
For the privacy-conscientious user, your site provides one of the worst experiences I've ever seen.

To get anything to work, I had to allow scripts from www.codewars.com, push.codewars.com, two CloudFlare domains, AND platform.twitter.com. While my usual process to get JS-heavy web apps to work is to load scripts from the domain itself, plus any standard CDN domains (like CloudFlare), your site does not work without widgets.js from Twitter, which is pretty crazy.

You depend on three different CloudFlare subdomains - one of which serves a tracking script, on top of you trying to load tracking scripts from MixPanel, Google Analytics, Rollbar, Intercom, Twitter and Facebook. I only loaded what I had to, but I think it's safe to assume that you would have pushed more domains on to me had I loaded everything.

Edit: the complaints in the two paragraphs below are invalid (can't strikethrough on HN) - I mistook the authentication form as requesting my GitHub credentials, whereas the "GitHub" title is a link to GitHub's OAuth page, and they also provide the option for creating a CodeWars account without linking your GitHub. The visual distinction between these two authentication mechanisms is near-invisible on my laptop's monitor. Anyway, according to guptaneil (below), they will still require you to create an account with them after linking your GitHub, so don't bother.

-Normally I would just dismiss such a privacy-flippant site as yours, but what pushed me to make a comment is that you prompted me to type in my GitHub password on your site, on a form with an action against your server. This is absolutely horrendous. You should only input your GitHub password on pages at, and send it to, servers at https://*.github.com. I can only feel sorry for all the users who have fallen for this. I feel worse for those users without NoScript, who have unknowingly typed their GitHub password into a tab with scripts from about 10 different companies running - do you trust all of them to not log your password? Even the analytics companies?-

-I've flagged this post, and for anyone who typed their GitHub credentials into this site, I'd recommend you reset your password.-




Sorry for the confusion on the signup, Majika. We aren't asking for your GitHub credentials, but are offering a link to connect your GitHub account securely via OAuth and GitHub.com (it's optional). The fields for email/password are to set details for your new account on Codewars. If you accidentally entered your GitHub info there we can manually delete the account for you.

We do load quite a few 3rd party libraries, though only to make the user experience even better. All of these services are pretty standard and most of these should be familiar to many web developers. Intercom allows us to communicate in real-time with our users, Rollbar allows us to monitor client-side exceptions, Mixpanel and Google for analytics, Twitter and Facebook for social. You bring up a good point though that for users who wish to disable these, there are integration points within our code that would most likely cause errors to be thrown. We can certainly work on decoupling our code so that it silently ignores calls to these APIs.
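The decoupling described in the reply above, sketched as an added example (not part of the thread and not Codewars' code): first-party logic calls vendor APIs through a guard that treats a blocked or failing script as a no-op. The names `resolve`, `safeCall`, `completeChallenge` and `sampleWindow` are hypothetical, and the sample objects are constructed stand-ins for the browser globals.

```javascript
// Added example; resolve, safeCall and sampleWindow are hypothetical names.

// Look up a dotted path such as "mixpanel.track" at call time, so a vendor
// script that loads late, or is blocked and never loads, is handled alike.
function resolve(path, root) {
  let owner;
  let value = root;
  for (const key of path.split('.')) {
    if (value === null || value === undefined) return null;
    owner = value;
    value = value[key];
  }
  return typeof value === 'function' ? { owner, fn: value } : null;
}

// Call a third-party API if it exists; never let it break first-party code.
function safeCall(path, args = [], root = globalThis) {
  const target = resolve(path, root);
  if (!target) return { called: false, reason: 'missing' };
  try {
    return { called: true, value: target.fn.apply(target.owner, args) };
  } catch (err) {
    return { called: false, reason: 'threw', error: String(err) };
  }
}

// Constructed stand-in for `window`: Mixpanel loaded, Rollbar failing,
// Twitter widgets and Intercom blocked by the visitor.
const sampleWindow = {
  mixpanel: {
    events: [],
    track(name, props) { this.events.push({ name, props }); return true; },
  },
  Rollbar: { error() { throw new Error('endpoint unreachable'); } },
};

// A first-party action that reports to vendors but does not depend on them.
function completeChallenge(root) {
  const saved = true; // stands in for the site's own work
  return {
    saved,
    analytics: safeCall('mixpanel.track', ['challenge_completed', { id: 1 }], root),
    widgets: safeCall('twttr.widgets.load', [], root),
    chat: safeCall('Intercom', ['update'], root),
    errors: safeCall('Rollbar.error', ['sample message'], root),
  };
}
```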


Thanks for the response. I'm very happy to hear that you consider the hard-dependency on external scripts a problem, and that you are willing to accommodate users who prefer to control who their browser talks to.


Maybe you should go full rms and only access the web via email.

I can't believe this is the top comment.


Stop setting up this dichotomy. It's not all or nothing.

There are reasonable amounts of external javascript to load, and there are unreasonable amounts. Please study the difference.


The UI on their site is extremely unclear and I initially made the same assumption, but they're not asking for your GitHub password. They are asking you to enter in a password for their site to create an account. I still have no idea why it was necessary to link my GitHub account though, since I had to create a new codewars account anyway.


Oops. Thanks for that. I've edited my post. Turns out they accept a fake email address, so I just signed up with that.


Glad you were able to make the distinction; we are working on making GitHub's integration cleaner. The intention is to allow you to link your GitHub account, so that you can use it for return access to Codewars. It's also meant to auto-populate your username/email and not require a password - which we just realized is broken.


I didn't even get that far. My company's firewall blocked it altogether.



