zlacker

20 comments
1. SkyMar+(OP)[view] [source] 2023-06-12 17:51:02
Mostly agree. The screenshot in the top right looks good, like a professional app I might actually use. But I want to actually browse the site and check it out without first slogging through a registration process. If it’s free to view/browse anyway, then enable doing that without registering. Register and pay if you want to post.

Edit: You can browse without registering after all, here’s the link: https://non.io/#all (didn’t see it on the landing page or OP post).

replies(5): >>neogod+L5 >>willio+lL >>thalli+pU >>synica+ie1 >>Zantho+oz2
2. neogod+L5[view] [source] 2023-06-12 18:10:23
>>SkyMar+(OP)
Oof, I clicked one of those posts and immediately lost all back-button functionality to an endless stream of history events.
replies(3): >>jjcm+K8 >>spc476+WI1 >>oefrha+Lb3
3. jjcm+K8[view] [source] [discussion] 2023-06-12 18:20:43
>>neogod+L5
Was it the "Daniel's Site" post? There are some weird interactions I'm finding with that iframe'd html upload and the history events.
replies(1): >>jefoza+oG
4. jefoza+oG[view] [source] [discussion] 2023-06-12 20:26:27
>>jjcm+K8
As someone who dealt with payment iframes in SPAs, I'm so happy I don't have to use any iframes nowadays. There are a few articles on how you can "kind of track" when the iframe caused extra history entries; then you need to increase your back navigation by the count of them. It was a mess back in the day, so not sure how it is solved nowadays.
replies(1): >>_madma+Ud1
5. willio+lL[view] [source] 2023-06-12 20:45:53
>>SkyMar+(OP)
The fact that this isn't on the landing page doesn't bode well for a 4 year old project.
replies(1): >>javajo+rN
6. javajo+rN[view] [source] [discussion] 2023-06-12 20:54:22
>>willio+lL
Too harsh. That's normal if it's only now seeing light of day.
replies(1): >>willio+b71
7. thalli+pU[view] [source] 2023-06-12 21:24:38
>>SkyMar+(OP)
The marketing page is not readable on mobile either.
replies(1): >>alvare+X21
8. alvare+X21[view] [source] [discussion] 2023-06-12 22:05:40
>>thalli+pU
On Firefox Android, I could read the landing page and browse after creating an account.

I was not able to create an account. (I had to go desktop)

replies(1): >>theK+Gc2
9. willio+b71[view] [source] [discussion] 2023-06-12 22:26:41
>>javajo+rN
Are you being serious? The landing page had 1 job and it failed at doing it. I'm all for reddit alternatives but c'mon, a page showing off a product that fails to clearly link to said product is just funny.
10. _madma+Ud1[view] [source] [discussion] 2023-06-12 23:01:28
>>jefoza+oG
Today you can still use iframes, but most gateways now provide a tokenization API that provides the form to produce the tokenized CC. AFAIK a tokenized CC doesn't fall under PCI.

My big issue with iframes is the checkout process, which inevitably has to make callbacks to your API with the results of the transaction. If you're behind any sort of firewall (like most businesses are) you're in for a world of HTTP pain.

replies(1): >>Wesoly+iA2
11. synica+ie1[view] [source] 2023-06-12 23:03:10
>>SkyMar+(OP)
Aaanndd it's instantly overrun with spam
12. spc476+WI1[view] [source] [discussion] 2023-06-13 02:47:41
>>neogod+L5
I tried right clicking to open the link in a new tab, and found I couldn't. What is it with these bespoke browsers written in JavaScript?
13. theK+Gc2[view] [source] [discussion] 2023-06-13 06:35:56
>>alvare+X21
FF iOS here, front page loads but you get a zoomed in desktop view. Zooming out causes reloads.
14. Zantho+oz2[view] [source] 2023-06-13 09:38:58
>>SkyMar+(OP)
The UI feels like it was designed for mobile as well: everything is on the far edges of the page and the center is entirely blank space unless you resize the window to be smaller horizontally.
15. Wesoly+iA2[view] [source] [discussion] 2023-06-13 09:47:25
>>_madma+Ud1
The payment gateways still use iframes, they just don’t tell you that.

This is also why styling such forms is always some species of wonky.

replies(1): >>abhibe+Ti3
16. oefrha+Lb3[view] [source] [discussion] 2023-06-13 13:44:11
>>neogod+L5
Also, when I visit the #all page I get two weird window.alert()’s, first says 5, second says 1. I’m on mobile Safari now so can’t really investigate, but is the site getting script injected??
replies(1): >>Antony+Kd3
17. Antony+Kd3[view] [source] [discussion] 2023-06-13 13:54:21
>>oefrha+Lb3
Yes, the site is vulnerable to XSS; a couple of interesting payloads on there so far.

The current top post uses this XSS to have users upvote it:

<img src="a" onerror="soci.postData(String.fromCharCode(112,111,115,116,116,97,103,47,97,100,100,45,118,111,116,101),{post:String.fromCharCode(120),tag:String.fromCharCode(120)})">

Which sends a POST request to `posttag/add-vote` for the post labeled `x`.

replies(1): >>lyu072+Sz3
18. abhibe+Ti3[view] [source] [discussion] 2023-06-13 14:20:28
>>Wesoly+iA2
The gateways I use don't, or at least give me the option not to.

Those iFrames cause all kinds of headaches when the user hits the back button or double clicks a submit button or does any number of other things that happen thousands of times a day on a moderately high traffic site, and when it messes up you either miss out on a sale (ouch) or charge the customer twice (double ouch).

replies(1): >>Wesoly+cM3
19. lyu072+Sz3[view] [source] [discussion] 2023-06-13 15:25:22
>>Antony+Kd3
I suppose that makes sense if you get paid for upvotes. Stored XSS is probably just the lowest-hanging fruit; if they messed that up, I'd expect everything from CSRF, clickjacking, SQLi and more, and everyone has the incentive to look and exploit. They should probably get a thorough white-box review.
20. Wesoly+cM3[view] [source] [discussion] 2023-06-13 16:14:26
>>abhibe+Ti3
> The gateways I use don't, or at least give me the option not to.

They usually don't tell you they do. For example, both Stripe and Square use iFrames; otherwise it's not possible to hide credit card entry from your main application.

There are gateways that redirect you away and return you back after payment, but that's a whole other story.

replies(1): >>_madma+0D5
21. _madma+0D5[view] [source] [discussion] 2023-06-14 00:15:00
>>Wesoly+cM3
You're right, but it's worth noting that the iframes used today are better at hiding the fact that they're iframes. It's usually hidden behind an API call from a library that you import, and that doesn't affect your browsing history, or at least not as badly as those huge forms used in the past that would essentially replace the page you're on for the sake of paying.