Allowing users to use the bulk of your service without receiving cookies.

the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.

Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass essentially all CSRF preventions.

The NoScript extension for Firefox mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing authentication & payloads from POST requests sent by untrusted sites to trusted ones. The Application Boundary Enforcer module in NoScript also blocks requests sent from internet pages to local sites (e.g. localhost), preventing CSRF attacks on local services (such as uTorrent) or routers.

The Self Destructing Cookies extension for Firefox does not directly protect from CSRF, but can reduce the attack window, by deleting cookies as soon as they are no longer associated with an open tab.

The advantage of this technique over the Synchronizer pattern is that the token does not need to be stored on the server.

The same-origin policy prevents an attacker from reading or setting cookies on the target domain, so they cannot put a valid token in their crafted form.

Security of this technique is based on the assumption that only JavaScript running on the client side of an HTTPS connection to the server that initially set the cookie will be able to read the cookie's value.

As the token is unique and unpredictable, it also enforces proper sequence of events (e.g. screen 1, then 2, then 3) which raises usability problem (e.g. user opens multiple tabs). It can be relaxed by using per session CSRF token instead of per request CSRF token.

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Attacks were launched by placing malicious, automatic-action HTML image elements on forums and email spam, so that browsers visiting these pages would open them automatically, without much user action. People running vulnerable uTorrent version at the same time as opening these pages were susceptible to the attack.

Details were not released, citing "obvious security reasons".

Cross-site request forgery is an example of a confused deputy attack against a web browser because the web browser is tricked into submitting a forged request by a less privileged attacker.

This link may be placed in such a way that it is not even necessary for the victim to click the link. For example, it may be embedded within an html image tag on an email sent to the victim which will automatically be loaded when the victim opens their email.

A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action.

Data tainting[edit] Netscape Navigator briefly contained a taint checking feature. The feature was experimentally introduced in 1997 as part of Netscape 3.[10] The feature was turned off by default, but if enabled by a user it would allow websites to attempt to read JavaScript properties of windows and frames belonging to a different domain. The browser would then ask the user whether to permit the access in question.

This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies[1] to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client-side to prevent the loss of data confidentiality or integrity.

Cross-site scripting attacks are a case of code injection.

A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script.

By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, to session cookies, and to a variety of other information maintained by the browser on behalf of the user.

Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system.

Any code designed to do more than spread the worm is typically referred to as the "payload".

Please you please cc when you create that issue. It will probably help me reproduce with rollup too.

Currently people are working around this using process.env['SECRET'] to avoid the string replacement

How do I setup a path alias? permalink First, you need to add it to the Vite configuration. In svelte.config.js add vite.resolve.alias: // svelte.config.js import path from 'path'; export default { kit: { vite: { resolve: { alias: { $utils: path.resolve('./src/utils') } } } } }; Then, to make TypeScript aware of the alias, add it to tsconfig.json (for TypeScript users) or jsconfig.json: { "compilerOptions": { "paths": { "$utils/*": ["src/utils/*"] } } }

How do I hash asset file names for caching? permalink You can have Vite process your assets by importing them as shown below: <script> import imageSrc from '$lib/assets/image.png'; </script> <img src="{imageSrc}" />

noReload Type: bool Default: false

noPreserveState Deprecated: removed and default changed from version 0.12. Use preserveLocalState instead.

Well, since you're reading this, let me tell you a little more about HMR. Magic is actually not such a good think in software development, so if we can demystify HMR a bit, it will probably benefits you when it comes to answer setup questions or, generally, get the most out of your HMR experience.

most of my 1K+ packages

There are two ways to move your packages to ESM:Pure ESMThis has the benefit that it’s easier to set up. You just add "type": "module" to your package.json, require Node.js 12, update docs & code examples, and do a major release.

CommonJS has served us well for many years, but ESM comes with many benefits, like language-level syntax, browser support, defaults to strict mode, async loading, top-level await, improved static analysis & tree-shaking, and more.

Rip off the bandaid and completely move to JavaScript Modules.

