1. 78
    1. 23

      I switched two projects of mine to sourcehut pages (from github pages) not too long ago:

      The second required I update something about the content security policy so I could use an iframe in some cursed way. It was really pleasant to just suggest the change, then add it myself. Contributing to sourcehut can be difficult the first time if you haven’t used an email/patch based flow, but otherwise, it works well for me so far!

      1. 3

        I’ve had a patch or two accepted too with very little issue. It’s really nice when your tools/platform are open to contributions and allow you to read the source to suggest fixes.

        1. 2

          That’s a large part of why I abandoned .NET development altogether for Ruby on Rails back in ~ 2012.

      2. 2

        I love how these sites look!

    2. 14

      Connections from CloudFlare’s reverse proxy are dropped. Do not help one private company expand its control over all internet traffic.

      This is my favorite line of their docs and good on someone for doing it.

      One feature I would really love to see though is adding HTTP headers not in the HTML document (like how Netlify does it) as there are certain things you can’t add the document like X-Frame-Options I think, it can simplify your build phase having features to build in, files are smaller, and you can get a head start on preload/prefetch/preconnect links because the document doesn’t have to first be finished downloading and have its <head> parsed.

      1. 3

        This is my favorite line of their docs and good on someone for doing it.

        I haven’t heard this before. Why is Cloudflare’s reverse proxy bad?

        1. 24

          Cloudflare users are getting man-in-the-middle by cloudflare, for technical reasons.¹ Because they already have ~25% of the internet traffic as customers,² they’re in a unique position to do cross-site tracking without any cookie, or complex fingerprinting techniques. Of course, being able to do something does not mean that they are doing it. But history has proven that when companies and governments are able to do something, they do it.

          Cloudflare also contribute to the reduction of privacy. They maintain a list of IPs of Tor exit nodes. They force Tor users to solve a captcha for every page, or allow users to block the country “Tor” directly.

          ¹. Cloudflare will install captchas on your website during a DDoS, to limit access to legitimate users and weed out bots.
          ². This is my guess-timate

        2. 8

          Cloudflare runs a large part of the internet to “protect” sites from DDoS attacks – but they also host the very same DDoS webshop sites, where you can ruin someone’s business for the price of a cup of coffee. There has been thousands of articles about this.

        3. 5

          Adding, Cloudflare has gone down and we saw a massive chunk of the net just fail because of a single point of failure. There’s also a ton of hCAPTCHA sudokus to solve for Cloudflare for free for the privilege to see the site behind it if you’re using Tor, a VPN service, or just live in a non-Western country. Then, as a result they suggest you use their DNS and browser extension to ‘help’ with the situation to further collect even more data on users.

    3. 7

      FYI, they strip out Google Analytics, which feels a little weird.

      1. 46

        They actually just block all third party content from loading by telling the browser to not load it via content security policy. They do not modify what you upload to the site (afaik).

      2. 33

        It’s the only ethical choice for hosting providers.

      3. 11

        This is also mentioned in the documentation. I guess the target audience are not really using analytics.

    4. 7

      Neat service, but I imagine that the ratio of sourcehut users who don’t already have their own web hosting is a lot lower than it is for github.

      1. 7

        That doesn’t mean it’s useless or that no one is using it…

        I have a few projects on sr.ht but also use sourcehut pages for hosting some things even though I’m totally capable of self-hosting. It’s just really convenient and can be automated nicely with builds.sr.ht.

        1. 2

          As an analogy, you’d say not many will use github pages as well, yet they do. It’s nice to have a site next to a project.

      2. 6

        True but IMO irrelevant - you don’t cater exclusively to the userbase you already have, you cater to the userbase you want to have. Otherwise you can’t grow except, essentially, by accident.

        1. 2

          Yeah, I’m not saying it as a criticism, just an observation.

      3. 4

        I’m a paying sorcehut user. I have a small handful of projects that are still on gitlab because sourcehut lacked this feature. I suppose I’ll set about seeing if those can move to sorcehut in the near future.

