Comment by dang
5 years ago
I'd love to do that just by offering people a CSS blob that we could inject into their CSS when they browse HN. Our original idea (actually kogir's idea from back in 2014—he's a forward-thinking guy) was that people could create skins this way, if that Winamp-era term isn't too obsolete by now, and share them.
However, someone who is plugged into Reddit told me that they used to allow user-defined CSS for customizing subreddits and had to roll it back because of security issues. They built an entire customization UI instead. That scared me off the idea.
My fear with a customization UI—the HN equivalent of which would be profile settings, as you indicate—is that it would get way too complicated too quickly. How many additional settings would we need?
If someone can define a not-too-complicated set of profile settings which, when filled in to taste, would solve people's dark-mode concerns, I'm all for it. We could even make a separate editor page for it and link to that from the profile. The other constraint is: for each setting, the input format would need to be simple to sanitize (e.g. 'valid hex color'). Otherwise we just create the security issue all over again, only with a shitty nonstandard application-level CSS editor instead of standard CSS.
Reddit's user CSS was different, mods could edit it on subreddits and all visitors would receive it. On HN you'd only get the CSS you've set yourself, so there shouldn't really be a security concern (except for CSRF attacks against the settings form I guess).
Thanks—that's an important clarification, and maybe is the thing to do after all.
Not so fast! Just because the CSS is only served to the authenticated account which installed it doesn't necessarily mean things are 100% okay.
There could be cross-site scripting attacks whereby the user clicks on something evil in a malicious site which attacks that user's HN authenticated session by installing some malicious CSS in their profile. The UI could require a confirmation of the account password for updating any security-sensitive properties.
Users could also shoot themselves in the foot with bad CSS. The obvious fix for that is that the profile settings page itself doesn't inject the CSS, or there is a safe variant of its URL which doesn't inject CSS.
1 reply →
I would really like to see this: maybe release a "submit CSS blob" feature first and then, in a couple months, have a competition to pick the best style sheet?
>If someone can define a not-too-complicated set of profile settings which, when filled in to taste, would solve people's dark-mode concerns, I'm all for it
I posted a possible solution in another comment here[0]. You would have to write a separate dark theme, and there would be a single option to select it in the user panel. The data is literally just an integer pointing to an index in a whitelist of css filenames, and any errors would default to displaying the existing stylesheet.
[0]https://news.ycombinator.com/item?id=23198711
I previously customized HN a bit via my own CSS additions, with the Stylus browser extension. Personally I think that's a more feasible route for personalization than an interface for that on the site itself. However, there's a problem that HN's HTML layout doesn't lend itself to CSS work: you end up describing elements in terms of ‘a div two items down from the one embedded in that thing’, instead of just using classes. Sprinkling around some classes might be something to look at, for providing users the ability for customization. This should be pretty safe. I'd also say that the structure could be more semantic—but that may break browser extensions and similar existing customization.
P.S. I hurried to this thread because I noticed that the ‘collapse comment’ links became larger on my phone and I can finally hit them on the first try. Thanks to whoever did that, sincerely! Though personally I'd encourage you/them to make the link three times wider still, to take away even more effort. Dunno if it's much visual noise to others, but at least I don't think it encroaches on other elements.
Btw, another hopefully-not-controversial change that I would make is to have the post text black, not gray. It's a pretty important element, isn't it? So it should have high contrast and be readable.
The post text is light grey to discourage use of text-only posts, rather than links. HN is primarily a discussion forum centred around links to external content, and I think the site owners/maintainers want to keep it that way.
I would love to be able to define my own CSS that simply replaced the site’s settings, not just for dark mode. It would let me make changes that would be extremely useful to me.
For example, I’d hide the “hide” links on the main page. I’m sure some people love that feature, but I’ve only ever used it accidentally (fatfingering on mobile).
I’d add a bunch of additional hiding CSS. I’ve long wanted a “helps-me-respect-my-time” version of HN, where voting buttons, flag links, reply boxes, and reply links are all hidden.
This was, in fact, the original point of css. You're supposed to be able to add your own user-defined styles to "the cascade". Unfortunately modern browsers don't really implement this right and you're stuck using weird 3rd party plugins to accomplish this.
I think background color and text color options with inverted voting arrows (as suggested elsewhere in this thread[0]) would be enough for most people.
What.cd used to let you put a url in your settings that was injected as the stylesheet while you were logged in. This approach would let people publish and share themes--though shared themes could be a (pretty visible) security concern.
I remember also running into issues trying to use non-https-served stylesheets since the site was https and browsers balked.
[0] https://news.ycombinator.com/item?id=23199725