this post was submitted on 09 Apr 2024
36 points (87.5% liked)

Programming

17313 readers
102 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 12 points 7 months ago

Saving this for when people try to claim that naming things isn't important!

Also that is clearly a security issue. Anyone who tries to claim otherwise is forgetting that humans exist. Though I suspect they were just trying to avoid admitting fault and doing work. Disappointing either way.

[–] [email protected] 6 points 7 months ago (1 children)

My takeaway from this is to use CSP to minimize your reliance on others doing things intelligently. And that Datadog is not doing things intelligently at the inconvenience of their consumers.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

[–] [email protected] 4 points 7 months ago (1 children)

Unfortunately, retrofitting CSP on an existing site can be nightmare, especially if you have external dependencies. At my job, we spent months trying to enable CSP on one our oldest sites, but ultimately gave up because one of our dependencies won't work unless we added "unsafe-inline" everywhere, which kinda defeats the whole point of CSP.

[–] [email protected] 2 points 7 months ago

Having something is better than nothing! In our case, having connect-src enabled would have avoided the incident.

[–] [email protected] 4 points 7 months ago

I can't find the adjective to use for datadog's documentation, but I wouldn't call it good. It seems like it's written by different teams but every team writes everybody's documentation. There's no section just for a single team and nothing feels coordinated.

Anti Commercial AI thingyCC BY-NC-SA 4.0

[–] bigredgiraffe 2 points 7 months ago* (last edited 7 months ago) (1 children)

I mean sure but that’s a lot of words to say “I didn’t read the directions and no one caught it in a merge request review because no one else read the directions either.”

Their documentation and examples are pretty easy to read and the site parameter is explained in the getting started guide and even linked from the readme for the JavaScript sdk, and in lots of sample configurations so I’m not sure how this made it into a release and then no one noticed the missing metrics for eleven days, sounds like lots of issues in that shop.

The behavior of the sdk isn’t great but the proposed solution wouldn’t work because you can use custom endpoints for all of the components using endpoints on domains you own anyway.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

Not sure what you're referring to by "custom endpoints" - if you are a normal Datadog RUM user you can only ever send data to one of the several "sites". There's nothing customizable.

[–] bigredgiraffe 1 points 7 months ago (1 children)

That is what I’m saying, that SDK covers more than just normal users.

[–] [email protected] 3 points 7 months ago

So what part of the proposed solutions "wouldn't work"?