP42tbaD7QbQRD436m by noracodes@weirder.earth
2022-10-29T14:50:34Z

0 likes, 0 repeats

See, Cohost does SSR, which means they’re rendering the whole page on the server, shipping it to me, and then running React to actually make it interactive. That means this rendering process has to be done twice, although the second time won’t actually make any (or, many) changes to the DOM. So comment counts are essentially calculated in the front-end, but the front-end sometimes runs in the back-end.

(DIR) Post #AP42tbzjaX1FiN0QtM by noracodes@weirder.earth
2022-10-29T14:50:46Z

0 likes, 0 repeats

Anyway. “Full post description” also means all my profile metadata; everything about me and all the posters I’m communicating with is included, in full, multiple times, in the resulting JSON blob. That means it’d be pretty easy to write a robust client using only that feed. It also means I kind of see why the site is so goddamn slow. (It’s also a nice telltale that they’re using GraphQL.)

(DIR) Post #AP42tcQJzgHp2pRfKi by noracodes@weirder.earth
2022-10-29T14:50:56Z

0 likes, 0 repeats

Finally, once the page is loaded, the client makes periodic checks to an endpoint called login.loggedIn, which tells you if you’re still logged in.

(DIR) Post #AP42tcu6Cy6cXBNRkO by noracodes@weirder.earth
2022-10-29T14:51:54Z

1 likes, 0 repeats

Overall, it seems like a pretty bog-standard taped-together React app. It’s definitely no worse than MastoFE or Twitter, but it’s bloated as hell compared to just about anything that isn’t a full React app. The UI polish is there, the performance polish isn’t. I’m sure it’ll come with time.For a group called &quot;anti software software club&quot;, they&#39;re pretty clearly just reproducing existing patterns. It&#39;s not anti software, it&#39;s just software.Thanks for reading!