Is it poor practice to host multiple web applications on the same domain, in terms of cookies?

In my web application, I have a single API backend and two frontends written as single page applications. To simplify deployment, I’d like to serve the API on /api, the admin dashboard on /admin, and the end user frontend on /user (or something similar), all on the same domain.

I want to use cookies for handling sessions, for both the end-user and admin apps. Is this a good idea? As I understand it, cookie usage is restricted by their domain. Would it make it simpler for an attacker to steal admin-session cookies from someone logged into both frontends? Or, should I use different domains for the admin and user frontends (admin.mydomain.com and user.mydomain.com)?

What are the applications of homotopy type theory to everyday programming?

I know of only two applications, neither of which I understand:

  • "Homotopical Patch Theory"
  • "HoTTSQL: Proving Query Rewrites with Univalent SQL Semantics"

Is there a capsule summary of how HoTT is relevant to these problems?

Is there a general kind of programming problem for which HoTT is suited? Based on the applications so far, is it likely that future applications will all have to do with program efficiency? Or might there be applications to distributed systems, for example?

Higher inductive types strike me as the most obviously "new" thing from a programmer’s point of view. Is there a capsule summary of why programmers might use higher inductive types? Do these applications only have to do with program correctness, or do they also give us the ability to solve problems differently?

I know it’s early days and that we probably don’t know what the applications may be, but it’s also likely that more is known now than several years ago when the articles above were written.

Can malicious applications running inside a docker container still be harmful?

I am very new to docker (and don’t usually program at a ‘systems’ level). I will be working on an open source project with complete strangers over the web over the next couple of months. I trust them, but I like to not have to trust people (meant in the best possible way).

I would like to know, if I download various repositories from github or elsewhere, and run them inside a docker container, is it possible for them to cause harm to my laptop in any way?

In case it’s relevant, the repositories will mostly be web applications (think django, node), and will likely use databases (postgres etc), and otherwise operate as regular locally hosted web applications. It is possible (like anything from github or the world wide web), that some apps could contain malicious code. I am curious to know if running such an app (containing malicious code) inside a docker container prevents that code from harming anything outside of the docker container (i.e. my laptop)?

Tracking domains in installed applications

Many websites have tracking domains in their webpages, which I block using the "Privacy Badger" extension by the EFF.

These domains are easily visible by pressing Ctrl+U in Firefox to see the "Page Source".

Also, I have observed that many apps (which I download from the Google Play Store) show content which is exactly similar to the content accessed by any web browser on the related web pages. I guess that those apps are nothing more than a web browser in themselves, accessing the related web pages [I MIGHT BE WRONG].

In the above case (or even in the case where content accessed by apps is aesthetically and/or functionally different than that accessed by a browser) I guess that the tracking domains (which are on the related web pages) are also baked into the apps.

My questions:

  1. Are the tracking domains present in the apps also?
  2. Is there any way to verify their presence [as was the case with Firefox above]?
  3. How can I block them from tracking the user [as Privacy Badger does]?

Note: I am just talking about "simple" tracking methods (domains), not "advanced" ones like fingerprinting, tracking pixels etc.

Unrelated applications like games accessing ‘webcache’ related files

As the title suggests, I'm wondering if a game, for example, has any business accessing ‘webcache_counters’.

After attempting to clean my webcachev01 file due to its oddly large filesize, given the fact I don't use IE or Microsoft Edge at all, I noticed in Process Explorer that a lot of my random applications were accessing a file with the suffix ‘webcache_counters’ followed by a string of numbers I'd imagine to be a registry key.

The strange thing about this handle is that I can't view its properties nor close the handle, with the first saying that it is ‘Unable to query’ and the latter saying I lack administrative rights. To clarify, I am the sole user and administrator on this machine.

All this is having me increasingly worried; I've been having recent fears of malware on my PC and this has appeared in my rigorous inquiry of my files and processes. How can an innocuous-sounding file/handle bar me from even closing it in Process Explorer?

Applications of Will in Condensed vs. in Core

Some months ago, I noticed a difference between the Core and Condensed editions in the way the Will skill is described. I would like to know whether this is an intentional change between editions (or ‘editions’ – whatever you call the subtle variations in the crunch between the books), or whether all the functions attributed to Will in Core are to still be attributed to it in Condensed; and, if it’s the former, which Skill(s) should take over those functions.

To be more specific, Core’s description of Will includes the following:

You can use Will to pit yourself against obstacles that require mental effort. Puzzles and riddles can fall under this category, as well as any mentally absorbing task, like deciphering a code. Use Will when it’s only a matter of time before you overcome the mental challenge, and Lore if it takes something more than brute mental force to get past it. Many of the obstacles that you go up against with Will might be made part of challenges, to reflect the effort involved.

Contests of Will might reflect particularly challenging games, like chess, or competing in a hard set of exams. In settings where magic or psychic abilities are common, contests of Will are popular occurrences.

In contrast, Condensed’s description of Will doesn’t even hint at anything like that, instead portraying Will as a pretty much exclusively reactive, not proactive, Skill (in fact the only one in the list that is like that):

Will: Mental fortitude, the ability to overcome temptation and to withstand trauma. Will stunts let you ignore mental consequences, withstand the mental agony of strange powers, and hold steady against enemies who provoke you. In addition, a high Will rating gives you more mental stress or consequence slots (page 12).

Spoofed DNS answers ignored by target machine applications

Attacker: Arch Linux

Target: Windows 10

Scenario: The attacker launches an ARP spoof attack to redirect all target traffic to the attacker. (This works)

The target sends DNS queries for domain name resolution to the attacker machine. (This works)

The attacker machine listens for these queries and, if the query tries to resolve a specific domain (detectportal.firefox.com), sends a spoofed DNS answer with the attacker’s IP. For all the other domains the queries are not answered and not even forwarded.

Wireshark on both the attacker and target machine confirms the reception of the spoofed DNS answers, although the applications that triggered the DNS resolution seem to ignore these answers and just time out.

Example on target machine:

    ipconfig /flushdns
    nslookup detectportal.firefox.com
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  10.42.0.1  (my gateway IP and the IP being spoofed by the ARP attack)

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed-out

Wireshark confirms the DNS spoof answers are correct and correlates them to the queries.

Assumption:

I do not compute the IP header checksum nor the UDP checksum; I just put some value (e.g. 0xdead, 0xbeef, 0xcafe). Could it be the target machine dropping these packets AFTER Wireshark picks them up?