A personal post from Andy

by

blog.andytriboletti.com/2025/01/13/coincidences-2/

I assert the gov is spying on me under a branch of the Secret Service. Trump goes along with almost anything SS suggests. Why wouldn’t they just hire me instead of hacking my Pixel 6 phone with Pegasus? These days, just monitoring, I think. I think because I inadvertently predict the future, with the post linked being some PG-rated examples.

Hey Facebook, Mark Zuckerberg, thanks for suing the NSO group for hacking!

How do I get an acknowledgement that my phone was hacked, Pixel 6, and other phones I tried during that time, 2020-2022? And a list of the hacked texts sent.

Please, Please, Please. I want it so bad. They were horrific and threatening texts sent from my phone, which I didn’t write or send.

https://www.washingtonpost.com/technology/2025/05/06/nso-pegasus-whatsapp-damages/

I got $250 from a Google settlement. I wish there was a settlement for people who’ve had Pegasus trojan send texts that weren’t written by me, sent cashapp to a person not authorized by me, and even more annoying stuff. Like interrupting a call to my mom with audio she only heard. Weird death threat involving Thursdays from a voicemail transcription with the voice not saying the death stuff. Sending a bumble message not by me to a bizz connection. Rewriting text sms history. Sending tweets not in my name. Offensive and terrible Facebook posts not written by me. Once on a friend’s page. Rewriting at least 1 instagram comment on someone else’s page. Android keyboard grammar checker messing with posts as I wrote them, perfectly spelled words replaced. While I was sleeping sometimes with this stuff. My Mom will vouch she got a disturbing text while I was asleep. With my Pixel 6 a few years ago. Since Pixel 7 and on, no issues.

I heard Pegasus costs 500K per user!

Do you think people employed by the government/secret service are forced to go to mental institutions to evaluate/pick on people? I assert they do. Can we do anything about it?

Reviewing a code review from CodeRabbit consolidated into a single text file using CodeFrog.app

by

I am reviewing my project’s code warning errors coming from CodeRabbit GitHub review comments in CodeFrog, an app I developed to speed up development and improve software correctness with comprehensive security, accessibility, seo, and more types of testing. It helps to have a single text file containing all issues to quickly scan for problematic issues or incorrect/ambiguous comments that need manual intervention.

CodeFrog generates this file of PR comment AI summaries for you with a few clicks using the GitHub API, pulling from CodeRabbit’s comments on your code. After all complex issues are resolved you can import the simple ones into Cursor by copying and pasting the contents of the file into Cursor or Antigravity or whatever AI coder you use.

View more about CodeFrog, my upcoming developer tool at https://codefrog.app.

Secure Tools for the Web proposal

by

A business idea I had was to build a more secure Mailchimp:

https://blog.greenrobot.com/2025/11/26/mailchimps-security-issues-why-we-need-a-better-newsletter-solution/

What do you think? I thought it’d be cool to make a company around secure tools for the web. Next is a blog, WordPress alt that is secure by default and has an ‘A’ rating from CodeFrog.app mega report on accessibility, security, seo, URL preview, meta tags validation, html validation. My WordPress blog, by default, has a D rating. An opportunity to create something new that doesn’t have the WordPress baggage, because some of the items in the security test (security headers) that are failing are very hard to fix by installing additional plugins and stuff, and I still couldn’t get it to work. Also, accessibility and SEO, and loading times should be fixed by default by generating static files that are correct.

Interested in helping me build this or invest in this? Contact me at andy@greenrobot.com

Flutter macOS dev is fun. Making custom modules for native features that don’t already exist as open source components is the way to go.

by

Having a lot of fun with macos flutter development. I’ve created two modules so far for making macos specific stuff work. One for drag and drop and one for doing native menu state enabling and disabling stuff dependent on what window and screen is active, like sometimes save is greyed out if not viewing a file that can be saved. It ends up being a pretty complicated system and after awhile debugging I decided to make it into a library. Finally got it working. I think AI works better when appropriately using and creating modules instead of a 3k line appdelegate file. Once I get CodeFrog into the Apple store I plan to open source these modules I created so it takes less time for other devs who want to have mac native features in Flutter like drag and drop and dynamic menus.

Do you have a need for a Flutter macOS expert? I’m open to work!

Happy Thanksgiving from Maryland.

Mailchimp’s Security Issues: Why We Need a Better Newsletter Solution

by

A B Rating From CodeFrog

While building CodeFrog’s landing page, we integrated Mailchimp for newsletter signups. However, our security scans revealed a critical issue that prevents us from achieving an A rating: Mailchimp’s validation script violates Content Security Policy (CSP) requirements.

