25 comments

  • Matthias1 10 days ago
    This really caught my eye.

    I wrote a website almost exactly like this for myself. I've been using it for over a year. https://thoughts.learnerpages.com

    Something about posting publicly, but not having any public interaction mechanism is super cathartic for me.

    (I haven't signed up for thoughts.page, I'll probably write a comparison at some point, since I'm opinionated about this type of site.)

    • tinyprojects 10 days ago
      I'm a big fan of these tiny minimal websites. I've built something similar that lets you create an online blog from your paper journal. I use it daily to write down my thoughts and I'm weirdly very consistent with writing knowing others are reading my stuff. Wondering if OP has noticed the same thing.

      https://paperwebsite.com

      • iechoz6H 10 days ago
        And your "Most Popular" user type signs up for the GBP10/month account rather than the Free account?
        • selykg 10 days ago
          Pricing seems high, but it does grant them a custom domain option so it's not a shocker someone would sign up to get that feature.
        • rodolphoarruda 10 days ago
          This is really nice. I have always thought that the simplest way to publish a note was just to throw a txt file into a folder that is synced to a website. I actually do that with keybase.io; now, this photo-to-publish idea is nice. Almost frictionless.
        • mthld 10 days ago
          I really love the pricing model, refreshing:

          > thoughts.page is free for anyone who makes less than $40,000 USD/year, and costs $5/month otherwise.

          • AgentME 10 days ago
            It's a shame because its pricing structure works like how many people misunderstand taxes to work. If you earn $39,990/year and then get a $30/year raise, then you'll actually be set back to $39,960/year after you pay the new price for this service. You might have to awkwardly explain to your boss that you don't want that $0.015/hour raise. If instead the service worked like taxes by charging a percent of the money you make over $40k (and then limiting the value up to $5), then the price trap issue would be solved.

            (This suggestion is a joke, I just have the issues of welfare traps and popular misunderstandings of taxes on my mind.)

            • eCa 10 days ago
              From the pricing page:

              it obviously isn't perfect — there are people making more than $40,000/year for whom $5/month is an undue burden, and there are people making less than $40,000/year who can easily afford $5/month. but it's not like i'm checking, it's basically pay-what-you-want with $40,000 as a suggested cutoff for paying.

              • gnulinux 10 days ago
                This is very reasonable. I wish all small software shops acted like this. Reminds me of the REAPER program, which also has a reasonable pricing model like this, giving you unlimited time to try and buy it once it's useful to you.
                • askonomm 9 days ago
                  If there was an option to pay or not pay, most people would probably opt to not pay, and you as a software developer or shop probably want to pay bills, so wishing that all shops acted like this is not logical to me at all.
                  • gnulinux 9 days ago
                    What you're missing is convenience is a very valuable feature. This is exactly why I decided to give my $60 to the aforementioned program.
            • pattle 10 days ago
              Yeah, it's an interesting model. I'm guessing it works on an honour system, as income isn't easily verifiable.
              • qsort 10 days ago
                It's basically 'pay what you want' with a super weird cutoff based on post-tax income.

                I need to lose $4 by the end of the year! /s

                • londons_explore 10 days ago
                  In Norway, everyone's income is public information.

                  Other countries could do the same to make things more transparent.

                  • Smithalicious 10 days ago
                    It's funny seeing different attitudes on that. I live in the Netherlands, so really not far away, and income is very private, almost taboo information here - something you'd only discuss with your best friends, if that. People would be horrified to have their income be public information!

                    (please don't use my comment as a soapbox to start a labor rights debate)

                    • karencarits 10 days ago
                      It used to be public; the newspapers had databases where you could look up individuals or list by location/birth year/gender. Some even made maps, but they were a bit unpopular as it was suspected to be used by criminals. But knowing what politicians earned was nice and important, and newspapers still report on "people of public interest".

                      Today, you have to log in online, and the person you look up can see your name in the log.

                      • BelenusMordred 10 days ago
                        > Today, you have to login online and the person you look up can see your name in the log

                        I really don't see a problem with that and would still consider it public information.

                        • karencarits 10 days ago
                          I agree, I expressed myself poorly: it is less available today than it used to be; for example, I think it would be much more difficult for foreigners to gain access today. And there is a limit of 500 searches per month.

                          So - there have been changes that resulted in less transparency or better privacy, depending on point of view.

                      • daqhris 9 days ago
                        That is very interesting. It seems to me that the Norwegian society treats personal wealth information like what could happen with cryptos and blockchains.

                        Makes me want to dig deeper and understand the WHYs and HOWs it's been accomplished.

                        As someone born in a war-torn country, interpersonal trust is hardly imaginable outside blood-linked relatives. Overall, in such a society there is a high degree of mistrust between individuals from different social classes or regions. Publicly displaying resources like yearly income is the last thing that would come to anyone's mind. As an adult, I have no concrete idea how much a sibling/parent makes per month. We've become so used to being vague while uncomfortably sharing our earnings.

                        A place like Norway seems like utopia to me. Does the government intervene by sharing citizens' reported income? Who gets to verify, record and archive such info? Is there a kind of punishment for liars/cheaters/abusers? Is the disclosure of personal income a strict legal obligation or a non-binding local tradition? I'm fairly puzzled.

                        • zohch 10 days ago
                          > In Norway, everyone's income is public information.

                          > Other countries could do the same to make things more transparent.

                          What verifiable tangible benefits does this have?

                          • ArgyleSound 10 days ago
                            Knowing what people employed in similar roles to you earn helps you bargain for an equivalent salary.
                            • zohch 10 days ago
                              In theory, not sure this translates to reality. I don't even have anecdotal evidence that this works. Employed in similar roles does not mean equally valuable to company. I live in Norway and I don't think I would ever tell my employer they need to pay me the same as someone else, I also know there is significant variability for pay in the same role at places I worked (without ever checking public tax records).
                            • WaitWaitWha 9 days ago
                              Kidnappers no longer need to waste time scoping out potential targets.
                              • wombatmobile 10 days ago
                                Traffic fines in Finland are proportional to the offender's income.

                                https://www.irishtimes.com/news/nokia-boss-gets-116-000-spee...

                                Simple, elegant and fair?

                                Mathematically perhaps, but people are people...

                                https://www.automotive-fleet.com/10481/nokia-executive-fined...

                                • zohch 10 days ago
                                  > Traffic fines in Finland are proportional to the offender's income.

                                  Don't need everyone's income to be public information to do that.

                                  • wombatmobile 10 days ago
                                    > Don't need everyone's income to be public information to do that.

                                    It depends if you want speeding fines to be transparent, or secret.

                              • randomlurking 10 days ago
                                Never heard of it, can’t really imagine how that would work out in other countries.

                                Is it a somewhat new regulation? Is it easy to access the information?

                                • PaulIH 10 days ago
                                  It's actually a fairly long tradition; it's only been online for the previous decade or so. It's easy to access, it's just that for the last few years, you can also see if someone has checked your taxes and who they are.

                                  https://www.youtube.com/watch?v=1bO8zEaSuWg

                                  • Delk 10 days ago
                                    I think it's a Nordic thing. Tax records (including recorded income) are also public in Finland, and apparently Sweden has something similar. [1]

                                    In the case of Finland, the current legislation that makes tax information public was originally introduced in 1999, but I can't remember whether the records were also public (based on some other regulation) prior to that or not. In any case, it's not that recent. The Reuters article says Norway has had public tax information since 1863, but I don't personally know anything more about that.

                                    AFAIK anybody's tax records are basically a phone call away. You can't just google for the information, though. I don't know how it works in Norway. (Edit: but apparently the sibling replies do.)

                                    [1] https://www.reuters.com/article/us-panama-tax-nordics-idUSKC...

                                    • tephra 10 days ago
                                      To give the Swedish story. In general, all documents, decisions, etc. handled by a public agency are by default public (i.e. you can call/email the agency and ask for them).

                                      So when the tax agency makes a decision on your taxes, that becomes public, i.e. we can see what taxable income you have. One way this is used is by newspapers to look into the income of politicians (and other famous people..).

                                      The right of public information is taken quite seriously by the courts (and should be taken more seriously by agencies that really like to classify the information as secret, which you then have to go to court to challenge). For example, an organisation I'm associated with was able to get the cookie data from the Swedish Chief of Police, which the courts determined was public information (although they were allowed to mask some information).

                                    • aldanor 10 days ago
                                    • benbristow 9 days ago
                                      Tbf in Norway everyone would be skint after a few beers regardless of their salary so you're all pretty even (jk, ofc.)
                                  • dinobones 10 days ago
                                    Not very refreshing, considering the 100 total visitors this site will ever receive are likely highly paid folks in the software and technology industry, but it’s a nice gesture at least.
                                  • An0n1m1ty 10 days ago
                                    This site is subject to severe XSS via the post mechanism. Just entering <script>alert(1)</script> works. So be careful when going to links. See https://hacker.thoughts.page for a demo
                                    • wesleyac 10 days ago
                                      Hey! I'm the person who made this — I don't believe there's an actual problem here, since login cookies are set on the top-level domain (and thus are inaccessible to content on subdomains), and are HTTPOnly as well.

                                      I do notice that Stripe sets a tracking cookie (which only happens for people who pay for the service, since I don't load the Stripe JS elsewhere), so you could track pageviews with that or something. That's unfortunate — I'll probably try to move the stripe stuff to a subdomain to avoid it — but I don't see it as a big problem.

                                      The HTTP security model is pretty awful, so there may be something I'm missing, but I did think quite carefully about this, and allowing people to use arbitrary HTML and JS was an intentional choice.

                                      Is there a particular threat model you see here?
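To make the cookie-scoping argument in the comment above concrete, here is an added example (not thoughts.page's own code) that models the RFC 6265 host-only and Domain rules and reports which cookies a page on a user subdomain would receive or could read. The hostnames are the ones discussed in the thread; the cookie names and values are constructed.

```python
"""Cookie scoping between thoughts.page and its user subdomains.

Added example, not the site's code: it models the RFC 6265 rules for the
Domain attribute and the host-only flag, so you can see which cookies a page
served from a user subdomain would receive or could read. The hostnames are
the ones discussed in the thread; cookie names and values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    domain: str       # canonical domain the cookie is scoped to
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    http_only: bool   # not exposed to document.cookie
    secure: bool      # only sent over HTTPS


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Scope a Set-Cookie header the way a browser does (RFC 6265 section 5.3).

    No Domain attribute -> host-only cookie bound to the exact request host.
    Domain attribute    -> applies to that domain and all its subdomains, but
                           only if the request host domain-matches it.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    domain_attr = attrs.get("domain")
    if not domain_attr:
        return Cookie(name, request_host.lower(), True, http_only, secure)
    domain = domain_attr.lstrip(".").lower()   # a leading dot is ignored
    if not domain_matches(request_host, domain):
        raise ValueError(f"{request_host} cannot set a cookie for {domain}")
    return Cookie(name, domain, False, http_only, secure)


def cookies_sent_to(jar: List[Cookie], host: str, https: bool = True) -> List[Cookie]:
    """Cookies the browser would attach to a request for `host`."""
    sent = []
    for c in jar:
        if c.secure and not https:
            continue
        in_scope = host.lower() == c.domain if c.host_only else domain_matches(host, c.domain)
        if in_scope:
            sent.append(c)
    return sent


def names_sent_to(jar: List[Cookie], host: str) -> List[str]:
    return [c.name for c in cookies_sent_to(jar, host)]


def names_readable_by_script(jar: List[Cookie], host: str) -> List[str]:
    """What a <script> on `host` sees in document.cookie: in-scope and not HttpOnly."""
    return [c.name for c in cookies_sent_to(jar, host) if not c.http_only]


# Constructed Set-Cookie headers as sent by thoughts.page itself, modelling the
# thread: a host-only HttpOnly login cookie, and a payment-provider cookie set
# with Domain=.thoughts.page (which therefore reaches every user subdomain).
PARENT_HEADERS = [
    "session=constructed-login-token; Path=/; Secure; HttpOnly",
    "payment_id=constructed-tracking-value; Domain=.thoughts.page; Path=/; Secure",
]


def parent_jar() -> List[Cookie]:
    return [parse_set_cookie(h, "thoughts.page") for h in PARENT_HEADERS]


def subdomain_can_set_parent_cookie(sub_host: str, cookie_name: str) -> bool:
    """Caveat: RFC 6265 lets a subdomain set Domain=thoughts.page cookies that
    thoughts.page then receives. A site hosting user content on subdomains should
    therefore never trust a cookie it did not issue; the __Host- prefix (Secure,
    Path=/, no Domain) stops a subdomain from shadowing the login cookie this way."""
    try:
        c = parse_set_cookie(f"{cookie_name}=x; Domain=thoughts.page; Secure", sub_host)
    except ValueError:
        return False
    return not c.host_only and domain_matches("thoughts.page", c.domain)


if __name__ == "__main__":
    jar = parent_jar()
    for host in ("thoughts.page", "hacker.thoughts.page"):
        print(host, "receives", names_sent_to(jar, host),
              "| script can read", names_readable_by_script(jar, host))
    print("subdomain can plant a parent-scoped cookie:",
          subdomain_can_set_parent_cookie("hacker.thoughts.page", "session"))
```

Run as-is it shows the login cookie staying on thoughts.page while the Domain-scoped payment cookie is visible to scripts on every subdomain, which is the tracking concern raised in the comment.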

                                      • y4mi 10 days ago
                                        Just a heads up, a sister comment already pointed out the biggest "danger", but not what that means for your webapp:

                                        Google will penalize your domain strongly as soon as anyone uses your service for malicious content. You might even get blocked entirely if you are particularly unlucky.

                                        That's also the reason why GitHub pages is hosted under github.io instead of GitHub.com for example.

                                        • dharmab 10 days ago
                                          Safe Browsing is a must-consider for anyone hosting user-submitted content.
                                        • psychometry 10 days ago
                                          >allowing people to use arbitrary HTML and JS was an intentional choice

                                          Oh, you'll be reversing this choice VERY quickly if your product gets any traction, I assure you...

                                          • monkeynotes 10 days ago
                                            I don't actually see a problem. It goes against my gut reaction but given the pages that are published are entirely isolated there is no more of a threat than someone publishing whatever they want on another web host. There is no user information to hijack, no cookies, no login buttons, no local storage, no auth etc.

                                            Yes, the pages can publish illegal information, be set up as phishing hubs, but none of that is as a result of JS being executable. Web hosts all have exactly the same risks to deal with, their users can also host anything they wish.

                                            The owner's challenge is with the content they are opening up to hosting, and it will become an overhead to police that. If they decide to add buttons like "report content" then those will be able to be hijacked by the publisher and become useless.

                                            • dharmab 10 days ago
                                              Google will flag the entire domain in Safe Browsing. Unless you are a big company with a legal team, getting off the Safe Browsing flag list is a days or weeks long nightmare.
                                              • psychometry 9 days ago
                                                How are they isolated if you can inject JS that downloads resources from anywhere else? I mean, just to start:

                                                - You have no CSP header that I can see.

                                                - You do expose the server version in the headers, though.

                                                - The site is available at a non-SSL-secured domain.

                                                - There's no X-Frame-Options, X-Permitted-Cross-Domain-Policies, etc.

                                                • monkeynotes 9 days ago
                                                  My point is, the service simply hosts HTML, ostensibly this is the same as any consumer web host. So whatever attack vector you can think of exists on Dreamhost or Godaddy pages, for instance.
                                                  • psychometry 9 days ago
                                                    I understand, but you can't have it both ways: You can either build a minimal Twitter clone that limits user-submitted content and not worry too much about security/abuse, or you can build a web host. The latter entails a comparatively enormous amount of responsibility you don't seem keen to take on.
                                                    • dharmab 9 days ago
                                                      I have worked for companies that offered commercial web host services and it is a massive security undertaking. I'm still not 100% convinced it's possible to offer a profitable, truly secure web host without compromising on feature set.
                                              • edoceo 10 days ago
                                                You become a pastebin of malicious JS.
                                                • junon 10 days ago
                                                  https://nsfw-attack-demo.thoughts.page/

                                                  (not actually NSFW, just there to serve a point)

                                              • TicklishTiger 10 days ago
                                                This is not called XSS.

                                                This is just user generated html on subdomains.

                                                Github does the same on github.io. Everybody can make a theirname.github.io page and alert whatever they like too.

                                                So does Gitlab on yourname.gitlab.io, Wordpress on yourname.wordpress.com etc. It is a common practice.

                                                • y4mi 10 days ago
                                                  Agreed.

                                                  That's only an issue if this is possible for comments. The current behavior is working as intended I'd say.

                                                • _wldu 10 days ago
                                                  Tools such as Zap and Burp Suite are great for web devs who want to learn how to build secure websites. I highly recommend them:

                                                  https://owasp.org/www-project-zap/

                                                  https://portswigger.net/burp

                                                • napolux 10 days ago
                                                  Plus there's no "nofollow" on links, doors opened for spammers!
                                                  • trinovantes 10 days ago
                                                    What's the output for alert(document.domain)?

                                                    https://liveoverflow.com/do-not-use-alert-1-in-xss/

                                                    • An0n1m1ty 9 days ago
                                                      The output is hacker.thoughts.page
                                                    • xenocratus 10 days ago
                                                      Have you reported this to the creator? Their email is in a couple of places.
                                                      • An0n1m1ty 9 days ago
                                                      Yes, I have. And as they have noted in one of the comments above, they are currently looking for ways in which this could cause a threat.
                                                      • icy 10 days ago
                                                        Oh boy. Didn't think I'd see something like this in $CURRENT_YEAR.
                                                        • nisegami 10 days ago
                                                          I didn't either until I started my current job back in April and found them in a frenzy trying to firstly figure out what XSS is and secondly trying to patch all their systems before the end of the month. Fun times.
                                                      • shantnutiwari 10 days ago
                                                        oh boy! well done for spotting that
                                                    • jmnicolas 10 days ago
                                                    It reminds me of a spark file: https://lifehacker.com/defrag-your-brain-with-a-spark-file-5...

                                                    As usual, I wouldn't put something so private on someone else's computer. I don't even put my supermarket list on the cloud!

                                                      • 0xbkt 10 days ago
                                                        Did anyone else notice the reflow hack(?) using JS on the H1 title as well? As a backend guy, just curious whether this JS-assisted way of responsive Web development is commonplace/best practice, and if this is how it is usually done today.

                                                        I guess it is to keep the title and navbar buttons level on wide screens.

                                                        • jameal 9 days ago
                                                          There's probably a way to achieve something similar (though not exact) with just CSS. Their approach allows those buttons to jut right up against the title no matter how wide it is.

                                                          Personally I would have just hardcoded the breakpoint where that reflow happens and made sure that those buttons can never overlap the main content area. My preference is to avoid relying on JS for layout, whenever possible, for the sake of simplicity.

                                                        • renke1 10 days ago
                                                          Slightly off-topic, but I've noticed that the ToS is based on http://wordpress.com/tos which is licensed under CC. I wonder if it's safe to use and anyone else uses it with "success".
                                                          • scrollaway 10 days ago
                                                            I used it at a previous startup which got up to 1MM ARR. It’s pretty great that it exists.
                                                          • qwerty456127 10 days ago
                                                            I wish there were kind of a Twitter where people would just post their thoughts (even those controversial), there would be no marketing of any kind, no personality and no flame wars. And all the posts would be organized by subjects.
                                                            • rovr138 10 days ago
                                                              A blog?
                                                              • qwerty456127 10 days ago
                                                                A microblog. But without strict length limits. Also without post titles. Without comments, responses and mentions. Without personal branding. Easy to discover together with many others. Easy to subscribe. Quick to read. Controversial thoughts allowed but guarded both against attacks by those who disagree/dislike and against abuse by bots/propaganda/marketing. Monetization/promotion not allowed.
                                                                • jimkleiber 9 days ago
                                                                  Sounds like how blogs used to be (and even how Twitter and others were, too).

                                                                  I wonder if the lack of interaction will just make people try to build workarounds to interact in other ways. For example, AFAIK, early Twitter had people use RT and other techniques to spread and/or reply to tweets even though the platform didn't have those functions itself.

                                                                  How do you imagine this platform would deal with that desire to interact more with each other?

                                                                  • mxuribe 10 days ago
                                                                  I think that can be accomplished with wordpress (or a similar blogging platform)...I suppose it would simply take tweaking the template/site settings to not expose features like comments, post titles, etc. Maybe wordpress might be overkill, but I think what you desire is achievable with an existing blogging platform out there.
                                                                    • qwerty456127 10 days ago
                                                                      But it would still be hard to discover.

                                                                      As a reader I imagine going to a specific website, choosing a topic and immediately seeing a stream of genuine thoughts of many different people on it.

                                                                      As a writer I would rather go to GitHub pages with a tweaked theme. WordPress is a huge overkill with a huge pile of problems.

                                                                      • mxuribe 9 days ago
                                                                        > ...As a reader I imagine going to a specific website, choosing a topic and immediately seeing a stream of genuine thoughts of many different people on it....

                                                                        I see your point. I made an assumption that the separate websites would in fact be separate, and not living under a singular umbrella of discoverable content. What you described is still achievable - either via walled gardens (where content is centralized and more easily discoverable), or through looser connections such as web rings, and even search engines. Also acknowledged that wordpress is total overkill...it was just an example that the tech exists to achieve what is desired. ;-)

                                                              • CorruptedArc 9 days ago
                                                                Here's mine if anyone's interested in seeing how it looks before making one:

                                                                elias.thoughts.page

                                                                Look or don't. It is your free will.

                                                                • jiggunjer 10 days ago
                                                              Is it just me, or is tweeting into the void kinda sad?
                                                                  • bdibs 10 days ago
                                                                    It’s certainly healthier I’d bet.
                                                                    • zohch 10 days ago
                                                                      I dunno, would need data on that. I would think tweeting into the void is more symptomatic.
                                                                    • throwdecro 10 days ago
                                                                      > ...is tweeting into the void kinda sad?

                                                                      No, I think it's brilliant. I think we'd see more interesting writing on the internet if it didn't always start with the goal of acquiring and maintaining an audience.

                                                                      • monkeynotes 10 days ago
                                                                        Really? I don't know many authors who are motivated to write interesting content and then hide it / have zero idea if anyone is reading it.
                                                                        • throwdecro 10 days ago
                                                                          It's not hidden. It's just not connected to an internet-style social network. Interest can still spread through word-of-mouth, even if the platform doesn't provide any tools for audience measurement and management. It's akin to a 'zine from the pre-internet days, except it doesn't cost as much money to distribute.

                                                                          EDIT: A 'zine isn't a perfect analogy, since someone who published it would know how many they printed. A freely copyable newsletter would probably be a stronger analog.

                                                                      • BelenusMordred 10 days ago
                                                                        How do new accounts start on twitter then?
                                                                        • ivanhoe 10 days ago
                                                                      True, and it also feels to me kinda egocentric to genuinely not care about any feedback or interaction with the reader, but I know a lot of people like that, so it probably is just us...
                                                                          • keb_ 10 days ago
                                                                            Tweeting is just (micro)blogging. Does every blog without a comments section seem sad to you? That's silly.
                                                                            • numpad0 10 days ago
                                                                          As long as it's public, someone is going to link it and the community explains how it actually happened and what a complete moron you are, so you've got it covered.

                                                                              If you’re doing sudo cat | sed -e s/¥n/¥n#¥ / >> /etc/resolv.conf, that’s sad indeed

                                                                              • kilroy123 10 days ago
                                                                                I feel the same.
                                                                                • databased 10 days ago
                                                                                  To me this is similar to journaling.
                                                                                • ramino 10 days ago
                                                                                  > i can appreciate the self loathing of someone who says they work on "merkle trees" instead of blockchain tbh

                                                                                  > like, yeah bro we all get what you're saying but i'm glad you at least realize you should be ashamed of it [1]

                                                                                  Thank god thoughts like these can finally be shared in a better way… cute project but by someone who apparently doesn’t appreciate what other people work on.

                                                                                  [1]: https://wesleyac.thoughts.page/#1631439916

                                                                                • benatkin 10 days ago
                                                                                  This one looks pretty good. I like that they let pages outside of thoughts.page into the webring.

                                                                                  Another nice minimalist one is https://micro.blog/ It has mentions, but "strong community guidelines that are enforced" (from the homepage).

                                                                                  • pigeons 9 days ago
                                                                                    I also like .plan files and finger
                                                                                    • tegiddrone 10 days ago
                                                                                      nice! I've wanted to establish something similar but also the ability to tag thoughts. I have thick binder-clips of post-it notes with a similar function but how do I explore them later beyond timestamp order? Also: voice notes with a similar issue.
                                                                                      • NKosmatos 10 days ago
                                                                                        Nice idea, clean and fast (minimal) page, good overall execution, excellent pricing model (hope it covers their running costs) but I see a small problem with moderation and people abusing this service to post inappropriate material.
                                                                                        • laurent123456 10 days ago
                                                                                          What's the purpose of not capitalising the first letter of each sentence? They really commit to it since even the tos and privacy pages are written like this. In case it's not obvious, it's less readable that way.
                                                                                          • INTPenis 10 days ago
                                                                                            Probably to give the impression of hastily scribbled down thoughts and ideas.
                                                                                          • hwers 10 days ago
                                                                                            A platform where I self-censor my real thoughts for some signaling purpose, neat.
                                                                                            • ancienthope 9 days ago
                                                                                              How would this be different than a Twitter account with replies disabled?
                                                                                              • lol1lol 10 days ago
                                                                                                sorry to crash here, but I've made a version of it before. If people want to try it and give some feedback: https://logfile.app
                                                                                                • cubeanie 10 days ago
                                                                                                  Doesn't scale properly on mobile (android, chrome), don't know if that's super important though.
                                                                                                  • lol1lol 10 days ago
                                                                                                    Thanks for bringing it up. Will update soon. Is it the editor?
                                                                                                • Chris2048 9 days ago
                                                                                                  • gruellan 10 days ago
                                                                                                    I LOVE THIS! I'm going to use it so much
                                                                                                    • testkitchen 9 days ago
                                                                                                      Why not just write thoughts on notion?
                                                                                                      • swyx 9 days ago
                                                                                                        has this page been hugged to death? cant access it right now.
                                                                                                        • mderazon 9 days ago
                                                                                                          Very nice idea

                                                                                                          RSS support?

                                                                                                          • _hao 10 days ago
                                                                                                            Meh, GitHub pages is free
                                                                                                            • memorable 10 days ago
                                                                                              True, but GitHub Pages requires more time to set up your website: create a new GitHub account (if you don't have one already), create a repo for your website, create your website, push that website to your repo, and even then you still have to set up your website for blogging, which is going to take you from a few minutes to a few days depending on what you use to create the website and how lazy you are.