[HN Gopher] Show HN: A Chrome extension to see notifications for...
___________________________________________________________________
Show HN: A Chrome extension to see notifications for comments on
your HN threads
Author : unamashana
Score : 65 points
Date : 2021-03-26 11:14 UTC (11 hours ago)
(HTM) web link (chrome.google.com)
(TXT) w3m dump (chrome.google.com)
| unamashana wrote:
| Hey HN!
|
| We made a Chrome extension to notify you of new comments on your
| stories and comments.
|
| Once installed, it adds a bell to HN's header and shows new
| notifications in real-time. Clicking on the bell loads a
| notification inbox with easy access to all your notifications
| with a clear distinction between the read/unread ones.
|
| Unlike some other options like HN replies, here are the key
| differences
|
| We don't ask for your email address - we use the HN cookie to
| identify you. There is no setup beyond adding the extension.
| Apart from on-page notifications, you can also subscribe to web
| push notifications.
|
| We are using the HN Firebase API to get a real-time feed of
| notifications, and our startup, [MagicBell (YC
| W21)](https://magicbell.io), to power the notification inbox. We
| built this extension because we found it hard to keep track of
| our [Launch HN
| thread](https://news.ycombinator.com/item?id=26037645) comments.
|
| We want to build a version for Firefox & Safari, and if you'd
| like to know when they go live, please follow us on
| [Twitter](https://twitter.com/magicbell_io). Dozens of early
| users have tested the extension, but if you run into any issues,
| please tweet at us, and we'd be more than happy to help you with
| it. We'd also love to hear your ideas on additional functionality
| you'd like to see.
| gruez wrote:
| >We don't ask for your email address - we use the HN cookie to
| identify you
|
| does this extension contact any servers apart from hn itself?
| unamashana wrote:
| It contacts magicbell.io. HN does not provide an API that we
| can query in real-time to fetch your notifications.
| koolba wrote:
| Why do you need a cookie at all? All the HN comments are
| public so once you've ascertained the handle you can query
| the API for any user to diff for changes.
| gruez wrote:
| I just checked the cookies on hn and there's only one, with
| the format of: user=gruez&[redacted]
|
| Are you sending the entire session cookie, or just the part
| with the username?
| unamashana wrote:
| The entire session cookie to validate your login.
| Unfortunately there is no other reliable way to do so.
| gruez wrote:
| That sounds dangerous. By sending the full cookie you're
| allowing yourself to hijack any of your user's sessions.
| That's a big security risk. Is there a reason why you
| need to "validate" someone's login? If someone wants to
| get notified about my comments, so what? There's nothing
| secret about it, they can just go to
| https://news.ycombinator.com/threads?id=gruez and get a
| live feed.
| unamashana wrote:
| While the comments themselves are open, their state in
| your MagicBell inbox isn't. If we didn't have a way to
| validate identity, we wouldn't be able to make sure your
| notifications can't be deleted/marked read by someone
| else.
| usmannk wrote:
| Why not drop a local cookie yourself for state?
| unamashana wrote:
| That doesn't prevent someone from being able to
| impersonate you. The only alternative would be for HN to
| provide oauth access to your profile info.
| jjeaff wrote:
| Perhaps you could hash the session id, with a secret salt
| on server side. Then you could discard the original and
| store and pass along the hashed session id. That way,
| anyone you send it to would not be able to impersonate
| the hn user. You could also hash with a different salt
| before sending to a 3rd party so that they would not be
| able to impersonate someone's account in your extension.
| unamashana wrote:
| Just to be clear, we simply validate your session by
| requesting the page with your cookie and seeing if we get
| a logged in page. We never send your info to any third
| party.
| pvg wrote:
| For the purposes of authenticated interactions between HN
| and the user, _you_ are the third party who now has full
| access to the user's account. App/extension stores
| generally take a dim view of/outright prohibit this
| because of its high abuse potential.
| linkdd wrote:
| You can claim whatever you want to claim, we
| unfortunately have no way to ensure that this is true.
|
| This is a security hazard, period.
|
| While the feature is nice, and I like the design of the
| notification dropdown, this is a risk I (and probably
| many) won't take.
| pvg wrote:
| Aren't you (magicbell) gaining the persistent ability to
| impersonate any HN user who installs this extension? That
| seems like a much more serious problem than someone being
| able to impersonate your magicbell hn notifications. It
| sounds like you're saying that because HN has no
| fine-grained oauth delegation, it's ok to silently hijack
| users' HN accounts. That can't be right.
| danShumway wrote:
| > That doesn't prevent someone from being able to
| impersonate you.