The Security Violation

Mailchimp’s mc-validate.js script injects inline styles dynamically, which requires the 'unsafe-inline' directive in our CSP style-src policy. This is a security anti-pattern because:

  1. CSP Bypass Risk: 'unsafe-inline' allows any inline styles, defeating the purpose of CSP protection against XSS attacks
  2. Nonce Incompatibility: Even when using CSP nonces for our own styles, Mailchimp’s dynamically injected styles can’t use nonces, forcing us to allow all inline styles
  3. Security Rating Impact: Security scanners (like our own Mega Report) flag this as a MEDIUM severity issue, preventing an A rating

The Error

When we removed 'unsafe-inline' to improve security, the browser console shows:

Applying inline style violates the following Content Security Policy directive: 
`style-src 'self' 'nonce-...'`. The action has been blocked.

This error originates from mc-validate.js:164, confirming that Mailchimp’s script requires unsafe inline styles to function.

Why This Matters

Content Security Policy is a critical security feature that helps prevent:

  • Cross-Site Scripting (XSS) attacks
  • Data injection attacks
  • Code injection vulnerabilities

By requiring 'unsafe-inline', Mailchimp forces us to weaken our security posture, which is unacceptable for a security-focused tool like CodeFrog.

What We Need

We’re looking for a newsletter service that:

Free tier (or very affordable) for up to 500 subscribers
CSP-compliant – doesn’t require 'unsafe-inline'
Secure by default – supports nonces or external stylesheets
Easy integration – simple embed or API
Reliable – good deliverability and uptime

Call for Recommendations

We’re reaching out to the developer community for recommendations. If you know of a newsletter service that:

  • Respects modern web security standards
  • Works with strict CSP policies
  • Offers a free tier for small lists
  • Provides good deliverability

Please share your suggestions! We’re particularly interested in:

  • Self-hosted solutions (if they’re easy to set up)
  • Modern alternatives that prioritize security
  • Services that use external stylesheets or support CSP nonces
  • Any workarounds for making Mailchimp CSP-compliant (if they exist)

The Solution: CSP Hash Instead of Unsafe-Inline

Good news! We found a solution that doesn’t require 'unsafe-inline'. When we removed 'unsafe-inline' from our CSP, the browser console error message actually provided the answer:

Applying inline style violates the following Content Security Policy directive: 
'style-src 'self' 'nonce-...''. Either the 'unsafe-inline' keyword, a hash 
('sha256-iIHQ0a6ntSSQhfMwBwjvXvp+zrKJldURld+iiblnEKo='), or a nonce 
('nonce-...') is required to enable inline execution.

The browser helpfully suggested using a hash for the specific inline style instead of allowing all inline styles. This is a much better security approach!

What We Changed

Instead of using 'unsafe-inline' in our CSP style-src directive, we now use:

style-src 'self' 'nonce-{style_nonce}' 'sha256-iIHQ0a6ntSSQhfMwBwjvXvp+zrKJldURld+iiblnEKo='

This hash is specific to the inline style that Mailchimp’s mc-validate.js script injects. By using the hash, we:

Allow only that specific style – not arbitrary inline styles
Maintain strict CSP – no 'unsafe-inline' directive
Pass security scans – scanners don’t flag specific hashes
Keep Mailchimp working – the validation script functions correctly

Why This Is Better

Using a hash is more secure than 'unsafe-inline' because:

  • It’s whitelist-based: Only the exact style with that hash is allowed
  • It’s CSP-compliant: Security scanners accept hashes as a valid, secure approach
  • It’s maintainable: If Mailchimp changes their script, we’ll get a new error with a new hash to add

Remaining Issue

While we’ve solved the CSP style-src issue, there’s still one security concern:

⚠️ SRI (Subresource Integrity) Missing: Mailchimp’s script is loaded from their S3 bucket without an integrity attribute. This means we can’t verify the script hasn’t been tampered with. However, this is a known limitation because:

  • Mailchimp’s script is dynamically generated and changes frequently
  • Their S3 bucket doesn’t send CORS headers, which would be required for SRI
  • Adding crossorigin="anonymous" would break script loading due to CORS issues

This is a MEDIUM severity issue that prevents a perfect A+ rating, but it’s an acceptable trade-off given the constraints.

Conclusion

As a security-focused developer tool, CodeFrog needs to maintain the highest security standards. We’ve successfully resolved the CSP 'unsafe-inline' issue by using a hash-based approach, which is more secure and CSP-compliant.

The remaining SRI issue is a known limitation with third-party scripts that don’t support CORS, and we’ve documented it appropriately. We’re now much closer to that A security rating!

Update: We solved the CSP issue using a hash-based approach! The browser’s error message provided the exact hash we needed. Mailchimp now works with strict CSP without requiring 'unsafe-inline'.

