Daily Shaarli

All links of one day in a single page.

June 26, 2026

Context-aware headings in HTML - Manuel Matuzovic

headingoffset is a new HTML attribute that increases the level of the headings that follow it. Browser support is definitely not there yet: https://caniuse.com/?search=headingoffset

How can I style an H3 when there's no H3 tag?
With the selector :heading(3).
But be aware of the browser support: nonexistent (https://caniuse.com/mdn-css_selectors_heading)

Billy · Invoice Manager

Privacy, Control, Longevity, Built for Mac, Fun. See details https://usebilly.app/en/features

Plans are 3€ per month, 25€ yearly or 80€ lifetime.

I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID. | bobdahacker

Hard to believe it's real: specific URLs, reached with a NO_ROLE assignment, gave access to the dashboard of the FIFA World Cup 2026.

The whole thing boils down to one architectural mistake: client-side authorization with no server-side enforcement.

FIFA's internal applications use Microsoft Entra for authentication and role-based access control. The Angular/React/Vue frontends check the JWT token for role claims and render access-denied pages accordingly. But the backend APIs trust any authenticated tenant member and serve data regardless of roles.

Rules to follow:

  • Get a security.txt file. Seriously. It's 2026.
  • Publish a VDP (Vulnerability Disclosure Policy). You're running the biggest sporting event on earth.
  • Client-side authorization is not authorization. Every intern learns this.
  • When a researcher has to call CISA and the FBI to reach you, something is wrong.
  • Start a bug bounty program. Researchers shouldn't have to call the FBI to do you a favor.

All you need is PostgreSQL

In this post, I’ll walk through a set of common misconceptions that drive teams to introduce new infrastructure when they don’t need to. All of these can be solved with vanilla PostgreSQL 18 using standard extensions available on RDS, with no special infrastructure and no distributed-systems cosplay.

mindfuldesign.xyz/

Mindful Design is the responsible designer’s survival guide. Learn resilient and responsible design practices and own your early stage design — from idea to shipped and beyond.

It's a book and video course, but there is also a toolkit: https://mindfuldesign.xyz/toolkit/intro/

lowercase.name

A Social Filesystem — overreacted

First, files are awesome, because the file format is the API for understanding the content.

You may create a file in one app, but someone else can read it using another app.

After this introduction comes the theory: an "everything folder" for social media, a folder holding everything you've created across different social apps. In that world, a “Tumblr post” or an “Instagram follow” is a social file format.

Bluesky, Leaflet, Tangled, Semble, and Wisp are some of the new open social apps built this way.

The author then details a typical social media post in JSON format, and how to store such posts as files. Domain names can be used to separate the file formats of each social app.

Then how to store a like, using identity files (and the DID standard).

An example of such architecture is available at https://pdsls.dev/at://did:plc:fpruhuo22xkm5o7ttr2ktxdo

The apps then react to the changes made in the social filesystem.