|
| But why is that a problem? If somebody wants to get
| notified of replies to my comments, let them.
|
| I understand why you need a unique token so that
| collisions don't happen, but that token doesn't need to
| be one-to-one unique with Hackernews usernames. It's OK
| to have two unique tokens that are separate from my
| session cookie that point to me as a user, and to have
| the "read" status be per-token, not per-user.
|
| More to the point, why does this read status and
| everything need to be stored serverside for a browser
| extension? Where are you putting this information where
| you're worried about collisions with random internet
| users, why have it leave the browser at all?
|
| You don't need a unique token if you're not storing
| everything in a centralized location off-device, the
| browser profile that's using the extension is itself the
| unique token. Why does anything need to be transmitted
| anywhere? Let the extension store the read statuses
| locally on my device, then there's zero chance of them
| colliding with anybody else's installation.
| dgellow wrote:
| That's a complete deal breaker.
|
| Also, your chrome web store page says "The publisher has
| disclosed that it will not collect or use your data". But
| you do collect and use users session cookie.
|
| And your linked privacy page has no content (it is
| literally an empty page at the current time):
| https://magicbell.io/privacy-policy.
| unamashana wrote:
| Sorry about the oversight in the chrome store page. We'll
| fix that asap. The privacy policy page has a link to the
| privacy policy hosted by Iubenda if you have Javascript
| disabled. If you have Javascript enabled, the privacy
| policy renders inline.
| dgellow wrote:
| I do not disable javascript but use an adblocker.
| lbj wrote:
| This is awesome. I'm an enthusiastically lazy HN commenter and
| I've missed many insightful replies because I forgot to check.
| kevsim wrote:
| We used this extension the other day for our LaunchHN [0] where
| we got 175ish comments. It was super useful, both to get
| notifications in macOS, but also to be able to page through
| the comments and see the read/unread ones. Definitely keeping
| this extension installed!
|
| 0: https://news.ycombinator.com/item?id=26540692
| jack_riminton wrote:
| This is great hacking!
|
| Do you have a blogpost of how you built it?
| unamashana wrote:
| Thank you! No blog post yet but your comment has inspired me to
| write one :)
| Abishek_Muthian wrote:
| Congratulations on the launch!
|
| You are addressing the need gap - 'On-demand Hacker News
| notification'[1] posted on my problem validation platform. You're
| welcome to explain how you're solving that problem with the link
| to your extension.
|
| [1] https://needgap.com/problems/144-on-demand-hacker-news-notif...
| unamashana wrote:
| Thanks! Like you mention on that page, the ability to follow
| threads without having to comment on them would be great. It's
| next on our list of features.
| loevborg wrote:
| If you reply to this comment, I'll get a reply notification via
| Web Push. Blows my mind that adding a realtime feature like this
| through a little extension is even possible.
|
| Impressive use of MagicBell too!
| moreati wrote:
| If you're willing to share your HN username, and an email address
| there's http://www.hnreplies.com/. I've used it for several
| years. Previous discussions
| https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
| j4yav wrote:
| I've always been curious, is there a stated reason why HN doesn't
| have the feature natively? Is it meant to avoid too fast back and
| forth comments or something?
| foodstances wrote:
| It had notifications when YC was funding Notifo, but they went
| out of business.
| dang wrote:
| Yes, and generally avoiding tricks to increase engagement. I
| don't think it was consciously thought through--we just (going
| back to pg) have an instinctive aversion to that. Also, since
| HN isn't a startup that has to grow at all costs, we have the
| luxury of not needing to.
|
| It fits with trying to optimize for (intellectual) curiosity:
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor....
| If something is interesting enough, you'll be motivated to look
| at it. If you're not motivated, probably you're more interested
| in something else and should look at that instead.
| corytheboyd wrote:
| I'd be curious to hear the official reason too! I don't miss
| the feature, really, I don't necessarily want push
| notifications for HN activity, but am just curious!
| asdff wrote:
| For those without chrome you can achieve similar functionality
| with RSS feeds:
|
| https://hnrss.github.io/
| richeyryan wrote:
| Any chance of a Firefox addon?
| unamashana wrote:
| Yes, absolutely! Working on that next. How do we notify you
| when it's ready? You can email me hana [at] magicbell.io and
| I'll email you just once when it's ready.
| alex_g wrote:
| How about a Safari Extension?
| unamashana wrote:
| We'd love to but my guess is Apple hasn't made it easy to
| do :) FF and chrome are pretty close in terms of their
| plug-in architecture.
___________________________________________________________________
(page generated 2021-03-26 23:01 UTC)