Update by Editor: Reviewing this post I found it said it was maintainable to have a hash value that gets updated if MailChimp changes their scripts. This doesn’t seem very maintainable to me. I have to manually check for errors, or build an automated test that checks and then changes(?) the hash. I would still want to review it I think. I may take off the hash value and reduce the codefrog.app mega report rating since it seems dumb to have to keep it updated. Another option is to build an automated test that does it. Or wait for some ideas from someone else? Maybe there’s a way to use a REST api for Mailchimp which would be better. It would be nicer if it was just secure by default though.

Building Inclusive Web Applications: Accessibility Testing with CodeFrog and axe-core

by

Introduction

Accessibility is not a feature—it’s a fundamental requirement for modern web and mobile applications. Over 1 billion people worldwide live with disabilities, and many rely on assistive technologies to navigate digital products. Beyond the moral imperative, accessible applications reach broader audiences, improve SEO rankings, and help organizations comply with legal standards like WCAG 2.1 and the Americans with Disabilities Act (ADA).

However, accessibility testing remains challenging for many development teams. Manual testing is time-consuming and error-prone, while developers often lack the expertise to identify subtle accessibility violations. This is where automated testing tools become invaluable.

The Challenge: Common Accessibility Issues

Developers frequently encounter accessibility barriers that go unnoticed during standard testing:

  • Missing alt text on images, leaving screen reader users without context
  • Insufficient color contrast making content unreadable for users with low vision
  • Unlabeled form fields confusing users relying on screen readers
  • Broken heading hierarchy disrupting document structure and navigation
  • Missing ARIA attributes preventing assistive technologies from understanding dynamic content
  • Keyboard navigation failures excluding users who cannot use a mouse
  • Missing focus indicators making it impossible to track keyboard position

These issues compound, creating frustrating experiences for users with disabilities while exposing organizations to legal liability.

CodeFrog’s Solution: Automated Accessibility Testing

CodeFrog integrates axe-core, the industry-leading automated accessibility testing engine, directly into your development workflow. This powerful integration enables developers to catch accessibility violations early—during development, not after deployment.

With CodeFrog’s Web Testing feature, you can:

  1. Test multiple sources: Select a local HTML file, enter a URL (localhost, staging, or production), or test a remote server
  2. Test entire sites through sitemap testing: Provide a sitemap URL to automatically test all pages across your entire website, ensuring comprehensive accessibility coverage
  3. Run automated accessibility scans powered by axe-core
  4. View detailed violation reports with severity levels and remediation guidance
  5. Iterate quickly with instant feedback on accessibility improvements

Whether you’re testing a development server running on localhost:3000, a staging environment, a production URL, or an entire site via sitemap, CodeFrog brings accessibility testing directly into your workflow.

What axe-core Detects

axe-core performs comprehensive automated testing across multiple accessibility standards:

Image and Media

  • Missing or empty alt attributes on images
  • Unlabeled buttons and icons
  • Missing captions on video content

Color and Contrast

  • Text with insufficient contrast ratios (WCAG AA/AAA standards)
  • Color-only information without alternative indicators

Forms and Labels

  • Form inputs without associated labels
  • Missing or incorrect for attributes on labels
  • Unlabeled fieldsets and legend elements

Document Structure

  • Improper heading hierarchy (skipping levels like H1 → H3)
  • Missing page landmarks (main, navigation, contentinfo)
  • Duplicate IDs on page elements

ARIA and Semantics

  • Invalid ARIA roles and attributes
  • Missing required ARIA properties
  • Misused semantic HTML elements

Keyboard Navigation

  • Interactive elements not keyboard accessible
  • Missing focus indicators
  • Keyboard traps preventing escape

Benefits for Your Development Team

Shift-Left Testing: Catch accessibility issues before code review, reducing remediation costs and timeline pressure.

Developer Education: Detailed violation reports help your team understand why issues matter and how to fix them, building accessibility expertise across the organization.

Continuous Improvement: Integrate accessibility testing into your CI/CD pipeline to prevent regressions.

Compliance Confidence: Demonstrate accessibility commitment to stakeholders, customers, and regulators.

Inclusive Products: Build applications that work for everyone, expanding your user base and market reach.

Getting Started

CodeFrog makes accessibility testing accessible to developers of all experience levels. Whether you’re building a new feature or auditing an existing application, the Web Testing feature provides actionable insights to improve your digital products.

Start testing today and join the movement toward truly inclusive web development.

CodeFrog: Empowering developers to build accessible, inclusive applications.

Solving Drag-and-Drop in Flutter macOS: A Journey

by

The Problem

Implementing native drag-and-drop functionality in a Flutter macOS application that works seamlessly with scrolling and file selection proved to be one of the most challenging features we’ve built. The goal was simple: allow users to drag files into and out of CodeFrog, supporting both local and network (SSH) projects, while maintaining smooth scrolling and file selection.

