Hacker News: ValCanBuild's comments

Hah, of course!


Oh god - I hope I don't have to write a follow-up to this. There are probably a bunch of other hidden firewalls I don't handle, but most often I've found 403 and 503 to be the most common.


Hey, OP here - I'm open to advice about how best to handle this! I'm currently just opening a new window and writing the HTML to it.

What's the safest way to handle this? Open it in an iframe?


Just look under this thread, I wrote one possible solution of using .innerText from a constructed DOM. (Or maybe open the window on another domain.) However @repiret may be right - a corporate proxy is already invasive enough, which means the users are already at the mercy of those.

But still, I'd go with safer practices. Even in the slightly unlikely case someone manages to hack a 3rd party (Stripe) and send your users arbitrary HTML for some period of time... :)


Thanks, appreciate the advice!


I've found often in my career that, sadly, learning things the hard way is usually the best way to remember the lessons.


Hey, me too! Thanks for writing up your experience and publishing it btw.

I think you did a great job cementing the "why"—usually this topic is very hypothetical. I also liked how you tied it to real end users. After all, that's who the internet is for!! [1]

My intention wasn't to criticize your post. I hoped my comment would help one or two readers recognize the underlying problem space a little sooner, which might help them learn a more broadly applicable lesson when the time comes.

[1] https://www.rfc-editor.org/rfc/rfc8890.html


Oh god this is horrible!

Yeah, I can't believe how stupidly locked down some of these networks are.

I once had an employer say they needed a "whitelist" of websites we wanted to visit instead of a "blacklist" of ones we shouldn't. That was an interesting day...


I had exactly this.

We run a SaaS and someone wrote an email saying that our server was down, and asking when we'd expect it to be up. Not having had a notification, I double checked from a couple of geographic locations that our application was indeed up and responding.

After a bit of investigation, it turns out that they have to whitelist every unique address with their corporate IT, and they had only whitelisted our primary client-app URL (which talks to a couple of different API endpoints), hence the strange error message.

It's been a long time since I've worked somewhere with whitelisting.


> We run a SaaS and someone wrote an email saying that our server was down, and asking when we'd expect it to be up. Not having had a notification, I double checked from a couple of geographic locations that our application was indeed up and responding.

A tale as old as time: https://www.youtube.com/watch?v=uRGljemfwUE


I actually deployed several "FireWall ToolKit" firewalls in the '90s for various organizations.

I still maintain one on an internal QA network.

It allows whitelists.

https://www.fwtk.org/

https://avolio.com/fwtk-history/

https://www.ranum.com/security/computer_security/editorials/...


I'm dealing with this now. The company got hacked and so now they are over the top, locking down everything to the point it's unusable. I told them the other day that the most secure thing they could do is just turn it all off.


I agree, it's not great but I guess it's the price we pay for how easy it is to take money over the internet nowadays.


I recently launched a product, called Thankbox.

The product idea is really simple - you can set up a Thankbox (like an online card) for someone and share it within your group of friends to put messages, images, gifs and cash in it. You then send it to the recipient.

We wanted to add a feature where the recipient could respond to everyone who had left messages on their card - a kind of "Thanks so much for your kind words" type thing.

We rolled it out to production. The first time it ran, it spammed everyone who had ever left a message on any Thankbox with the response. Luckily we had just launched and we didn't have that many users.

I thought it'd be a learning experience worth sharing, though, so I wrote up a Twitter thread about it to share my embarrassment as a learning experience.


Same thing is happening with the UK furlough scheme. Government is paying 80% of people's salaries while they're off work but some employers are actively defrauding the scheme and telling those people to work...


> And welcome to the frontend

Thanks! I can't believe it took me so long to embrace it haha.

Yeah, so anyone that adds a message to a Thankbox can leave their email in order to get a link to edit their message before the box is sent. This is optional - I really only aim to collect data that's necessary.

I'm currently working on a feature to allow the recipient to respond to everyone who contributed (if they left their email) which I think would address what you mention.

