The creator of this (Chee Aun) is quite prolific and creative with their work (https://cheeaun.com/projects/).

They created https://cheeaun.life, a timeline of their life, more than 10 years ago (which looks to be kept up to date), which was my inspiration for markwhen (https://markwhen.com).

His transport maps, like https://busrouter.sg, were a great inspiration for me.

Hello all, creator here. Some of you might know me as creator of HackerWeb.

Happy to answer questions and hear feedback.

Thanks for your work, it's very inspiring to see what one person can achieve on their own, compared to inefficient whole teams that cost 2 million euros to a public agency for a basic transport map.

Something I really like about Mastodon in general is that every instance by default serves open CORS headers:

    access-control-allow-origin: *
    access-control-allow-methods: POST, PUT, DELETE, GET, PATCH, OPTIONS
    access-control-expose-headers: Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id
    access-control-max-age: 7200

This has lead to a delightful variety of custom clients like https://phanpy.social/ - https://elk.zone/ is another example that I really like.

It's the complete opposite of the Twitter API situation, where they locked their API down and killed the entire ecosystem of third-party clients.

It's an interesting feature, but remember that CORS exists for a reason; this can also lead to a delightful variety of custom CSRF attacks etc. ;)

Can it though?

I've been trying to figure out some security problems that are a result of this CORS policy - as I'm considering it for my own application - and I can't figure out how an attack could actually work.

The API I'm working with uses Authorization: Bearer tokens, and only allows incoming requests with a valid API token.

There's more details on what makes it special on its GitHub: https://github.com/cheeaun/phanpy?tab=readme-ov-file#design-...

And relevant recent discussion: https://news.ycombinator.com/item?id=40009148

It's pretty good - mostly become my daily driver for my Akkoma instance (and occasional use of GotoSocial accounts.) Doesn't understand posting the Markdown content type which means I have to keep Mangane around for now. Occasionally loses connection to the backend but I'm putting that down to Apple Private Relay shenanigans (which causes other weirdness for me and Safari.)

Phanpy, eh? I like the clean design. Feed, and nothing else.

Narrator: "Meanwhile, in Japan..."

red laser lights up in Nintendo IP lawyer's eye

…and I maintain a whole list of them :D https://cheeaun.github.io/repokemon/

One of my favorite Pokemon! Awesome logo, too.

I'm sold.

Minimal graphically, perhaps; the homepage alone downloaded and executed 96 separate JavaScript files.

It does look pretty though.

Those files are ES modules served (at least to my Firefox) over HTTP/3 with unique filenames and a max-age=604800 cache header, so I don't think that's any less efficient than if they were served as a single bundle.

This means that if any of those individual files are updated in the future just that file will need to be re-fetched, with all of the others staying served from cache. A single bundle would need to be fetched in its entirety on any change.

Informative, thanks!

That makes no sense at all. Having written a Python client, I can confidently state it's completely wrong.

Yes, this is the type of blinders on thinking that activitypub users sometimes have. Take them off and look at a real minimalistic protocol like webmention https://www.w3.org/TR/webmention/ https://indieweb.org/Webmention . It is possible to send and receive without any complex application at all.

Also, it's weird that you say I'm "completely wrong" given the uncontroversial single claim I made about the cryptographic signing being what makes it complex. Since you wrote a client you have to know this is true even if you disagree with the 'complex' bit. Unless you just used a module that did it for you? https://imgs.xkcd.com/comics/python.png

I use Phanpy. It is well designed.

Is it ActivityPub protocol and can this be used for Threads?

No, it uses Mastodon's API. Can't log in with Threads, but you can follow some Threads account from Mastodon; "Known Limitations" section here https://www.augment.ink/threads-on-mastodon/

I had tried several mastodon clients, and eventually landed on Phanpy. It works really great, even as a webapp on iOS.

Thought it would be written in python with the name, but it's purely JavaScript.

Phanpy is an elephant Pokémon,

it doesn't show instance names (or usernames if they match the friendly name), it doesn't show threads out of order, it collapses hashtags and makes them less dark, it hides all the interaction buttons unless you click through to the post itself...

This is all pretty minimal, and it's opinionated because it both doesn't look or feel like "social" media, it looks more like an RSS feed or something; and it goes against the design decisions of federation (that full instance names should be displayed, for instance).

Everything that is hidden when large numbers of posts are displayed appears when a single post is focused on. Raw Mastodon will show a hundred different notifications for the same post. Phanpy groups them. If this goes against "the original design decisions of federation" then those decisions are broken. Less clutter and a more compact feed improves usability.

Some, but not just Discord. It's a mix of all the good parts from many apps.