Hackerface: Rapportive for HN

122 points| harscoat | 13 years ago |hackerface.com

63 comments

[+] jchung|13 years ago|reply
OP (or whoever authored the app), open your manifest.json file, go to line 20, and edit the permissions line to remove the all-domain permissions. Here are your current permissions:

  "permissions": [ "http://news.ycombinator.com/", "http://news.ycombinator.org/", "https://news.ycombinator.com/", "https://news.ycombinator.org/", "https://*/*", "http://*/*" ],

FTFY:

  "permissions": [ "http://news.ycombinator.com/", "http://news.ycombinator.org/", "https://news.ycombinator.com/", "https://news.ycombinator.org/" ],

I'm not going to read through all of your js to figure out what other domains you really need. Kudos on the idea -- I like it. Just not ideal to ship an app to this audience with the unnecessary security nail-biter during install. Fix and push and you should be good to go.

EDIT: Format
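
The check described in the comment above, as an added example that is not part of the original thread or the extension's own code: a small Node.js script that classifies each entry of the quoted `permissions` array, reports the all-host patterns behind the "data on all websites" prompt, and strips them. The function names and the expected-host list are assumptions made for illustration, and only `http`, `https` and `*` schemes are parsed.

```javascript
// Added example: audit host permissions in a Chrome extension manifest.
// Sample input: the "permissions" array quoted in the comment above.
const manifest = {
  permissions: [
    "http://news.ycombinator.com/", "http://news.ycombinator.org/",
    "https://news.ycombinator.com/", "https://news.ycombinator.org/",
    "https://*/*", "http://*/*"
  ]
};

// <scheme>://<host><path>; only http, https and "*" schemes are parsed here.
const HOST_PATTERN = /^(\*|https?):\/\/(\*\.[^\/*]+|\*|[^\/*]+)(\/.*)$/;

function classify(entry) {
  if (entry === "<all_urls>") return { entry, kind: "all-hosts" };
  const m = HOST_PATTERN.exec(entry);
  if (!m) return { entry, kind: "other" };      // API names such as "tabs"
  const host = m[2];
  if (host === "*") return { entry, kind: "all-hosts" };
  if (host.startsWith("*.")) return { entry, kind: "subdomains", host: host.slice(2) };
  return { entry, kind: "single-host", host };
}

// expectedHosts is an assumption: the hosts the reviewer believes are needed.
function audit(manifest, expectedHosts) {
  const results = (manifest.permissions || []).map(classify);
  return {
    allHosts: results.filter(r => r.kind === "all-hosts").map(r => r.entry),
    unexpected: results
      .filter(r => r.host && !expectedHosts.includes(r.host))
      .map(r => r.entry)
  };
}

// Drop every all-host pattern, keeping scoped hosts and API permissions.
function narrow(manifest) {
  const kept = (manifest.permissions || [])
    .filter(p => classify(p).kind !== "all-hosts");
  return { ...manifest, permissions: kept };
}

const report = audit(manifest, ["news.ycombinator.com", "news.ycombinator.org"]);
console.log("all-host patterns:", report.allHosts);
console.log("narrowed manifest:", JSON.stringify(narrow(manifest)));
```
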

[+] taskstrike|13 years ago|reply
The reason it needs all permissions is that some people have their own pages and the data is on there. So you might need permission to crawl those secondary pages for twitter and github (?)

At least I think that's how it works. I could be wrong.

[+] Timothee|13 years ago|reply
While I agree with your point, the extension will need permissions for all the sites it's contacting besides Hacker News (Twitter, LinkedIn, etc). I'm guessing Gwendall figured he might as well put a lax permission while developing to make it easy on him. It'd still be a good time to clean this up.
[+] mmahemoff|13 years ago|reply
hackerne.ws should also be whitelisted.
[+] olalonde|13 years ago|reply
On a related note, what is a quick way to view an extension's source code without actually installing it?
[+] terhechte|13 years ago|reply
I didn't install it, even though I like the idea, because it wanted access to 'data on all websites'. I don't know whether Chrome allows more permissive permissions (like only HN), but trust is a rare good and I wouldn't allow a random extension to see everything I browse to.
[+] randomchars|13 years ago|reply
It does allow permissions for specific sites. I'm not sure how it works; it might be needed so it can get the data from external sites.
[+] julien_c|13 years ago|reply
You can always read the extension's source to see what exact data it's using and where it sends it to.
[+] mullr|13 years ago|reply
Might want to dial back the requested permissions on the manifest, you're asking for access to 'data on all websites' right now.
[+] justindocanto|13 years ago|reply
Agreed on this.

Also just adding a comment to test this plugin out (requires hovering over a username)

[+] ges|13 years ago|reply
Gwen here, I am building hackerface. Didn't quite expect it to land here before I do some more testing but here it is! Re. the "all permissions" thing, it is required to circumvent the same domain origin policy since the plugin does a bunch of GET requests to external websites to find information about you. Working on improving the results and some nice new features right now.
[+] typpo|13 years ago|reply
Thanks for the great extension! My suggestion is to move extraction to your server, which would solve the permissions and same origin policy problems. We'd only have to give permission for your website, and as a bonus you can cache extraction for quicker results.
[+] robbiemitchell|13 years ago|reply
Hey Gwen, do you plan to enable people to correct the info? Somehow my account is being combined with someone else's stuff--the person who created the Tumblr theme that my personal website uses.
[+] heelhook|13 years ago|reply
Can't you embed the javascript in the DOM as a <script> and run jsonp from there in order to circumvent the same domain issue?
[+] styluss|13 years ago|reply
Is it easier to develop extensions for chrome than it is for firefox? I'm a firefox user and only find this kind of extension for chrome. Or are all the cool kids using chrome these days?
[+] fingerprinter|13 years ago|reply
I've developed extensions/plugins for both browsers. Chrome is way easier, but not as powerful. Firefox is much more obtuse, but also much more powerful.

In practice, I found developing for Chrome much more enjoyable. Developing for Chrome felt like modern development whereas developing for Firefox felt very heavy, verbose and overall frustrating.

[+] ollysb|13 years ago|reply
We've been using crossrider.com for our plugin. It lets you write the code once in javascript and then it packages the plugins for IE, chrome, firefox and safari. They've been out of beta for a while now so it's pretty solid. It's also free! (and no I don't work for them :) )
[+] lmm|13 years ago|reply
All the cool kids are using chrome. I believe it recently overtook firefox in overall marketshare too.
[+] pbiggar|13 years ago|reply
A good start, but I think it misses the things I like about rapportive. The most important thing in rapportive, IMO, is that you see a picture of the person you're responding to. That causes you to respond to a person, rather than just a "user" or "email address" - it forces you to acknowledge the person at the other end, and encourages empathy for them.

This should automatically tell me the person I'm responding to if possible, and show me a picture and context then. A picture (or gravatar) next to their username would also be cool.

[+] ges|13 years ago|reply
It does load the profile of the person you reply to automatically now (refresh your chrome extensions page).
[+] moeffju|13 years ago|reply
The script breaks on trying to view my own profile. The error is: "Uncaught TypeError: Cannot call method 'split' of undefined" in chrome-extension://daljejehnbbbhjlecjgafnnfgilbkdhj/script.mini.js:32

It also affects my userstyle for the topbar. Please don't break page styles :) Namespace your CSS.

Also, please fix your permissions as noted by jchung and others. I installed the extension only on my Chrome Canary because I was too lazy to check the entire JS for security problems (or malicious intent).

With some fixes however, this would be really nice to have.

[+] CWIZO|13 years ago|reply
When I try to look up myself all I get is "Found HN profile..." and that's it.
[+] citricsquid|13 years ago|reply
Same problem here, although I can find your profile now. I wonder if it's relying on an external service and it takes time to generate. Maybe my name will work in a few minutes.

edit: oh, maybe the problem is that the logged-in user's profile is different (inputs vs. display), and because it's fetching locally it's seeing the edit fields?

edit edit: I think that's it! I logged out and I can fetch my profile fine.

[+] artagnon|13 years ago|reply
Same issue here. I had to logout to see my own profile.
[+] olalonde|13 years ago|reply
Any plan to open-source this?

edit: After some digging I found this non-minified version on Github: https://github.com/Gwendall/hackerface/blob/gh-pages/script.... No license info though...

[+] jaddison|13 years ago|reply
Looks like that link has been taken down - the repo replaced by a newly initialized one.
[+] slajax|13 years ago|reply
He took the code down. Bummer. Would have really liked to update this so it works better with my other HN extensions.
[+] jenius|13 years ago|reply
Brilliant, this is exactly what I was after. Super interested in how this works!
[+] Timothee|13 years ago|reply
Very well done!

Besides the all-domain permissions which you might want to constrain a bit, I'd also remove the button which doesn't do anything. Chrome lets me hide it, but you could make me forego that step too.

[+] fredley|13 years ago|reply
It would be nice to have an easier way to view your own profile (I expected this when I went to my profile page, but it didn't happen).
[+] Xorlev|13 years ago|reply
Fancy, but as you may have discovered, blind link traversal is likely to come up with tons of really bad data. If you follow a Google Plus link, you'll inevitably get your own Google Plus information.

The company I work for does this as an API and I know the challenges behind it, so for a JS project, nice work!

[+] nicolethenerd|13 years ago|reply
Aha! That explains why for some users, I'm seeing them listed as having my own e-mail address.
[+] kingsley_20|13 years ago|reply
When I attempted to "facebook like" this page, the preview displays "Find MSN Hotmail Hacker, Cash Advance and more at Hackerface.com. Get the best of Debt Consolidation or Insu...". OP might want to fix that.
[+] instakill|13 years ago|reply
Quite cool, but when are you planning on changing the permissions?
[+] josegonzalez|13 years ago|reply
You should use localstorage to cache the results of your get requests.
[+] brianr|13 years ago|reply
Permissions issues aside, this is really awesome. Great work!
[+] yesimahuman|13 years ago|reply
Super cool, great job. I know I'll be using this extensively.
[+] ejpastorino|13 years ago|reply
I cancelled the installation when it asked for permission to access "your data on ALL websites". It would be great to limit it to news.ycombinator.com and just the sites it really needs to access. Why is it done this way?