happy normal thursday of no consequence! as far as we know, nothing else is happening today. just a normal thursday the 20th.
big week this week! jae’s health has been Steadily Improving and so we actually shipped some shit! but first: news on a New Feature, a eulogy for a longstanding bug, and a conclusion to its bounty.
two-factor authentication is going live tomorrow!
two-factor authentication is finally, actually, for real going to ship tomorrow. you’ll be able to find it in your user settings. there’s a note at the bottom of the post for people running bots. if that’s you, read it. if it’s not, don’t read it. or do. whatever.
RIP the CORS image upload bug (we think)
first off: despite firefox claiming this was a CORS problem, it actually wasn’t. thanks to actionable information from @drewbabe, we determined the true cause: poorly constructed URL block lists.
for performance, we upload images directly to our storage provider (Digital Ocean Spaces, an S3-compatible service operated by not-Amazon) instead of routing through our servers on the way. for legacy reasons related to how cloudflare worked, we had to upload straight to Digital Ocean’s domain instead of using one we control.
one of the popular anti-phishing lists available in a number of ad blockers (uBlock Origin, AdGuard, Pi-Hole) consumes a bunch of upstream blocklists, strips the path off of them, and blocks the entire hosting domain. this is Bad because these upstream blocklists are specifically designed to block only a single URL, not an entire domain. to put it another way, the lists are designed to include no false positives — and as a result there’s no way to get a URL off of them — but because of how they’re being consumed, the version you can add to your ad blocker blocks a large number of false positives.
that big list of false positives included three different regions at Digital Ocean, one of which is the one we used (SFO3). for some reason, when this was tripped, firefox reported it as a CORS error, which made discovering the true issue impossible for us.
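an added example, not part of the original post and not the list maintainers' code: it contrasts exact-URL rules with the path-stripped host rules described above and reports how many unrelated requests each host rule catches. all hosts, paths and function names are constructed placeholders, and host matching is simplified to exact equality.

```python
from urllib.parse import urlsplit

# constructed upstream entries: each one names a single URL (hosts are placeholders)
UPSTREAM = [
    "https://sfo3.objectstore.example/bucket-a/login.html",
    "https://phish-only.example/verify/account.php",
]
# constructed browser requests to evaluate against both forms of the list
REQUESTS = [
    "https://sfo3.objectstore.example/bucket-a/login.html",      # the listed URL
    "https://sfo3.objectstore.example/site-uploads/image.png",   # unrelated tenant
    "https://SFO3.objectstore.example/other-tenant/avatar.jpg",  # unrelated tenant
    "https://cdn.site.example/uploads/image.png",                # own CDN domain
]

def key(url):
    """(host, path) for exact matching; urlsplit lowercases the hostname."""
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/"

def url_rules(entries):
    """the list as upstream intends it: one rule per exact URL."""
    return {key(e) for e in entries}

def host_rules(entries):
    """the lossy conversion: strip the path, keep only the hosting domain."""
    return {key(e)[0] for e in entries}

def false_positives(requests, entries):
    """requests the host-level list blocks but the URL-level list allows."""
    urls, hosts = url_rules(entries), host_rules(entries)
    return [r for r in requests if key(r)[0] in hosts and key(r) not in urls]

def overblock_report(requests, entries):
    """per blocked host: listed URLs behind the rule vs. collateral requests."""
    collateral = false_positives(requests, entries)
    report = {}
    for host in sorted(host_rules(entries)):
        report[host] = {
            "listed_urls": sum(1 for e in entries if key(e)[0] == host),
            "collateral": sum(1 for r in collateral if key(r)[0] == host),
        }
    return report

if __name__ == "__main__":
    for host, row in overblock_report(REQUESTS, UPSTREAM).items():
        print(host, row)
```

a host rule with few listed URLs and a lot of collateral traffic is the shared-hosting case from the post: one bad object on a storage domain takes every other tenant's uploads down with it.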
we now route image uploads to our CDN domain (something we can do because of how fastly works vs. how cloudflare works) so we shouldn’t get blocked again by this list.
an aside: if you’re using this phishing filter list (“Phishing URL Blocklist” in uBlock Origin), it’s broken in such a way that it’s probably breaking a lot of stuff silently. you can keep it on if you want, but if a lot of the web has been subtly broken since you started running an ad blocker, this might be at fault.
we think this was the only issue, but if you’re still seeing problems please let us know.
ran into the cors thing earlier at the end of a long medical form.
"submit" didn't work.
console had cors preflight failure, indicating that some random salesforce domain was blocked. checked network tab, and the OPTIONS request to that domain was blocked, which meant that the CORS request couldn't go through, which meant that form submission to the random other domain was broken.
in the end, I had to disable firefox's privacy protection thing and refresh the page, and redo the form. oops!