        I do also have my own web hosting. But this kind of (push a commit just updates the site) behavior would add enough admin overhead for me that I currently leave it on gitlab for those few projects. I’d rather have those on sourcehut.

      4. 1

        Eh, it’s always convenient to host project pages close to the repo. I use Netlify for my personal site, but various little project pages get on Codeberg Pages.

    5. 4

      I use sourcehut pages for all my projects (also my personal blog). Nothing but great things to say about it.

    6. 1

      Kinda curious the pages aren’t served from Git?

      1. 2

        You can upload the pages from anywhere with either a HTTP request or the hut CLI program. If you want it to be automatically uploaded from your Git repository, you “just” add a build task for it.

    7. 1

      Interesting choice to implement a CSP this way.

      Can someone ELI5 what this means:

      It also disallows forcing links to open in new tabs (target=”_blank”), as this is equivalent to opening a pop-up in the browser security model.

      On my site all external links are target=”_blank”

      1. 22


        Do you think you know better than the user what their browsing flow is?

        We’re far enough in the internet history that all users are familiar with how to open a link in a new tab if they want to. Forcing your choice on everyone in order to farm their attention is just a dark pattern in my opinion.

        1. 19

          We’re far enough in the internet history that all users are familiar with how to open a link in a new tab if they want to.

          Hard disagree with this, I have to deal with users who don’t know what a tab is. Hell I have users who drag links onto their desktop, then drag them back into an email to ‘send’ the link to someone. It generally attaches an html or .desktop file.

          BUT I do agree with you more broadly and I think I’ll disable this behaviour.

        2. 3

          I wish I could enable a browser setting that would automatically cause all external links to open in a new tab, but there’s no such setting. So I’m glad if a site has this as a feature.

          1. 2

            I had the same thought, I am generally not ‘done’ with the original site when I click an external link, but actually I do agree with /u/mariusor that straying from default behaviour maybe isn’t the best way to deal with this.

            I did manage to get something like what you describe using Firefox multi-account containers and temporary containers.

          2. 1

            Have you looked for a browser addon that can help with that? Firefox has one, I bet you can find one for Chrome based browsers also.

          3. 1

            Get a 3-button mouse!

            1. 1

              How do I connect it to my phone?

              1. 1


                1. 1

                  I meant that I don’t have this problem while browsing on my computer (since I can use the middle mouse button), but on my phone, where it requires a long click and tap.

                  1. 1

                    ah yeah. as is usually the case with phone software, I think you’re SOL.

      2. 8

        Check out When to use `target=“blank” because it sounds like you’re unintentionally doing it wrong. The only reason you’d want to do this is you have the type of web application (not web page) that involves users editing content they won’t be able to undo or user-initiated media playback that they probably didn’t intend to stop (definitely doesn’t include ads). Optionally, it could be an opt-in user setting depending.

        1. 6

          Thanks for that, it makes perfect sense and tbh I hadn’t given it much thought. I did it because I like it that way.

          Your answer needs more aggression and snark though, this is way too friendly

          1. 1

            I have a bad habit of it. I’m trying to do that just a little bit less than I usually do. But it’s better for orange site points though.

            METRICS, BABY or similar line rang so true from my stint in an ad agency where I remember trying to argue this article before knowing about this article without having it put together a bit more. I don’t think my managers liked how often I’d push back for users over metrics though.

    8. 1

      Given that sr.ht is a paid service, what happens if you stop paying the subscription? Do the website and content go offline?

      1. 10

        Probably, why wouldn’t it go offline? If you want free hosting then you’d use a free hosted service.

      2. 2

        The good thing is that it doesn’t matter much if you run it on your own domain

    9. -1

      Why would I pay money for this?

      1. 12

        You’d probably primarily pay for the git and build service, not the pages one specifically

      2. 10

        You wouldn’t?

        You pay for the git hosting, and you get this included for free.

      3. 1

        to not be sold otherwise.