Yokohiii a day ago

> I'm guessing that a lot of cynicism here is coming from

...the fact that CF just dumps tokens to generate some slop to compete with the single biggest web platform and casually adding a vendor lock in. It's just buzz, an inexpensive attempt to grab a valuable market share.

If you set security as a selling point for EmDash, then I am baffled. The WP lock file has 30k lines, the brand new EmDash has 16k lines, but it's LESS verbose YAML. JS is the cornerstone of anti-security that WP couldn't dare to compete with. The plugin isolation is also bogus, WP plugins are insecure because they have all access to everything, but they need at least some, mostly DB, how is that even solved? Isolation does shit there.

I am not a fan of WP, but CF doesn't even try to get this right.

thedevilslawyer a day ago | parent [-]

Frankly, you're wrong. This is a fundamentally better plugin architecture than WP, and if you can't see it, then it's your understanding of security that's not right.

Yokohiii a day ago | parent [-]

If you have arguments, then make them. This is just saying stuff for the sake of it.

thedevilslawyer a day ago | parent [-]

The post literally does that. It talks about how plugin access to core is handled. So to be explicit: if you don't see that as a very significant security improvement over WP's open world, then it may help to understand why. The post also talks about WP ecosystem downside due to this.

Yokohiii a day ago | parent [-]

  | "network:fetch" // ctx.http is available (host-restricted via allowedHosts)
  | "network:fetch:any" // ctx.http is available (unrestricted outbound — use for user-configured URLs)
  | "read:content" // ctx.content.get/list available
  | "write:content" // ctx.content.create/update/delete available
  | "read:media" // ctx.media.get/list available
  | "write:media" // ctx.media.getUploadUrl/delete available
  | "read:users" // ctx.users is available
  | "email:send" // ctx.email is available (when a provider is configured)
  | "email:provide" // can register email:deliver exclusive hook (transport provider)
  | "email:intercept" // can register email:beforeSend / email:afterSend hooks
  | "page:inject"; // can register page:fragments hook (inject scripts/styles into pages)
Those are the plugin capabilities. I have no clue how it could replace any serious WP plugin. Of course it's secure ;)
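
For readers following the thread, here is a sketch of the host-side gating that a capability list like the one quoted above implies. It is an added example, not EmDash's code and not something any commenter posted. The capability strings, the `ctx.*` members and `allowedHosts` come from the quoted list; `buildContext`, the manifest shape and the `core` stubs are hypothetical.

```javascript
// Hypothetical host-side stubs standing in for the CMS core (constructed).
const core = {
  content: {
    get: (id) => ({ id, title: "constructed post" }),
    list: () => [{ id: 1 }],
    create: (doc) => ({ id: 2, ...doc }),
    update: (id, doc) => ({ id, ...doc }),
    delete: (id) => true,
  },
  fetch: (url) => `fetched ${url}`, // stub, performs no network I/O
};

// Build the ctx handed to a plugin. Deny by default: a member exists on ctx
// only if the manifest declares the matching capability.
function buildContext(manifest) {
  const caps = new Set(manifest.capabilities);
  const ctx = {};
  const content = {};
  if (caps.has("read:content")) {
    content.get = core.content.get;
    content.list = core.content.list;
  }
  if (caps.has("write:content")) {
    content.create = core.content.create;
    content.update = core.content.update;
    content.delete = core.content.delete;
  }
  if (Object.keys(content).length) ctx.content = Object.freeze(content);

  if (caps.has("network:fetch:any")) {
    ctx.http = Object.freeze({ fetch: (url) => core.fetch(new URL(url).href) });
  } else if (caps.has("network:fetch")) {
    const allowed = new Set(manifest.allowedHosts ?? []);
    ctx.http = Object.freeze({
      fetch(url) {
        // Parse first, then compare the exact hostname (no substring match).
        const { hostname, href } = new URL(url);
        if (!allowed.has(hostname)) throw new Error(`host not allowed: ${hostname}`);
        return core.fetch(href);
      },
    });
  }
  return Object.freeze(ctx);
}

// Constructed manifest: a read-only plugin allowed to call one API host.
const ctx = buildContext({
  capabilities: ["read:content", "network:fetch"],
  allowedHosts: ["api.example.com"],
});
```

With this manifest the plugin can read content and reach `api.example.com`, while `ctx.content.create`, `ctx.users` and every other host are simply absent or rejected.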