HN Reader

The Poison Within Patriotism (renfoc.us)

1 points by rtrigoso 21s ago 0 comments

First bidirectional asymmetric frequency conversion in a single system (phys.org)

1 points by PaulHoule 23s ago 0 comments

Show HN: USDA-linked nutrition API from messy inputs (CLI/Python/REST) (nutrition.avocavo.app)

1 points by acriftphase 55s ago 0 comments

Fuse is 95% cheaper and 10x faster than NFS (nilesh-agarwal.com)

1 points by agcat 1m ago 0 comments

Show HN: PhantomWall – open‑source prompt‑injection firewall and telemetry (github.com)

1 points by phantomwall 2m ago 0 comments

Next slap in European Tech Sovereignty face? (reddit.com)

1 points by hek2sch 2m ago 0 comments

Yoke Kubernetes Package Manager (github.com)

1 points by gtirloni 2m ago 0 comments

Army developing new iterations of autonomous missile launcher (army.mil)

2 points by Bender 2m ago 0 comments

OpenAI's GPT-5 looks less like AI evolution and more like cost cutting (theregister.com)

1 points by rntn 5m ago 0 comments

Configuring GH Codespaces with UV/node + llm tool + free GPT4.1 w/$GITHUB_TOKEN (til.simonwillison.net)

1 points by indigodaddy 6m ago 0 comments

The AI boyfriend ticking time bomb (garbageday.email)

1 points by tempodox 6m ago 0 comments

DeepKit Story: how $160M company killed EU trademark for a small OSS project (old.reddit.com)

2 points by molszanski 7m ago 1 comments

The Houthis want to punish Israel. Filipino seafarers are bearing the cost (washingtonpost.com)

1 points by myflash13 7m ago 0 comments

The Software of Science (mirawelner.com)

1 points by mirawelner 8m ago 0 comments

Automagical JavaScript Programming (crtv.dev)

1 points by speckx 8m ago 0 comments

Out of the frying pan (dot dot dot) (fimfiction.net)

1 points by genderdoog 8m ago 0 comments

Show HN: AI Interoperability to the Max – The Intelligence Hub (theintelligencehub.azurewebsites.net)

1 points by Applied-AI-Dev 9m ago 0 comments

How Does a Blind Model See the Earth (lesswrong.com)

1 points by dannyobrien 9m ago 0 comments

Zapstore, Android app store powered by your social graph (zapstore.dev)

1 points by fiatjaf 11m ago 0 comments

The Secret HQ of Synchron, One of Neuralink's Biggest Competitors (pcmag.com)

1 points by walterbell 13m ago 0 comments

Show HN: Use AI to analyze GitHub profiles and repos, and their code (gitsage.dev)

3 points by adamthehorse 13m ago 0 comments

The Bidirectional Stream Processor: Why Pull Beats Push for Crash Recovery (blog.epsiolabs.com)

1 points by dkgs 15m ago 0 comments

We built a live scoreboard for developers. Now 1k+ devs are competing on it (entelligence.ai)

5 points by Arindam1729 16m ago 0 comments

Un-Exceptional US Stock Market Earnings? (elmwealth.com)

1 points by crcastle 17m ago 0 comments

Amazon Launches Same-Day Fresh Grocery Delivery in 1k U.S. Cities (wsj.com)

2 points by bookofjoe 18m ago 1 comments

First EV powered by a semi-solid-state battery cleared for sale (electrek.co)

1 points by dabinat 21m ago 0 comments

Show HN: FakeFind – Free Fakespot Alternative and Amazon Review Checker (fakefind.ai)

1 points by FakeFind 21m ago 0 comments

Job Listing Site Highlighting H-1B Positions So Americans Can Apply (newsweek.com)

4 points by walterbell 23m ago 0 comments

Doctors Were Worse at Spotting Cancer After Leaning on AI, Study Finds (gizmodo.com)

3 points by mikece 23m ago 0 comments

nfjdj

1 points by kwie 25m ago 0 comments

AI Is Different (antirez.com)

2 points by grep_it 25m ago 0 comments

Ask HN: Dotcom Stories

2 points by kwie 26m ago 0 comments

Google Play Store Bans Wallets That Don't Have Banking License (therage.co)

7 points by madars 28m ago 0 comments

Crypto Firm "Bullish" Surges 143% in Debut After $1.1B IPO (bloomberg.com)

1 points by petethomas 29m ago 0 comments

Pyx: A Python-native package registry, now in Beta (simonwillison.net)

2 points by amrrs 30m ago 0 comments

Che, Fidel and Christopher Columbus (english.elpais.com)

1 points by PaulHoule 30m ago 0 comments

How Silicon Valley can prove it is pro-family (thenewatlantis.com)

5 points by jger15 30m ago 0 comments

Data Center VXLAN Overlay Visibility at Scale (kentik.com)

2 points by oavioklein 31m ago 0 comments

PYX: The next step in Python packaging (astral.sh)

23 points by the_mitsuhiko 32m ago 13 comments

Ranking the 25 Top Venture-Backed AI Companies Growing Fast in 2025 (greenflagdigital.com)

1 points by josephjrobison 33m ago 0 comments

Show HN: Tool that helps you generate startup ideas people need (rkaching.com)

2 points by rokbenko 33m ago 0 comments

GPT 5?

1 points by stasElegant 38m ago 3 comments

What Happens When You Register a Domain (and Why Owning a TLD Is So Hard) (prashants.in)

3 points by prashantsengar 39m ago 0 comments

Dear Android Engineers (firebender.com)

2 points by kevo1ution 40m ago 1 comments

How to Marry a Silicon Valley Millionaire / Part 3: You Got Your Catch. Now What (sfgate.com)

1 points by jdcampolargo 41m ago 0 comments

Apple Plots Expansion into AI Robots, Home Security and Smart Displays (bloomberg.com)

2 points by throwfaraway4 43m ago 1 comments

US national debt reaches a record $37T, the Treasury Department reports (apnews.com)

9 points by atombender 44m ago 3 comments

The serverless compute to database connection problem, solved (vercel.com)

2 points by cramforce 44m ago 0 comments

We Hit 100% GPU Utilization–and Then Made It 3× Faster by Not Using It (daft.ai)

1 points by DISCURSIVE 44m ago 0 comments

29 years later, Settlers II gets Amiga release (gamingretro.co.uk)

40 points by doener 45m ago 8 comments

Cross-Site Request Forgery

28 tatersolid 4 8/13/2025, 5:31:08 PM words.filippo.io ↗

Comments (4)

akersten · 2m ago
I'm not really grokking the explanation in the article of why the SameSite cookie attribute doesn't fix CSRF. I thought that was the whole design intent of SameSite=Secure on an HTTPS cookie, was to fix CSRF. Can someone boil it down?

The article seemingly says "these cookies won't be sent with an unsafe request. But that doesn't fix it!" And doesn't elaborate?

MajesticHobo2 · 3m ago
Not sure I agree with this part:

> Allow all GET, HEAD, or OPTIONS requests.

> These are safe methods, and are assumed not to change state at various layers of the stack already.

Plenty of apps violate this assumption and do allow GET requests to alter state.

nchmy · 49m ago
i just discovered the Sec-Fetch stuff recently, due to Go 1.25's changelog. Very excited to start using it in some applications where tokens are currently used - what a hassle to deal with those.
jerf · 32m ago
Cookies have been truly horrible. I check in on them every couple of years, because I don't do a lot of front-end but when I do it's often security-sensitive, and every single time I check in on them there's some new entry in "SameSite; NoSeriouslySecureHarder; WhoopsTheLastStandardWasNotGoodEnough=BeActuallySecure; AwwShitDidWeGetItRightLastTime=false" parade of attributes you need to send to get actually secure cookies.

No shade on the people implementing this stuff, I understand the backwards compatibility concerns, but I mean, keeping up with this stuff is harder than it should be. And thanks to backwards compatibility most of it still defaults open, though browsers have pecked at that as they can.