Bloopist was alerted to a CORS vulnerability by Jens Mueller on August 21, 2017. That vulnerability is now patched. More details can be found in Fixing CORS Security Holes.
Bloopist suffered a ton of downtime over the past couple of months: around one or two full days per month, caused by server instability. The issue was very difficult to track down, but it seems to have been related to how Bloopist was acquiring TLS certificates for each blog that it hosts.
Bloopist provides a custom subdomain for every blog and custom domains for paying blogs. These domains and subdomains are protected by individual TLS certificates issued by Let's Encrypt. Because of the large number of blogs on Bloopist, retrieving certificates from Let's Encrypt had to be automated, and the OpenResty plugin lua-resty-auto-ssl was used for this. Bloopist was running into Let's Encrypt rate limits from the start: Let's Encrypt caps how many certificates it will issue per registered domain per week, so a host that requests a separate certificate for every blog subdomain reaches that cap quickly. This wasn't a problem initially, as lua-resty-auto-ssl handled those errors correctly. The Bloopist servers tracked which blogs had been issued TLS certificates for which domains and automatically served each blog over http or https as appropriate.
However, Bloopist appeared to hit a second Let's Encrypt rate limit that lua-resty-auto-ssl did not handle as well. This time the plugin caused OpenResty to stop serving requests to the Bloopist application servers altogether. The exact cause has not been determined yet, so in the meantime an interim solution has been implemented: only selected blogs are served over https. The remaining blogs are served insecurely over plain http until the issue with lua-resty-auto-ssl is resolved.
This is a simple test post to show that jQuery can be used to retrieve JSON data from the Bloopist servers and display it in the current page. The script runs inside a sandboxed iframe, so it is isolated from the surrounding Bloopist page and safe for the end user.
Title: <div id="title">title not loaded yet...</div><br/>
Author: <div id="author">author not loaded yet...</div><br/>
Body: <div id="body">body not loaded yet...</div>
var url = "https://blog.kurttomlinson.com/posts/3.json";
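As an added example (not code from the original post), here is what the fetch-and-render script behind the demo above could look like: it requests the JSON at the post URL and fills the three divs, writing every field as text rather than HTML so that markup inside the JSON is shown literally instead of running in the reader's page. The field names title/author/body, the response shape, and the fake document used to exercise the logic offline are assumptions; only the URL and the element ids come from the page.

```javascript
// Added example, not Bloopist's own code: fetch a post's JSON and render it
// without letting markup in the JSON execute in the reader's page.
// Assumptions: the JSON has "title", "author" and "body" string fields, and
// the page has <div id="title">, <div id="author">, <div id="body"> as above.
const POST_URL = "https://blog.kurttomlinson.com/posts/3.json";
const FIELDS = ["title", "author", "body"];

// Keep only the expected fields and force them to strings, so a surprising
// response shape (arrays, nested objects, missing keys) cannot break rendering.
function extractPost(json) {
  const post = {};
  for (const field of FIELDS) {
    const value = json && json[field];
    post[field] = typeof value === "string" ? value : "";
  }
  return post;
}

// Write each field with textContent (jQuery: .text(), never .html()), so any
// HTML inside the JSON is displayed as literal text instead of being parsed.
function renderInto(doc, post) {
  for (const field of FIELDS) {
    const el = doc.getElementById(field);
    if (el) el.textContent = post[field];
  }
  return post;
}

// Browser entry point using the Google-hosted jQuery build. .done/.fail exist
// on jqXHR in every jQuery 1.x/2.x version listed below (.catch is jQuery 3+).
function loadPost(jq, doc) {
  return jq.getJSON(POST_URL)
    .done((json) => renderInto(doc, extractPost(json)))
    .fail(() => renderInto(doc, { title: "", author: "", body: "post failed to load" }));
}

// Minimal stand-in for the three <div>s so the rendering logic can be
// exercised outside a browser (constructed for the offline demo only).
function makeFakeDocument() {
  const els = Object.fromEntries(FIELDS.map((id) => [id, { id, textContent: "" }]));
  return { getElementById: (id) => els[id] || null, els };
}

// Constructed sample response: the author field has the wrong type and the
// body carries markup that must stay inert.
const SAMPLE_RESPONSE = {
  title: "Test post",
  author: { name: "not a string" },
  body: "<img src=x onerror=\"alert(1)\"> hello",
};

if (typeof window !== "undefined" && typeof window.jQuery !== "undefined") {
  loadPost(window.jQuery, window.document);
} else {
  const doc = makeFakeDocument();
  renderInto(doc, extractPost(SAMPLE_RESPONSE));
  console.log(doc.els.body.textContent); // the <img> tag is printed as text
}
```

Two things matter here for a post that embeds scripts. First, the request is cross-origin (the sandboxed iframe does not share the blog's origin), so it only succeeds if the JSON endpoint sends the appropriate CORS response headers for that origin; an endpoint that blindly reflects any origin is the kind of hole the CORS post above refers to. Second, `.text()`/`textContent` rather than `.html()`/`innerHTML` is what keeps a post body containing HTML from becoming live markup in the reader's page.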
If you want to use jQuery in your Bloopist posts, you should use the versions that Google hosts:
Luckily, Google hosts a lot of different versions of jQuery (2.1.4, 2.1.3, 2.1.1, 2.1.0, 2.0.3, 2.0.2, 2.0.1, 2.0.0, 1.11.3, 1.11.2, 1.11.1, 1.11.0, 1.10.2, 1.10.1, 1.10.0, 1.9.1, 1.9.0, 1.8.3, 1.8.2, 1.8.1, 1.8.0, 1.7.2, 1.7.1, 1.7.0, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0, 1.5.2, 1.5.1, 1.5.0, 1.4.4, 1.4.3, 1.4.2, 1.4.1, 1.4.0, 1.3.2, 1.3.1, 1.3.0, 1.2.6, and 1.2.3 as of 11/19/2015).
Some other Google Hosted Libraries are AngularJS, Angular Material, Dojo, Ext Core, jQuery, jQuery Mobile, jQuery UI, MooTools, Prototype, script.aculo.us, SPF, SWFObject, three.js, and Web Font Loader!
Bloopist was down unexpectedly for about 21 hours from 11:54 pm (on 11/15/2015) to 8:15 pm today (11/16/2015) central time.
Bloopist is hosted on an Amazon EC2 instance. The hardware that the instance was running on broke without warning. The server stopped responding to the Pingdom monitoring service at 11:54 pm, and I received an email from Amazon notifying me of the "degradation of the underlying hardware hosting" Bloopist.
If you're interested in seeing what the email that Amazon sends you when your server dies looks like, I've embedded a snapshot of it below: