return to table of content

Show HN: I saw this mind-blowing experiment, so I made a simple version of it

munch117
13 replies
21h52m

Am I the only one that's horrified that window.screenX and window.screenY exist? This is not information that I want to provide.

zer0kool
5 replies
20h23m

Sorry, i'm a little lost. I tried thinking about it, but I can't think of any nefarious attacks someone could do with screenX/Y. Why is that such a risk? What could they possibly learn from that other than screen size?

jackewiehose
2 replies
19h44m

Because fingerprinting. Shit like this is the reason you are supposed to use the Tor browser only with a tiny window.

spiderice
1 replies
18h32m

you are supposed to use the Tor browser only with a tiny window

I hadn't ever heard of this. Here is a statement from the Tor project for anyone else wondering what this is about:

We automatically resize new browser windows to a 200x100 pixel multiple based on desktop resolution which is provided by a Firefox patch. To minimize the effect of the long tail of large monitor sizes, we also cap the window size at 1000 pixels in each direction. In addition to that we set privacy.resistFingerprinting to true to use the client content window size for window.screen, and to report a window.devicePixelRatio of 1.0. Similarly, we use that preference to return content window relative points for DOM events. We also force popups to open in new tabs to avoid full-screen popups inferring information about the browser resolution. In addition, we prevent auto-maximizing on browser start, and inform users that maximized windows are detrimental to privacy in this mode
pixel8account
0 replies
7h49m

Fingerprinting by screen size is real. I've checked one day, and it turned out my browser viewport size when maximized is super unique (like <0.1% users unique). That's mostly because I use sidebery (tabs on the left instead of the top) and don't have a (visible by default) bookmarks tab, but wow I didn't expect to be so obvious for advertisers by just reading my page-usable screen size.

munch117
0 replies
19h25m

The fingerprinting potential may well be limited, but it's the principle of the thing: The browser should not provide unnecessary information about its surroundings.

It would be another matter if this was a very useful feature, but I don't think that it is.

Here's one use for it: Ads could sense that they are off-screen and withhold content until the ad is moved back in view. I could easily see screenX/Y being used for that. I mean, I hope not, but how am I going to stop it?

fyokdrigd
0 replies
13h47m

knowing where the window is, you can generate something the user will click on a known position and then at the right time you trigger something like an administrator escalation privilege confirmation dialog and the user clicks that instead.

click jacking is always fun.

progbits
2 replies
21h49m

Using the demo in https://developer.mozilla.org/en-US/docs/Web/API/MouseEvent/... it seems Firefox pretends the window is always at (0,0). So that's nice.

Cyphase
1 replies
18h50m

You likely have `privacy.resistFingerprinting` set to true.

fyokdrigd
0 replies
13h53m

as everyone should!

people forget lesson from recent past. i don't know when google strong armed w3c to include this back... but we had this since ie4 days and then disabled everywhere since it was abused left and right for click jacking attacks.

Andrews54757
2 replies
21h38m

Yep. There are some ridiculous web APIs out there that expose all sorts of things you'd think should remain private. Take the Battery Status API for example [1].

[1] https://developer.mozilla.org/en-US/docs/Web/API/Battery_Sta...

geoelectric
0 replies
20h26m

IIRC, that one and a number of other lower-level “WTF” APIs were introduced for Firefox OS. They made a little more sense in the context of providing an interface for mobile phones using the browser stack.

david_allison
0 replies
21h20m

This would be useful in WebXR (given opt-in)

xeckr
0 replies
21h47m

I just checked, it is possible to override them, which causes them to stop updating when you change the your window's location on the screen.

Filligree
13 replies
18h22m

But… why does it lag? Shouldn’t this be trivial enough to be instant?

taberiand
5 replies
16h50m

Probably because of websocket network lag and also, in my anecdotal experience, window position updates are sometimes strangely jittery

mrits
4 replies
16h15m

Why is it over a websocket? Can't it just share local data?

EGreg
1 replies
16h6m

those were my thoughts too

You can use Broadcast Channels as well as Service Workers, even WebRTC would use a loopback interface!

Zecc
0 replies
1m

This ought to work across different browsers though, for what it's worth. But ultimately it's just a fun experiment.

trevor-e
0 replies
13h25m

It says so right in the OP

The original work by Bjorn Staal used localStorage, but I found sockets more fun, because if tweaked a bit, this can be shared with friends.
raincole
0 replies
16h6m

I might be wrong, but I think the point is to simulate a server-client architecture (to show that it works even for an actual web app).

bawolff
4 replies
18h5m

I wonder if it would be more instant if they used postMessage api instead of going over network.

4death4
1 replies
13h44m

Any local network usage should be nearly instantaneous.

My personal theory about the lag is that positioning the window is not synchronized to the JS thread, so the window moves before the JS thread is aware, which means you see the square move after the window has already moved.

bawolff
0 replies
3h10m

Ah, my bad. I didn't read the code and just assumed there was a far away server.

rco8786
0 replies
13h12m

Going over local network is more or less instant

crabmusket
0 replies
11h53m
akdor1154
0 replies
12h32m

Background windows/tabs getting a lower priority maybe a factor.

Geee
0 replies
9h38m

Querying window position is laggy unfortunately. It's a browser feature.

jocaal
8 replies
21h15m

The available API's on the web are very questionable. Feross has a web security lecture series on youtube where he showed off the following abomination. Enter at own risk.

https://theannoyingsite.com/

lgats
4 replies
21h12m

warning, this is really annoying. imagine you're infected with a ton of adware in the early 2000s you will be logged out of many accounts

here's someone testing it out on Windows a few years ago, but I assure you even in the latest chrome on mac, it's at least as bad https://youtu.be/estvbRSj4LU?si=gq6-l4pWLC9yXqap&t=109

dylan604
2 replies
20h32m

Why would you keep minimizing things instead of closing them? The video just looks like one of those meant to frustrate the viewer into wanting to do it themselves. I blame the creator of that video as much as the site itself. The site itself served a purpose. The person running that video has a much less clear motive

bbarnett
1 replies
19h58m

I think if you close a window, another pops up. Or two.

You should go to this site and test this.

dylan604
0 replies
17h56m

It spawned an app outside of the browser. That's the window being minimized that I meant. I'm not an unawares person to the site's purpose. You're being a bit disingenuous with your reading of my comment

PakG1
0 replies
19h50m

I tried it on Safari private window. It was absolutely horrible. I hesitate to guess what would have happened if I didn't keep clicking cancel whenever it asked if I wanted to allow downloads, etc.

derangedHorse
0 replies
12h46m

holy shit, I was not expecting that LOL

CrimsonRain
0 replies
12h3m

It lived up to its name for sure!!

38
0 replies
17h32m

uBlock Origin has prevented the following page from loading:

    https://theannoyingsite.com/
Because of the following filter:

    ||theannoyingsite.com^$document
Found in:

    uBlock filters – Badware risks

vunderba
6 replies
18h47m

That's a great demo! I'd be curious to see how this would work with multiple monitors.

Also, thank you for voluntarily acknowledging that you were directly inspired by somebody else and giving them credit - the software industry could use more people like you.

stavros
5 replies
16h31m

What, thieves?

Make your stuff from zero, like the rest of us!

zxexz
4 replies
14h21m

Pretty sure this is tongue-in-cheek, given the commenter (pretty high profile dev who creates a lot of cool stuff and does not shy away from using other open source code!) :)

stavros
2 replies
7h41m

Aw I thought it would be obvious :( Thanks for clarifying, of course nobody makes anything without being inspired from something that already existed, at least to a degree.

I guess it's hard to accurately convey sarcasm online, thanks again!

bipson
0 replies
51m

Standing on the shoulders of giants

Sirizarry
0 replies
3h12m

No worries, it was pretty obvious to me

kh0st
0 replies
12h24m

that was super cool of you. Before letting people make the incorrect assumption, you hit em off at the pass. good people right there

bionhoward
5 replies
22h40m

Wow this seems profound, I didn’t even know you could do that, that could be the future of augmented reality if you think about it, layers! Great job!

simbolit
2 replies
22h32m

Could you please expand on your "if you think about it"?

bionhoward
0 replies
4h59m

sure, if you think about the long term usage of augmented reality then we will need to have multiple layers of content {rationale=because we need to focus on one thing in the context of multitasking, because we want to reskin the environment while still maintaining the content, and to avoid unsafely obscuring the field of view during ambulation and manipulation tasks}

Takennickname
0 replies
21h47m

Spoiler: he didn't.

jonhohle
1 replies
22h8m

Is it really different from any multiplayer game? Two view ports, shared coordinates, independent renderers. The “trick” is that the view ports are overlapping, but I would imagine sendMessage might be faster and not require any server round trip.

bionhoward
0 replies
4h58m

I was just trying to be nice, sheesh. happy holidays

placebo
4 replies
21h55m

made something similar 14 years ago...

https://youtu.be/bEwsuWNxdno

domain isn't mine anymore...

whenlambo
2 replies
20h1m

What API allowed that back then?

worldsayshi
0 replies
16h40m

I don't see what is technically new about this? What API has been missing to do this?

Tcp and window.screenTop and screenLeft should get you there right? Hmm, yeah, 2008 is a long time ago though..

placebo
0 replies
19h48m

It was an API I developed using ActiveX on Microsoft's Internet explorer and NPAPI on other browsers

HatchedLake721
0 replies
21h4m

Oh wow, from December 2008.

Here's to no one trying to patent it now!

andybak
4 replies
21h48m

The original seems to be on LinkedIn. Does anyone else find it weird when geek content is posted to LinkedIn? It's the last place I'd think to look. Am I missing out or is this an outlier?

zerojames
1 replies
21h44m

I work in computer vision and like hearing about the latest thing. I have been finding LinkedIn increasingly useful as a way to learn about machine learning.

There are _a lot_ of posts that I have to scroll through of little to no value, but every so often I see a post by Yann LeCun or the lead developer advocate at TensorFlow or a paper someone has liked that catches my eye or a new model release.

"Machine learning LinkedIn", as it were, is a real thing; not sure whether this applies to other disciplines.

Geee
0 replies
9h30m

Yann posts mostly on X.

pixel8account
0 replies
7h46m

I've recently started posting my content on LinkedIn (usually just linking to my blog or publication with a short explanation). Main reason is that I'm a bit unhappy with the new Twitter (a place where I used to share the most), approximately nobody reads Mastodon so I can't stop there, and all least I already have LinkedIn so it's low cost to share there.

cpach
0 replies
21h44m

For sure. It’s approximately the first time I’ve seen something like that on LinkedIn.

no_time
3 replies
21h50m

W-why is window LOCATION exposed to websites? Apparently even in FF private browsing...

At first I thought this is an electron only thing. I get it that we gave up on fingerprinting resistance but this is like pissing on it's grave.

EDIT: privacy.resistFingerprinting set to true fixes the coords to 0

thayne
0 replies
17h54m

On Wayland, a native window can't even get that information. At least not in a way that works across composiotors.

crazygringo
0 replies
21h26m

I'm as surprised as well.

I'm trying to guess why, and can only imagine that at some point the idea was to support multi-window webapps, like maybe you'd have separate windows for documents and different tool palettes, and they'd want to know each other's locations to try to prevent overlaps? I mean, back in the day, framesets were another idea that experienced some popularity before being totally eclipsed by <iframes> -- all of this back in the era when everything was based on the multiple-windows paradigm rather than the multiple-tabs paradigm. Window.screenLeft apparently originated in IE [1].

Just a guess though. Very curious if there's any legitimate reason for it to continue to exist, or whether W3 ought to deprecate it.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Window/scre...

a_wild_dandan
0 replies
21h34m

I thought you meant literal `window.location` and was confused, but yeah `window.screenX/Y` is a pretty suspect feature, now that you mention it.

mholt
3 replies
22h41m
burcs
1 replies
18h48m

I had some fun doing some SQL joins with this:

https://twitter.com/burcs/status/1728081692273823863

worldsayshi
0 replies
16h50m

Okay this one is actually cool. I'm hoping it's not totally one-off scripted but it's fun either way. :)

Kiro
0 replies
21h6m
butz
3 replies
20h48m

I'm wondering about practical application of this demo...

worldsayshi
0 replies
16h37m

Maybe making colour mixing ven diagrams?

sntran
0 replies
15h26m

I have always been fascinated by those sci-fi movies in which a person would swipe up on their tablet, and the current window would fly to another monitor.

This maybe be something that can achieve that.

bartvk
0 replies
8h23m

It would not surprise me if the original practical application is long gone, but it's now used to fingerprint browsers for ad serving purposes.

heavyset_go
2 replies
9h34m

The original work by Bjorn Staal https://twitter.com/_nonfigurativ_/status/172732259457002734 used localStorage, but I found sockets more fun, because if tweaked a bit, this can be shared with friends.

Anyone have a link to what this was? The tweet is gone.

kpandit
0 replies
9h18m

He gives the link on GitHub but here it is (video) https://www.linkedin.com/feed/update/urn:li:activity:7133171...

iamateapot
0 replies
8h47m
aylmao
2 replies
12h42m

I'm old enough to remember a bunch of demos using window position/dimensions from back in the day. I remember one with a physics simulation. I can't remember if it was liquid or just a bunch of solids, but you could drop things from one window to the other.

IIRC you don't even need the sockets. One can simply use message channels between the windows. If a window opens child window, iirc it has special access over it (I say special, because usually different tabs/windows are isolated from one another) which might make a local-only version easy to implement too.

unfunco
1 replies
11h45m
aylmao
0 replies
11h7m

Ah yeah! Browser ball is a classic!

adroitboss
2 replies
21h50m

Two more examples of multiple windows as a single unit. This time on the video game side.

(Ludum Dare 35 Overall Winner) WindowFrame: https://youtu.be/CY7NUHn6GQg?t=273

Window Kill: https://youtu.be/7iP68FZWVxM?t=160

throwaway7679
1 replies
17h33m

Metal Marines, a 1993 game with multiple windows that interact with each other: https://youtu.be/KiiAUP1fG14?t=297

adroitboss
0 replies
2h20m

Thanks! I am adding this one to my list!

Agingcoder
2 replies
18h27m

Could someone explain what this means ? ( I’m not even sure I understand the gif on the GitHub page ) I just see windows seemingly sharing data.

et-al
0 replies
15h50m

The core of the trick isn't the window-window communication as much as using browser APIs to expose the window coordinates.

NL807
0 replies
17h15m

I think it's some kind of multiple client, single server setup. The windows are the individual clients, which pass screen geometry info to the server. The server then serves content to clients with different layout that makes content appear as a single object across multiple windows.

ww520
1 replies
20h1m

That's a fun use of LocalStorage.

I used the same LocalStorage sharing technique to update the target window when the setting had been changed on a separate browser window. Just listen for the storage.onChanged event for the update.

abid786
0 replies
16h31m

I don’t think this is using local storage. There’s a web sockets based server that is sending clients the location of the other boxes as they are moving

sprobertson
1 replies
19h31m

Might as well link to the original / "stolen from" author's equivalent demo with Three.js (open this in multiple overlapping windows) - https://bgstaal.github.io/multipleWindow3dScene/ - and repo - https://github.com/bgstaal/multipleWindow3dScene/

jdthedisciple
0 replies
6h8m

3 days old, twitter one seems 4 days old, who stole from who?

Anyway nice repo, thanks for sharing!

rtcode_io
1 replies
22h22m

Use BroadcastChannel; you don't need no sockets

https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_C...

bigyikes
0 replies
22h3m

Nice, my first thought was to use LocalStorage. Didn't know about BroadcastChannel.

Sounds like OP wanted to use sockets for fun though.

The original work by Bjorn Staal used localStorage, but I found sockets more fun, because if tweaked a bit, this can be shared with friends.

Who among us hasn't overcomplicated things for fun? :)

p-nerd
1 replies
18h43m

Really great. The web is really going forward

bottled_poe
0 replies
12h52m

Seems like this was all possible 10+ years ago with existing APIs at that time. I don’t see what’s so special tbh.

kaycebasques
1 replies
22h4m

Very cool. What's the working title for this interface / experience?

system2
0 replies
18h1m

LocalStorage API.

gmueckl
1 replies
21h13m

Does this work on Wayland?

HellsMaddy
0 replies
17h12m

Tested on Sway with both Firefox and Chromium. Resizing works (no surprise) but the position doesn't work. window.screenX/Y always return 0.

doctorhandshake
1 replies
22h53m

Cool! Feels like whichever window has focus, that window’s rectangle should draw on top.

benj111
0 replies
19h25m

Isn't that just to illustrate that it isn't just transparency?

sshh12
0 replies
18h56m

Reminds me of a cool demo of this for playing pong with browser windows http://stewd.io/pong/

oniony
0 replies
7h36m

I love stollen. It's one of the few aspects of Christmas I actually look forward to.

nikeee
0 replies
14h40m

You can use a BroadcastChannel to send messages between the Windows directly. This should reduce latency when working locally.

jakegmaths
0 replies
9h57m

Here's something similar I made yesterday. Just view source of the controlling page and the pop-up pages for how it works (single page with inline vanilla JavaScript and no npm install nonsense). Just uses postMessage(). https://cms-compsci.deno.dev/mrgordon/window/

itronitron
0 replies
21h8m

This, or something similar, would be nice for managing layers in a paint program such as Krita, Inkscape, or Gimp. Could be implemented simply as tabbed panes within the encompassing application window, and whatever tab is selected is the layer that is active for the editing actions.

hot_gril
0 replies
21h0m

This reminds me of a project I did in school, a multi-user web browser. You could both control the same window's size, scroll position, and other state on each other's screens. The intended usage was having 2+ windows side by side.

hoosieree
0 replies
17h34m

what fresh pop-up/pop-under hell even is this?!? I specifically asked for not that

faloppad
0 replies
10h19m
bdcravens
0 replies
13h47m

Love how simple the code is, with almost no external dependencies

awei
0 replies
17h37m

I love the concept and the demo! Amazing creative work

arshxyz
0 replies
8h19m

The devs behind tldraw also played with this to create something cool - https://twitter.com/steveruizok/status/1727625036159234555

amelius
0 replies
5h31m

The mind-blowing part is not that this works, but that it is secure.

aantix
0 replies
22h35m

Or a postMessage could be used if one tab is opened from the other.

Simran-B
0 replies
8h5m

If you like this, you might also enjoy WindowKill, a video game similar to Asteroids that cleverly uses windows that can overlap and interact with each other.

You need to shoot at the window boundaries, too, or the window shrinks. Additional windows appear later in the game with boss enemies.

Gameplay video: https://youtu.be/7iP68FZWVxM

38
0 replies
22h54m