Initial Attempt: super_drag_and_drop

We started with the super_drag_and_drop package, which provides cross-platform drag-and-drop support. While it worked for basic scenarios, we encountered several issues:

  1. Unreliable drag-out for remote files – Files on network/SSH connections needed to be downloaded before dragging, and the async nature of this operation caused frequent failures
  2. Gesture conflicts – The package’s gesture recognizers conflicted with Flutter’s built-in scrolling and selection mechanisms
  3. Limited control – We needed more fine-grained control over the drag-and-drop behavior, especially for handling remote file downloads

After many hours of debugging and attempting workarounds (pre-downloading files, using virtual files, adjusting gesture recognizers, etc.), we decided to build a custom solution using native macOS APIs.

The Custom Solution: flutter_macos_drag

We built a custom Flutter plugin (flutter_macos_drag) that uses native macOS NSDraggingSource and NSDraggingDestination protocols directly. This gave us complete control over the drag-and-drop behavior.

Key Components

  1. MacOSDraggable – A Flutter widget for dragging files out of the app
  2. MacOSDroppable – A Flutter widget for accepting file drops from Finder
  3. DraggableNSView – Native Swift view implementing NSDraggingSource and NSDraggingDestination

The Challenge: Scrolling vs Drag-and-Drop

The biggest challenge was making drag-and-drop work while preserving scrolling functionality. The native AppKitView needed to be in the widget hierarchy to receive drag events, but it was blocking pointer events needed for scrolling.

Failed Approaches:

  • Using IgnorePointer – Blocked drag events
  • Using AbsorbPointer – No effect
  • Using Listener with HitTestBehavior – Still blocked events
  • Reversing Stack order – Drag events didn’t reach the native view

The Solution: hitTest Override

The breakthrough came from understanding how macOS handles drag events vs pointer events:

  1. Drag events work at the NSView level and query all registered views directly, completely bypassing Flutter’s pointer system and hit testing
  2. Pointer events (scrolling, clicking) go through normal hit testing

By overriding hitTest in the native view to return nil for drop zones, we allow pointer events to pass through to Flutter widgets below, while drag events still work because they query registered views directly.

override func hitTest(_ point: NSPoint) -> NSView? {
    // For drop zones, return nil to let pointer events pass through to Flutter
    // Drag events don't use hitTest - they query all registered views directly
    if acceptDrops && filePath == nil {
        return nil
    }
    return super.hitTest(point)
}

Additionally, we made mouse event handlers return early for drop zones:

override func mouseDown(with event: NSEvent) {
    // For drop zones, don't handle mouse events - let them pass through for scrolling
    if acceptDrops && filePath == nil {
        return // Don't call super - allows events to pass through
    }
    // ... handle drag-out logic
}

Widget Structure

The final widget structure uses a Stack with the native view on top:

Stack(
  children: [
    // Native view on top - configured to not block pointer events
    Positioned.fill(
      child: Opacity(
        opacity: 0.01,
        child: AppKitView(...),
      ),
    ),
    // Flutter widgets below - receive pointer events for scrolling
    widget.child,
  ],
)

Features Achieved

Drag files out – Works for both local and network files
Drag files in – Accepts drops from Finder into any directory
Scrolling – File tree pane scrolls smoothly
File selection – Click to select files works normally
Remote file handling – Downloads remote files on-demand during drag
Root directory support – Can drop files at project root (empty path)

Key Technical Insights

  1. macOS drag events bypass Flutter’s pointer system – They query all registered views directly, so IgnorePointer and similar widgets don’t affect them
  2. hitTest controls pointer events, not drag events – Returning nil from hitTest allows pointer events to pass through while drag events still work
  3. View registration is separate from hit testing – Views registered with registerForDraggedTypes receive drag events regardless of hitTest results
  4. Mouse event handlers must return early – For drop zones, don’t call super in mouse event handlers to allow events to pass through

Lessons Learned

  • Sometimes a custom native solution is necessary when cross-platform packages don’t meet specific requirements
  • Understanding the underlying platform APIs (NSDraggingSource/NSDraggingDestination) is crucial
  • The interaction between Flutter’s pointer system and native platform views requires careful consideration
  • Persistence pays off – this took many hours but resulted in a robust, maintainable solution

This solution was developed over many hours of debugging and research. The key was understanding that macOS drag events operate at a different level than pointer events, allowing us to let pointer events pass through while still receiving drag events.

CodeFrog beta available for testing

by

CodeFrog for Mac Desktop now available for open testing. It’s a tool for developers.

https://testflight.apple.com/join/xz2v1wYq

I’d love it if you take a look if you’re a dev. Accessibility testing, security testing, bulk domain security testing via DNS API, analyze code with static analysis tools, find vulnerabilities with OSV, HTML validation, GitHub PR response automation, connect to servers via ssh and view your cpu, ram, hd usage.