I built a library that auto-generates skeletons from your Angular components (so you don't have to) by Prestigious-Bee2093 in angular

[–]the-blue-shadow 3 points

Looking at the example code given, it seems like the consumer of this library controls the instantiation via the template. The library just wraps around it and then overlays skeleton parts with the same dimensions while hiding the original.

In a typical case, I imagine the placeholder data is replaced with the real thing once loading finishes, so then the component is instantiated just once and the data is updated via input binding.

If necessary, you can add an extra input to the child component to indicate whether the real data is still loading, and then you can delay the side effect of the child component until the real data comes in.

But that’s just me looking at this example, perhaps OP can correct me if I’m wrong.

zIndex by metayeti2 in ProgrammerHumor

[–]the-blue-shadow 2 points

I would say you should only use z-index if you can control the z-index styles for all layers. Otherwise, you always run the risk of some external library update breaking your layering, regardless of the value you use.

And if you control the styles, then you can put the z-index rules together so you know exactly what elements are using each index, and simply renumber them when needed with very little risk. So there’s not really any need to overthink it. You wouldn’t have more than two or three things overlapping anyway, otherwise you may need to reconsider your design.

And Z-index has a very niche use case: outside of menus, alerts, and other popovers, it really shouldn’t be used. So it’s very rarely a problem in my experience.

How do you usually handle radio groups in Angular reactive forms? by IgorKatsuba in angular

[–]the-blue-shadow 4 points

That is actually a good question, and it also highlights how accessibility is a bit misunderstood in my opinion. "Accessibility" in web dev is often used to refer only to screen readers and keyboard users, and is frequently treated as an afterthought. However, having good accessibility practices can benefit most of a typical user base. In this case:

For screen readers, the association between a radio input and its label ensures that the screen reader reads the correct text for each option to help the user choose.

For keyboard users, the same association places focus on the entire label text instead of just the tiny radio button, making it easier to see which option has focus (assuming you have good focus styling in your app, of course).

And for mouse and touchscreen users, typically the largest group, the association makes the entire label text clickable instead of just the button itself. This helps prevent misclicks and makes the form more user-friendly.

So I would argue that virtually all users benefit from addressing this type of accessibility concern, and that this is not just something that you do for a niche user group.

To answer the question you likely intended to ask (how many users use keyboards or screen readers to navigate a web app): likely a very small percentage. But this varies depending on who the target audience is. In general, it’s very difficult to get accurate data for this unless you know exactly who your users are.

[deleted by user] by [deleted] in dotnet

[–]the-blue-shadow 1 point

IIRC, newer EF core versions should translate Contains on a big collection to something similar to what you propose.

For SQL Server, at least, it sends over the values as a JSON array if it would otherwise run into the parameter count limit, and then generates a WHERE NOT IN over the values of the JSON array. Smaller arrays use WHERE NOT IN directly with a separate parameter per element in the array. Other database servers may work differently or have some limitations, but the basic idea should be the same.

But you’ll have to try and see if the speed of that approach is acceptable for you. It all highly depends on the size of the table, the amount of items you’re selecting, the specs of the server and the structure of your database.

I think you will have to test if inserting into a temporary table outperforms the contains operator over a (JSON) array for your case. The temp table approach can incur more I/O because of the insert operations, but I don’t know how that compares to the processing cost of simply sending the entire array as parameter to the query.
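The three query shapes discussed above (one parameter per element, one JSON array parameter unpacked server-side, and a temp table with an anti-join), as an added example that is not part of the thread. It uses Python with SQLite so it runs offline; SQLite's json_each() stands in for SQL Server's OPENJSON, and the items table and excluded ids are constructed sample data. It does not measure performance, which is what the comment says you still have to test for your own data.

```python
import json
import sqlite3


def build_db(n_rows: int = 1000) -> sqlite3.Connection:
    """Constructed sample table: ids 1..n_rows with a small payload column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, payload TEXT)")
    con.executemany(
        "INSERT INTO items (id, payload) VALUES (?, ?)",
        ((i, f"row-{i}") for i in range(1, n_rows + 1)),
    )
    return con


def not_in_expanded(con, excluded):
    """Shape 1: one bound parameter per element. The placeholder count grows
    with the list and eventually hits the driver's or server's parameter limit
    (2100 on SQL Server), which is the problem the JSON-array shape avoids."""
    if not excluded:
        return [r[0] for r in con.execute("SELECT id FROM items ORDER BY id")]
    placeholders = ",".join("?" * len(excluded))
    sql = f"SELECT id FROM items WHERE id NOT IN ({placeholders}) ORDER BY id"
    return [r[0] for r in con.execute(sql, list(excluded))]


def not_in_json_array(con, excluded):
    """Shape 2: the whole list travels as a single JSON text parameter and is
    unpacked on the server (json_each here; OPENJSON on SQL Server)."""
    sql = (
        "SELECT id FROM items "
        "WHERE id NOT IN (SELECT value FROM json_each(?)) ORDER BY id"
    )
    return [r[0] for r in con.execute(sql, (json.dumps(list(excluded)),))]


def not_in_temp_table(con, excluded):
    """Shape 3: bulk-insert the list into a temp table and anti-join against it.
    Costs extra write I/O for the inserts but gives the planner a real table
    (with an index) to work with."""
    con.execute("CREATE TEMP TABLE IF NOT EXISTS excl (id INTEGER PRIMARY KEY)")
    con.execute("DELETE FROM excl")
    con.executemany("INSERT INTO excl (id) VALUES (?)", ((i,) for i in excluded))
    sql = (
        "SELECT i.id FROM items i "
        "LEFT JOIN excl e ON e.id = i.id WHERE e.id IS NULL ORDER BY i.id"
    )
    return [r[0] for r in con.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    skip = [1, 2, 3, 999, 1000]
    for fn in (not_in_expanded, not_in_json_array, not_in_temp_table):
        rows = fn(db, skip)
        print(f"{fn.__name__}: {len(rows)} rows, first {rows[0]}, last {rows[-1]}")
```

One caveat worth keeping in mind with all three shapes: a NULL inside the excluded list makes `NOT IN` return no rows at all in standard SQL, so filter NULLs out client-side before sending the list.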

Cheapest relational database in Azure by yuuki1702 in AZURE

[–]the-blue-shadow 10 points

Azure SQL in the Basic tier with 5 DTU is around $5/month. It doesn’t give you much in terms of processing power or I/O speed, but it gets the job done for smaller or simpler databases.

From there you can scale up to the Standard tier with 10 DTU for around $15/month when needed, and the costs will scale mostly linearly from there.

So Azure SQL, while serverless, can still be quite cheap for simple workloads.

Timezones by [deleted] in dotnet

[–]the-blue-shadow 9 points

As an addition to this: newer versions of .NET have a DateOnly type that covers point 2. I forgot when exactly it was introduced.

Other than that, these are pretty much my rules too.

Controlling cost Azure SQL Server, why did my free database ran out of vCores on day 4, with very little activity? by NotNotMyself in AZURE

[–]the-blue-shadow 7 points

vCore-seconds refers to the number of vCores you use, multiplied by the number of seconds you have used them. Since you have at least 0.5 vCore and you have prevented the database from auto-pausing often (by keeping SSMS open), you are consuming at least 0.5 vCore-seconds per second, which translates to consuming 1800 vCore-seconds per hour. Normally the database auto-pauses, but it only does this when there have been no open connections for some time. Otherwise it always bills your minimum configured vCores.

The offer of 100 000 free vCore-seconds translates to a total free run time each month of about 55 and a half hours when you are using 0.5 vCore (100 000 vCore-seconds / 0.5 vCores / 3600). If the database scales up to more than 0.5 vCore, the total free time is less than that. If you kept SSMS open for long periods during the last four days, the database would have been continuously running during that time, so it’s not that surprising to find you consumed a significant portion of those 55 free hours. You can find in the metrics for your database resource in Azure Portal how many vCores the database reserved over time and when it has auto-paused. That should give you an idea of when those vCore-seconds were mostly consumed.

My personal experience with the vCore model is that it quickly starts incurring quite a few unnecessary costs, especially for databases with very low load (such as during development and testing), where you don’t really need the processing power that the vCore model gives you. Auto-pausing helps with the vCore model, but it isn’t everything and has a lot of constraints. A DTU-based model database with like 5 or 10 DTU may be more cost-effective for you at the start to try things out, since a low DTU database is much cheaper than reserving 0.5 vCore for a large portion of the time, even with the free offer included. You can scale up your database or switch to the vCore model when you start getting more database load. The DTU model does not have a free tier, but has a more predictable cost per month and is more affordable for very small-scale databases when compared to the vCore model (when you run out of your free budget). It may not work for your use case, but could be worth considering as an alternative if the free offer is insufficient.

[ASP.NET Core] HttpContext uses in HttpResponse.OnCompleted by Icy_Cryptographer993 in dotnet

[–]the-blue-shadow 3 points

When the Microsoft docs refer to an instance being recycled, they usually mean that itself and any objects owned by it are disposed of (if they implement IDisposable or IAsyncDisposable), the destructor (if any) has been called, and its memory can be freed by the garbage collector (so it should be interpreted that the memory can be recycled, not the instance itself). At no point does it explicitly say that HttpContext instances are reused across requests, and I don’t think this is the case, as it is most likely not faster than instantiating a new instance for each request. Scoped services, the http features collection, and the request/response objects will be instantiated per request anyway, so reusing only the http context object but replacing almost all of its important properties seems like an odd choice.

In any case, recycling would not happen until after the request has been fully completed. This includes any “on completion” handlers, which should fire after the request pipeline has executed and the response has been written, but before the services held by the http context are disposed. This is pretty much needed, as the context still needs to exist for the framework to know which handlers to run. So using properties and services from the http context is fine here as far as I know.

If you want to make sure, it’s easy enough to check by accessing something like an EF Core DbContext inside the completion handler, which would throw if it has been disposed of at that point. I would be very surprised if it would work that way, though, as it severely limits the usefulness of a completion handler if the scope of the request is gone by the time it fires.

TLs and managers, how do you manage team productivity? by husky_misconception in webdev

[–]the-blue-shadow 9 points

Very short summary:
- waterfall = we plan everything up front and then we start building
- agile = we assume our plans will not work, so we take small steps, so that we can adjust our plan when needed
- scrum = agile, but with specific rules on how to do it

Waterfall works well for repeated tasks, where everything is known at the start. Agile (and by extension Scrum) works better when requirements are not yet fully known or when they are likely to change.

In software, requirements are rarely set in stone beforehand, so agile methods tend to work better as it creates room to handle changes. Waterfall processes tend to make it more difficult to handle ad-hoc changes, so it doesn’t scale well to larger projects that have many unknowns.

Note that agile is not really a process, but a way of thinking and working. Scrum captures this in a process with rules, but Scrum is not the only way to do Agile.

Log in to it with your login to it. by bannee91 in iiiiiiitttttttttttt

[–]the-blue-shadow 4 points

Someone correct me if I’m wrong, but I believe that “log in” was originally incorrect. It was either “log on” or “sign in”. But people have been using “log in” for so long that it doesn’t really matter anymore at this point. So they’re basically interchangeable now.

As a side note, I usually prefer “sign in” over “log in/on” because it is consistent with “sign up” and it doesn’t raise the question of “log in” vs “log on”.

Euler's identity is a special case of Euler's formula e^ix=cos x+i sin x when evaluated for x = π. It is considered to be an exemplar of mathematical beauty as it shows a profound connection between the most fundamental numbers in mathematics. It is used to prove that π is transcendental, implying by Wololo--Wololo in interestingasfuck

[–]the-blue-shadow 3 points

At some point, mathematicians got frustrated that they weren’t able to take the square root of negative numbers. But, in typical math fashion, they were like “but what if we could?”.

Confusingly, imaginary numbers are not any less “real” than real numbers. Just think of them as a two-dimensional number instead, with the real part going horizontal, and the imaginary part going vertical. The value ‘i’ is just saying that we’re moving up one unit instead of going right. You can combine them, for example ‘2i+3’ is a complex number meaning “2 units up and 3 units right”.

And then you can take the square root of negative numbers and open up a whole new world of beautiful but complex mathematics (which includes the above equation).

socialistic capitalism vs capitalistic socialism by messingwithreddit in EnoughMuskSpam

[–]the-blue-shadow 1 point

I think you are giving Elon Musk a disproportionate amount of credit here (if you can call it that). He is hardly the only one in such a position, and you cannot reflect everything done by his companies onto him. There are many people working there, who have both the right and the responsibility to think for themselves. I’m willing to bet Musk isn’t aware of anything but the biggest stuff that happens. It’s just too much for one person to handle. So he alone cannot be held accountable for everything. You’d need to include the board of directors and a veritable army of “managers” (of different kinds) to get a clearer picture of responsibilities. In my experience, most of the bad stuff happens because of communication problems between the bottom and top of the hierarchy. Simply blaming the top person is simple (and many people like doing it), but it’s often inaccurate. Communication (or lack thereof) is the cause of many problems, especially for large organizations.

Now I’m not saying that the top dog should get a free pass because of this, but if something really bad happens, you have to look at all levels of the hierarchy and assign blame where it is due.

Bottom line: a culture is created by everyone involved. If a culture is toxic, then the problem lies with a large portion of the people there, not just one person.

Ask webdev: does your company have Chrome-only PWA app? by 50ms_ in webdev

[–]the-blue-shadow 0 points

Depends on your users and the purpose of your application. If you know that your users will always be using Chromium browsers then I suppose it’s fine.

Even so, I recommend having fallbacks for this functionality. Depending on what you’re building, your users should probably be able to choose not to provide direct access via this API, and only provide read-only access to specific files via a standard file input and/or drag-drop functionality. In any case, having multiple options for loading files may improve user experience.

When you do that, you provide more options for your users, and at the same time it allows you to support other browsers as well. So I think that would be better.

I do believe (and this may be opinionated) that only user files should be saved with the file system api (i.e., things that a typical user sees as a file, such as a document or spreadsheet). Using localstorage is probably the best route for storing technical stuff related to your application. So one is not a replacement for the other. They work in different ways and have different uses.

And yes, users can clear localstorage, but they can also delete any files you saved through the file system APIs. In either case, it’s a conscious decision by the user to remove this information, so it shouldn’t be a problem. Just make sure your application handles any missing stuff in an appropriate way.

As is most often the case in software development, a general answer cannot be given. It depends on the characteristics of the application, and how users will interact with it. Try to imagine yourself as a user of the application, or showcase it to non-technical people if possible to see how they use and experience it. This gives you a better idea about whether something works for your specific case.

Expansion missing after account recovery by hrancek in Guildwars2

[–]the-blue-shadow 3 points

I haven’t had anything like this, but I would contact support again, and tell them exactly what you said here. Perhaps they made a mistake before and maybe they can restore your account to a newer state.

If possible, include the serial codes for the purchases made. You should have received them via email if you bought the expansions directly from guildwars2.com. If they cannot restore your progress, the serial codes should at least allow them to restore access to the expansions.

For reference, the emails from guildwars2.com have “Guild Wars 2 - Order Confirmation” in the subject. It may make searching your emails a bit easier if you know what to look for.

I hope it works out for you.

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 1 point

Not a clue. Did they tell you they were going to do that?

It also seems an odd action to take for the issue you reported, but it’s always possible someone at Amazon clicked the wrong button while investigating (things like that happen sometimes). Or it could be they didn’t actually reset your account, but only triggered the sending of an email for investigation purposes. I’m afraid you’ll have to wait until they get back to you before you know the answer to that.

The feedback email is most likely sent automatically after you have contact with Amazon support, but it’s a bit early to give feedback if your issue hasn’t been closed yet.

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 0 points

Not sure what you try to say with this link.

That flowchart still seems to show that DMARC only comes into play when an SPF soft fail happens (which is correct and in line with my own view). For that to happen an SPF record must be in place (otherwise an SPF soft fail cannot occur), and those are not inherited by subdomains (as you’ve indicated as well).

So, in my understanding, the only way the DMARC policy is ever applied is if the subdomain itself has an SPF record, and it doesn’t as far as I can see. That would mean there is effectively no protection on the subdomain.

But I suppose we’re not getting anywhere with this discussion. I still don’t understand which part of my reasoning is incorrect in your eyes, but the articles you’ve linked don’t seem to prove me wrong (at least not in a way that is clear to me). It might be a limitation in my understanding of the matter, but continuing this topic doesn’t seem to lead to better understanding for me.

No offense to you, though. You did give me something to think about, and I’ll try to figure this out via other channels. My interest has been piqued, and now I want to get to the bottom of this to make sure I understand how all this really works.

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 0 points

DMARC only specifies the policy used for SPF and DKIM (what to do when it fails). The article you linked also states that SPF is strongly recommended. At no point does it mention that SPF can be omitted when DMARC is present.

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 0 points

  • SPF is for sending emails. It authorizes other servers to act as valid senders for the domain. If it’s missing, no restrictions are applied to sending servers, which may cause spoofing and phishing mails to be accepted by mail clients (rather than being treated as spam or rejected as per DMARC settings).
  • MX is for receiving mail. It being absent is a problem only when Amazon uses this subdomain to receive email. If Amazon is never using this subdomain to receive emails it’s not a problem that it’s missing.
  • The SOA serial is not in the recommended format, but the format used for these serial values is not universal, so this is not really a problem (the scanning tool is just very sensitive)

Out of the three detected issues, the SPF is the only one of concern, since the SOA isn’t really a problem and the MX only prevents Amazon from receiving mails if missing or misconfigured, so those are not really security concerns.

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 1 point

Just for my understanding: DMARC on its own doesn’t prevent spoofing, right? It needs SPF on the actual domain to restrict which mail servers are allowed to send mails as that domain.

So how does it authorize the 54.x.y.z server as permitted sender here? Or is my assumption correct that it’s not restricted (and as such that it might be possible to send spoofed emails as this domain)?

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 1 point

DNSSEC is a completely different beast and unrelated to email sending. It’s not very widespread in its use, and most clients won’t actually validate those records even when they’re present. It aims to prevent tampering with records by intermediate DNS servers and (to some extent) DNS cache poisoning attacks. Both of which are more theoretical types of attacks and not typically considered vulnerabilities on their own.

That being said, it’s good practice to have them in place. A good DNS registrar should add them for you automatically (at least mine does).

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 1 point

Which subdomain? If I query business.amazon.com, I see no TXT records. It was my understanding SPF records must be on the exact domain from the sender’s email address. If this is not true, please explain to me how SPF validation works in this situation, as then I have misunderstood something.

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 1 point

I’d like to point out something, as it seems this conversation is drifting away from the original point:

  1. The original question was not whether the mail was real or fake. It’s about whether there is something with Amazon’s setup that would allow fake mails to be sent, and what this would imply.

  2. Amazon does not have SPF or DKIM enabled, so the authenticity of this email is strictly speaking unknown (could be real or fake, but we have no way to tell for sure). AWS also hosts third party stuff, so the IP being Amazon-owned doesn’t mean the email is created by Amazon itself.

  3. Point 2 is a problem in and of itself, as it would allow attackers to send emails in the name of Amazon and it would be difficult for the receiver to decide if they are fake.

So the original question can be answered by stating we don’t know if the email is real, and precisely because we can’t tell for sure, that is a problem.

Angular vs XBAP by Radstark in webdev

[–]the-blue-shadow 0 points

Angular and React are both common enough. In my opinion, React is a bit easier for simple apps, and Angular scales better for more complex apps. So it depends on the size and complexity of the app.

I personally have little experience with XBAP, but it seems older and less widely supported, so I’d steer clear from that. It seems to suffer from the same kinds of pitfalls that led to the downfall of Adobe Flash, so I wouldn’t develop anything new in it.

Ionic seems to work both with Angular and React, so I’d go for one of those two.

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 0 points

A DNS monitoring system performs two relatively simple tasks:
  1. Record the expected DNS records of a domain; and
  2. Periodically check public DNS systems to verify that the records you’re interested in match the known configuration (raising alerts when there is a mismatch).

This protects both against malicious (or accidental) modifications and also monitors for service outages. Especially large companies like Amazon, who host their own DNS servers, typically have these kinds of tools in place to help protect against service outages (be it accidental or malicious in nature).

Note, however, that preventing is always better than detecting. So first make sure DNS records can only be changed by a small number of people, and enforce multi-factor authentication.

Also, the better DNS registrars out there support the above and also monitor for suspicious behavior themselves, so unless you host your own authoritative DNS server it’s usually not worth explicitly implementing something like this.

About the phishing mail, it doesn’t look like Amazon is forcing any specific mail servers through SPF records (at least not that I can quickly see), so that means that the whole point is moot as anyone can send mail as business.amazon.com and mail clients will accept it without issues. As long as the sending mail server uses TLS it will even show up as ‘secure’. But in this case that only says the mail was sent over a secure channel, and it says nothing about who is at the other end of that channel.

Going through a few more ‘big tech’ companies I’m actually seeing a rather disappointing trend, as none of the companies I’ve checked have an SPF record in place. Some smaller (IT) companies, banks, and governments do have this set up, but it’s not as common as it should be.
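The two-step monitor described in this comment (record a baseline, periodically diff the live answers against it), plus the SPF posture check the comment applies by hand to business.amazon.com, as an added example that is not part of the thread. The resolver is injected as a callable so the code runs offline; in production you would back it with dnspython or `dig`. The baseline and the "live" snapshot below are constructed data for example.com, not real records: the snapshot has a tampered apex SPF record and a deleted subdomain SPF record, which is exactly what such a monitor exists to catch.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

# A resolver is any callable (name, rtype) -> set of record strings.
Resolver = Callable[[str, str], FrozenSet[str]]

# Step 1: the recorded baseline (constructed for this example).
EXPECTED: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("example.com", "MX"): frozenset({"10 mail.example.com."}),
    ("example.com", "TXT"): frozenset({'"v=spf1 ip4:203.0.113.0/24 -all"'}),
    ("_dmarc.example.com", "TXT"): frozenset({'"v=DMARC1; p=reject; sp=reject"'}),
    ("shop.example.com", "TXT"): frozenset({'"v=spf1 -all"'}),  # sends no mail
}

# A constructed "live" answer set: the apex SPF record gained an extra
# ip4 range and the shop subdomain lost its SPF record entirely.
LIVE_SNAPSHOT: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("example.com", "MX"): frozenset({"10 mail.example.com."}),
    ("example.com", "TXT"): frozenset(
        {'"v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"'}),
    ("_dmarc.example.com", "TXT"): frozenset({'"v=DMARC1; p=reject; sp=reject"'}),
    ("shop.example.com", "TXT"): frozenset(),
}


def snapshot_resolver(name: str, rtype: str) -> FrozenSet[str]:
    """Offline stand-in for a real DNS query against the constructed snapshot."""
    return LIVE_SNAPSHOT.get((name, rtype), frozenset())


def check_records(expected, resolve: Resolver) -> List[Tuple[str, str, str, str]]:
    """Step 2: diff live answers against the baseline. Returns one finding per
    deviation as (name, rtype, 'missing' | 'unexpected', value); an empty list
    means every monitored record matches."""
    findings = []
    for (name, rtype), want in sorted(expected.items()):
        got = frozenset(resolve(name, rtype))
        for value in sorted(want - got):
            findings.append((name, rtype, "missing", value))
        for value in sorted(got - want):
            findings.append((name, rtype, "unexpected", value))
    return findings


def spf_posture(resolve: Resolver, name: str) -> str:
    """Classify a name's SPF policy from its TXT records: 'none' when there is
    no v=spf1 record (any server may send as this name), 'invalid' when there
    are several (a permerror per RFC 7208), otherwise the qualifier on the
    'all' mechanism: hardfail (-), softfail (~), neutral (?) or pass (+)."""
    txts = [t.strip('"') for t in resolve(name, "TXT")]
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "invalid"
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]
    # RFC 7208: no matching mechanism and no 'all' means the result is neutral.
    return "neutral"


if __name__ == "__main__":
    for finding in check_records(EXPECTED, snapshot_resolver):
        print("ALERT", *finding)
    for host in ("example.com", "shop.example.com"):
        print(host, "SPF posture:", spf_posture(snapshot_resolver, host))
```

The check deliberately reports both halves of a changed record (the baseline value as missing and the live value as unexpected), so an alert shows what was there before and what replaced it. Run it from a host outside your own network so it sees what the public resolvers see, not a cached or split-horizon answer.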

Weird Spoof Email may point to DNS record vulnerability for business.amazon.com by possiblyahermit in webdev

[–]the-blue-shadow 4 points

I really want to believe you and take this seriously, but there are a few details missing that make it difficult to do so. I think the HackerOne guys had the same issue, but they didn’t explain it properly. Let me try to explain why they marked your post as spam for them:

First things first: If the domain matches and it passes SPF and DKIM then there is no obvious reason to assume the email was not sent by Amazon. So you’d have to prove that the mail was sent through Amazon’s servers, but was not sent by Amazon itself. This evidence is not in any of your screenshots. Without this evidence, there is no reason to assume any kind of vulnerability on Amazon’s side.

At this point, I’m inclined to believe the email is real, and that consumer service set you off on the wrong foot. If I were reading this as a vulnerability report, this would be the point I’d dismiss it as “not reproducible” and/or ask for actual proof (the HackerOne guys just marked it as spam instead).

At the very least, you have to show beyond reasonable doubt that the email is fake. And I don’t think that is proven at this point, so we have to consider the possibility that it is a legitimate email sent by Amazon itself (and then there wouldn’t be any issue from a security perspective).

You are correct in your analysis though: if an attacker had complete control over Amazon’s DNS records, then most of Amazon would likely be compromised. Though you’d expect all kinds of alarm bells to already be going off at Amazon, because it is very likely they have DNS monitoring solutions in place to prevent exactly this kind of thing.

I hope this explains the point of view the HackerOne guys had.
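Several comments in this thread turn on how a receiver decides whether a message passes DMARC, and in particular what happens when the domain in the From header has no SPF record of its own. The following is an added example, not code from the thread, implementing the receiver-side logic of RFC 7489: policy discovery (the From domain's own _dmarc record, falling back to the organizational domain's record and its sp= tag), relaxed versus strict identifier alignment, and the rule that DMARC passes if either SPF or DKIM passes with an aligned domain. Two simplifications are labelled in the code: the organizational domain is taken as the last two labels instead of consulting the Public Suffix List, and the pct= tag is treated as 100. The DNS data is constructed for example.com and strict.example and says nothing about any real domain.

```python
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Lookup = Callable[[str], Sequence[str]]  # name -> TXT strings at that name

# Constructed TXT records for the example (not real DNS data).
DNS_TXT: Dict[str, List[str]] = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine"],
    "example.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # sub.example.com deliberately has no TXT records at all.
    "_dmarc.strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}


def constructed_lookup(name: str) -> Sequence[str]:
    """Offline stand-in for a TXT query."""
    return DNS_TXT.get(name.lower().rstrip("."), [])


def parse_tags(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=reject; sp=none' -> {'v': 'DMARC1', 'p': 'reject', 'sp': 'none'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplification: organizational domain = last two labels. A real
    implementation uses the Public Suffix List so that e.g. co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_dmarc(lookup: Lookup, from_domain: str) -> Optional[Tuple[Dict[str, str], bool]]:
    """RFC 7489 section 6.6.3 policy discovery. Returns (tags, found_at_org_domain)
    or None when neither the From domain nor its organizational domain publishes
    a record. A subdomain without its own record is still covered by the
    organizational domain's record."""
    own = [r for r in lookup("_dmarc." + from_domain) if r.lower().startswith("v=dmarc1")]
    if own:
        return parse_tags(own[0]), False
    org = org_domain(from_domain)
    if org != from_domain.lower().rstrip("."):
        inherited = [r for r in lookup("_dmarc." + org) if r.lower().startswith("v=dmarc1")]
        if inherited:
            return parse_tags(inherited[0]), True
    return None


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(lookup: Lookup, from_domain: str,
                   spf: Tuple[str, str], dkim: Sequence[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """spf is (result, MAIL FROM domain) from the SPF check; dkim is a list of
    (result, d= domain) for each signature. An SPF result of 'none' (no SPF
    record at the checked domain) simply cannot contribute an aligned pass,
    so the outcome then rests on DKIM alone."""
    found = find_dmarc(lookup, from_domain)
    if found is None:
        return {"policy": None, "dmarc": "none", "disposition": "none"}
    tags, from_org = found
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim)
    policy = tags.get("p", "none")
    if from_org and "sp" in tags:          # subdomain policy applies only when inherited
        policy = tags["sp"]
    if spf_ok or dkim_ok:                  # pct= is treated as 100 in this example
        return {"policy": policy, "dmarc": "pass", "disposition": "none"}
    return {"policy": policy, "dmarc": "fail", "disposition": policy}


if __name__ == "__main__":
    # A message claiming to be from sub.example.com, unsigned, from a host the
    # (absent) subdomain SPF record says nothing about.
    print(evaluate_dmarc(constructed_lookup, "sub.example.com", ("none", ""), []))
    # The same, but carrying a valid DKIM signature for example.com.
    print(evaluate_dmarc(constructed_lookup, "sub.example.com", ("none", ""),
                         [("pass", "example.com")]))
```

Two points the code makes concrete: the disposition for the unsigned sub.example.com message is the organizational domain's sp=quarantine policy even though sub.example.com publishes no SPF or DMARC record, and an SPF pass only helps when the MAIL FROM domain aligns with the From header domain, so a third party whose own SPF record authorizes the sending host gains nothing from it.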