• oopsallnaps@piefed.ca · 12 upvotes · 1 month ago

    iirc Apple Music's web UI also has sourcemaps, but I'm not subbed to Apple Music anymore to check. It's neat, but not really a huge blunder, nor takedown-worthy.

  • chazwhiz@lemmy.world · 97 upvotes · 1 month ago

    Isn’t that just effectively un-minified? It’s just the client side code in the first place?

  • vithigar@lemmy.ca · 9 upvotes · 29 days ago

    // these are unicode characters in four hex…

    If your dev team needs a comment explaining this I have some serious concerns about their qualifications.

  • QuazarOmega@lemy.lol · 89 upvotes · 1 month ago

    Copyrighted content

    archived them

    on GitHub

    Idk man 🧐
    Run the countdown to when it’s taken down

    • nihilomaster@lemmy.world · 3 upvotes · edited · 1 month ago

      You could argue that since it's publicly available and this repo only archives it that… I don't know, man, copyright law is confusing.

      • rtxn@lemmy.world · 5 upvotes · 1 month ago

        I think you can get some kind of exemption for archival purposes. I know that the Internet Archive has one. But I also know that ultimately Microsoft is responsible for the data hosted on GitHub, and Microsoft's interest is to not even risk getting sued.

    • refalo@programming.dev · 23 upvotes · edited · 1 month ago

      There's lots of content sitting just below the surface on GitHub. Any time you make a PR on a repo, even if it gets closed or "deleted" by the repo owner, the actual link to the file itself stays there forever if you save it. GitHub's own DMCA repo even has warez links on it, sitting there for years.

        • refalo@programming.dev · 4 upvotes · 1 month ago

          Usually entire repos are disabled in that case. I’ve never tried to access hidden content on a DMCA-removed repo, but I assume it would not work.

  • 5opn0o30@lemmy.world · 5 upvotes, 37 downvotes · 1 month ago

    Who cares. Comments could be interesting but AI can do this pretty well on most JS these days.

    • Riskable@programming.dev · 5 upvotes, 7 downvotes · 1 month ago

      My thoughts, exactly: Why is this a big deal? Imagine the positive press it would be if Apple came out and said, “We did that on purpose. More companies should be this open!”

      The security impact of this: Zero (clients are already given the code)

      The reputational impact: Could be great! Or could be bad if they play this the wrong way.

    • shameless@lemmy.world · 14 upvotes · 1 month ago

      AI is still shit when it comes to obfuscated code. This is before it’s all been obfuscated and become unreadable.

      I’ve tried using AI to handle obfuscated scripts and it makes way too many assumptions as to what the code is trying to achieve.

  • Mr. Satan@lemmy.zip · 98 upvotes, 1 downvote · 1 month ago

    Security through obscurity is not security. I see no reason why source maps should be unavailable.

      • Phoenixz@lemmy.ca · 46 upvotes · 1 month ago

        Ding ding ding

        Open source code is usually quite nice and well done, because money pressure is way less of an issue and everyone knows people will be looking at your code.

        • ulterno@programming.dev · 22 upvotes · 1 month ago

          If you look at the casual code that I have shamelessly made public on my GitLab, that might change your mind on that.

        • Lifter@discuss.tchncs.de · 11 upvotes, 1 downvote · 1 month ago

          That’s probably also why development is usually really slow and most maintainers can’t keep up/give up.

            • kazerniel@lemmy.world · 1 upvote · 30 days ago

              Also what I’ve heard from open-source project maintainers, once a project gets popular, the flood of feature requests is neverending. (Something I’m sure I contributed to over the years 🫣) And especially in cases of feature requests with niche usefulness or mismatching vision, they can sap developer morale.

      • Mr. Satan@lemmy.zip · 2 upvotes · 29 days ago

        It was mentioned before. A source map is a comment with a URL. It's not pulled automatically unless the client has devtools and supports that. It doesn't meaningfully increase the size of the site for normal users.

    • mack@lemmy.sdf.org · 11 upvotes, 2 downvotes · 30 days ago

      Depends.

      If we're talking about a personal website, nobody will care. If you are a multi-billion-dollar company and there's the risk that literally anyone can create a 1:1 clone of your services… yeah, that's a bit of trouble.

        • mack@lemmy.sdf.org · 4 upvotes · 30 days ago

          No, it doesn't, and I am very aware that if anything runs on someone's computer then it can get replicated. But it gets slightly harder, also to reverse-engineer it or find potential fallacies. As well, source maps on prod are just a waste of bandwidth.

          • Mr. Satan@lemmy.zip · 2 upvotes · edited · 30 days ago

            Dunno, this “harder” argument while valid sounds just like false security. That’s why I don’t see much weight in it.

            As for bandwidth, source maps are not automatically pulled from server, so it also seems like a false issue to me.

          • Mr. Satan@lemmy.zip · 4 upvotes · 29 days ago

            That’s the thing, it’s not actually a security measure. Security through obscurity is not security. It can provide false security impression that is more harmful in my opinion.

            Having source maps can encourage proper security practices. Which, in my books, very much outweighs any security benefits of hiding them.

  • dogs0n@sh.itjust.works · 65 upvotes · 1 month ago

    SVELTE 🥹 (I'm very happy to see Svelte)

    Also I'm scared that this person may be risking their GitHub account by posting this. I dunno if it's legal to "distribute" Apple's website code yourself. If not, best hope they don't ban your whole account.

    • dogs0n@sh.itjust.works · 22 upvotes, 4 downvotes · 1 month ago

      Just to save on wasted bandwidth for the client (and your server) is why I would disable them.

      • brian@programming.dev · 41 upvotes · 1 month ago

        They're different files, generally; the only client that will automatically request them is a debugger.

        You turn them off because you don't want to expose your full source code. If you would be OK making your webpage's git repo public, then making sourcemaps available is fine.

      • dreamkeeper@literature.cafe · 6 upvotes · 1 month ago

        I work for a large software corp and we generally keep them in prod because it makes debugging prod issues much easier. The browser only downloads them when the dev tools are open.

      • mic_check_one_two@lemmy.dbzer0.com · 3 upvotes · edited · 30 days ago

        AFAIK, the source maps are only actually requested/downloaded when the user opens the dev tools. There’s no reason to have them automatically download for every visitor. The enable/disable simply toggles whether or not the request is accepted when the user opens the dev tools.

        So if my understanding is correct, keeping it enabled wouldn’t really impact server load, unless lots of users are constantly using the dev tools.
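The comments from Mr. Satan, brian and mic_check_one_two above all turn on the same mechanism: a bundle ends with a `sourceMappingURL` comment, and only a client that understands that comment (devtools, a debugger) goes and fetches the map. The one case where a map does cost every visitor bandwidth is an inline `data:` map, which travels inside the bundle. The following is an added example written for this edit, not code from the thread, from Apple or from any bundler; it audits a bundle for such a comment, tells an external map from an inline one, and reports whether the map embeds the original source (`sourcesContent`) or only file paths. The bundle text, map JSON, Svelte/TypeScript file names, `example.test` URLs and the in-memory `fetchMap` stand-in for the server are all constructed for the demo.

```javascript
// Added example (not code from the thread, from Apple, or from any bundler):
// audit a production JavaScript bundle for a source map reference and report
// whether that map would hand a reader the original source. Bundle text, map
// JSON, file names and the example.test URLs below are all constructed.

// The trailing comment that browsers honour: `//# sourceMappingURL=` (older
// `//@` too) or the block-comment form `/*# sourceMappingURL=... */`.
const SOURCE_MAP_COMMENT =
  /(?:\/\/[#@]\s*sourceMappingURL=(\S+)|\/\*[#@]\s*sourceMappingURL=(\S+?)\s*\*\/)/g;

// Return the URL from the last sourceMappingURL comment in the bundle, or null.
function findSourceMappingUrl(bundleText) {
  let last = null;
  for (const m of bundleText.matchAll(SOURCE_MAP_COMMENT)) last = m[1] ?? m[2];
  return last;
}

// Decode a data: URL carrying an inline map (base64 or percent-encoded body).
function decodeDataUrl(dataUrl) {
  const comma = dataUrl.indexOf(',');
  if (comma < 0) throw new Error('malformed data: URL');
  const meta = dataUrl.slice('data:'.length, comma);
  const body = dataUrl.slice(comma + 1);
  return meta.split(';').includes('base64')
    ? Buffer.from(body, 'base64').toString('utf8')
    : decodeURIComponent(body);
}

// What a parsed map exposes: original file paths always; the full original
// source only when the bundler embedded `sourcesContent`.
function assessMap(mapText) {
  const map = JSON.parse(mapText);
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embeddedBytes = contents.reduce(
    (n, s) => n + (typeof s === 'string' ? Buffer.byteLength(s, 'utf8') : 0), 0);
  return { version: map.version, sources, embedsSource: embeddedBytes > 0, embeddedBytes };
}

// fetchMap(url) is a caller-supplied synchronous lookup; in a real audit it
// would be an HTTP GET. It returns undefined when the server does not serve it.
function auditBundle(bundleUrl, bundleText, fetchMap) {
  const ref = findSourceMappingUrl(bundleText);
  if (ref === null) return { kind: 'none', bundleUrl };
  if (ref.startsWith('data:')) {
    // Inline map: part of the bundle itself, so every visitor downloads it.
    return { kind: 'inline', bundleUrl, ...assessMap(decodeDataUrl(ref)) };
  }
  // External map: only devtools/debuggers that honour the comment fetch it.
  const mapUrl = new URL(ref, bundleUrl).href;
  const mapText = fetchMap(mapUrl);
  if (mapText === undefined) return { kind: 'external', bundleUrl, mapUrl, reachable: false };
  return { kind: 'external', bundleUrl, mapUrl, reachable: true, ...assessMap(mapText) };
}

// ---- constructed sample data ----
const MAP_WITH_SOURCE = JSON.stringify({
  version: 3, file: 'app.js',
  sources: ['src/App.svelte', 'src/lib/api.ts'],
  sourcesContent: [
    '<script>\n  export let title;\n</script>\n<h1>{title}</h1>\n',
    'export const fetchApps = () => fetch("/api/apps").then((r) => r.json());\n',
  ],
  names: [], mappings: 'AAAA',
});
const MAP_NAMES_ONLY = JSON.stringify({
  version: 3, file: 'vendor.js', sources: ['node_modules/svelte/index.js'],
  names: [], mappings: 'AAAA',
});
const MIN = 'function t(e){return e+1}\n';
const BUNDLES = {
  external: MIN + '//# sourceMappingURL=app.3f2a.js.map\n',
  inline: MIN + '//# sourceMappingURL=data:application/json;charset=utf-8;base64,'
    + Buffer.from(MAP_WITH_SOURCE).toString('base64') + '\n',
  namesOnly: MIN + '//# sourceMappingURL=vendor.1a2b.js.map\n',
  locked: MIN + '//# sourceMappingURL=/internal-maps/app.3f2a.js.map\n',
  clean: MIN,
};
// Stand-in for the server. /internal-maps/ is deliberately absent, modelling
// a map directory that is served only to VPN clients.
const SERVED = {
  'https://example.test/assets/app.3f2a.js.map': MAP_WITH_SOURCE,
  'https://example.test/assets/vendor.1a2b.js.map': MAP_NAMES_ONLY,
};
const fetchMap = (url) => SERVED[url];

// Audit every sample bundle; returns a name -> finding object.
function runDemo() {
  const out = {};
  for (const [name, text] of Object.entries(BUNDLES)) {
    out[name] = auditBundle('https://example.test/assets/app.3f2a.js', text, fetchMap);
  }
  return out;
}

for (const [name, f] of Object.entries(runDemo())) {
  const detail = f.kind === 'none' ? '' : f.reachable === false ? 'map not served'
    : `${f.sources.length} source(s), embedsSource=${f.embedsSource}`;
  console.log(name.padEnd(10), f.kind.padEnd(9), detail);
}
```

The `locked` case is the shape of mmmac's fix further down the thread: the comment stays in the bundle, but the `.map` itself is only served to an allowed network, so a public audit sees `reachable: false`. The `namesOnly` case shows the middle ground a bundler gives you when it writes a map without `sourcesContent`: a debugger can still map stack traces to file and line, but the original text is not in the map.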

    • Rooster326@programming.dev · 1 upvote · 30 days ago

      It’s sensational news.

      It gets the bottom 50% thinking Apple fucked up, and they can now ask ChatGPT to just copy the App Store because that’s all that is holding them back from being a temporarily embarrassed millionaire: Source Maps…

    • panda_abyss@lemmy.ca · 50 upvotes · 1 month ago

      It’s how the web worked before minifiers, so kinda but not really.

      You just have comments and original variable/function names.

      I’m sure someone will argue this helps scrapers or hackers, but really it’s not that big of a deal.

      • dreamkeeper@literature.cafe · 2 upvotes · 1 month ago

        Anyone capable of doing damage already knows how to format and read minified code anyway. I do it in prod all the time when I want to test something with an override, which causes the source map to become invalid.

      • Axolotl@feddit.it · 10 upvotes · edited · 1 month ago

        It helps users that make website styles!

        E.g. I have a Discord style for fixing their bullshit.

  • mmmac@lemmy.zip · 28 upvotes · 1 month ago

    Our international teams kept enabling sourcemaps, and I just had devops lock the directory to VPN access only 🤷

    I know sourcemaps aren't the end of the world, as it's all client-side code that lives on the client's computer, but it just feels dirty.

  • bleistift2@sopuli.xyz · 147 upvotes · edited · 1 month ago

    Depending on the exact level of stupidity clinging to the judge on that day, some jurisdictions might consider this “hacking.”

    One case from the States that was luckily dismissed:
    https://uk.pcmag.com/security/136282/missouri-gov-goes-after-reporter-who-found-shockingly-bad-flaw-in-state-website
    https://www.vice.com/en/article/this-is-the-hacking-investigation-into-journalist-who-clicked-view-source-on-government-website/

    • CHKMRK@programming.dev · 11 upvotes · 30 days ago

      Germany, for example. There was just the Modern Solutions case, and the ruling was that using a hex editor to get hardcoded MySQL passwords from a binary is considered hacking.