[Hacker News repost] Gaining access to any browser without visiting a website
-
Title: Gaining access to anyone's browser without them even visiting a website
Text:
Url: https://kibty.town/blog/arc/
Post by: xyzeva
Comments:
water-data-dude: I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It's one of those fun, whimsical little touches that I don't see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be :)
bhaney: There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed. This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.
ko_pivot: This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route. On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
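To make ko_pivot's point concrete, here is an added example (not from the article and not Arc's actual rules) of a Firestore security rule for a record collection that accepts whatever userId the client sends, beside one that pins the field to the authenticated uid on both create and update. The collection name `boosts` and the field name `userId` are assumed for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak: any signed-in user may write any document, including one
    // whose userId field names a different user. Nothing ties the
    // record's owner to the caller, so ownership is client-controlled.
    match /boosts_weak/{boostId} {
      allow read, write: if request.auth != null;
    }

    // Hardened: ownership comes from request.auth.uid, never from the
    // payload. On create the new document must name the caller; on
    // update the existing document must already belong to the caller
    // AND the new contents must still name the caller, so userId can
    // neither be forged nor reassigned to someone else.
    match /boosts/{boostId} {
      allow read: if request.auth != null
        && resource.data.userId == request.auth.uid;

      allow create: if request.auth != null
        && request.resource.data.userId == request.auth.uid;

      allow update: if request.auth != null
        && resource.data.userId == request.auth.uid
        && request.resource.data.userId == request.auth.uid;

      allow delete: if request.auth != null
        && resource.data.userId == request.auth.uid;
    }
  }
}
```

The update clause checks both `resource.data` (the stored document) and `request.resource.data` (the document as it would be after the write), which is the check that closes the "change the owner to someone else" case a hand-written API would never expose in the first place.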
supriyo-biswas: Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase. Also, for anyone trying to read the article, they should put /oneko.js in their adblocker.
imglorp: OP is talking about the Arc browser, not the Arc language, the Arc "Atomic React" project, or any of scores of other projects with that name.