There are two ways to handle the migration:Pure: Rip off the bandaid and completely move to JavaScript Modules.Dual: Introduce a build step that transpiles a CommonJS fallback.

After discussion with the team, we're going to avoid Request and Response in favour of POJOs, which are much less cumbersome.

In a serverless-first world this gets a bit trickier. It needs to be possible to do both things, in a way that maps to the various serverless platforms out there, which most likely precludes using the (req, res) => {...} signature (and by extension, the ecosystem of Express middleware).

Something people seem to trip over a bit is the fact that session, despite being a writable store, doesn't get persisted. I wonder if we can address that:

We don't interact with the req/res objects you might be familiar with from Node's http module or frameworks like Express, because they're only available on certain platforms. Instead, SvelteKit translates the returned object into whatever's required by the platform you're deploying your app to.

Building an app with all the modern best practices — code-splitting, offline support, server-rendered views with client-side hydration — is fiendishly complicated. SvelteKit does all the boring stuff for you so that you can get on with the creative part.

makes your app inaccessible to users if JavaScript fails or is disabled (which happens more often than you probably think).

Service workers act as proxy servers that handle network requests inside your app. This makes it possible to make your app work offline, but even if you don't need offline support (or can't realistically implement it because of the type of app you're building), it's often worth using service workers to speed up navigation by precaching your built JS and CSS.

This function runs both during server-side rendering and in the client, and allows you to get data for a page without (for example) showing a loading spinner and fetching data in onMount.

When you add a redirect with cPanel interface, the system places redirect rules at the bottom of the .htaccess file.

Select a redirect type from the Type menu. Permanent (301) — This setting notifies the visitor’s browser to update its records. Temporary (302) — This setting does not update the visitor’s bookmarks.

Forwarding and URL is equivalent to Redirecting an URL. Is the same concept. You can use the words interchangeably. However, while redirecting normally refer to the practice of sending an HTTP 30x status code (generally 301 for permanent and 302 for temporary redirects) the word forwarding assumes a broader meaning. In fact, several companies (including GoDaddy) provides different type of forwarding: forward (redirect) forward with masking Forwarding an URL using the masking technique means instead of redirecting to the target transparently, the target URL is opened in a frame so that the visitor will always see the source URL in the address bar.

Post/Redirect/Get (PRG) is a web development design pattern that lets the page shown after a form submission be reloaded, shared, or bookmarked without ill effects, such as submitting the form another time.

To solve this, many people resort to a nounVerb naming schema, but this has it’s problems. For one thing, it feels unnatural to many people; postAdd just doesn’t read as well as addPost.

Current tooling doesn’t allow for a simple way to group your mutations, so a large list of them can make it difficult to see what sort of operations you can perform on a given resource (eg. add, delete, promote, hide, like, etc).

The query name doesn't have any meaning on the server whatsoever. It's only used for clients to identify the responses (since you can send multiple queries/mutations in a single request).

In fact, you can send just an anonymous query object if that's the only thing in the GraphQL request (and doesn't have any parameters):

Name your mutations verb first. Then the object, or “noun,” if applicable; createAnimal is preferable to animalCreate.

Case stylesField names should use camelCase. Many GraphQL clients are written in JavaScript, Java, Kotlin, or Swift, all of which recommend camelCase for variable names.Type names should use PascalCase. This matches how classes are defined in the languages mentioned above.Enum names should use PascalCase.Enum values should use ALL_CAPS, because they are similar to constants.

It is common good practice to use camelCase for your fields and pascalCase for the names of types.

When working with mutations it is considered good design to return mutated records as a result of the mutation. This allows us to update the state on the frontend accordingly and keep things consistent

Can you re-open this until we fix it?

I hope I won’t forget, but I’ll come back to you once we’ve got an idea on how to improve this Svelte API

Also don’t forget to call toPromise() on the Return value or it won’t execute :)

the only way to make it work is to do something like $: result = mutation(...) but it doesn't make sense, I don't want to run the mutation after each keystroke.

Currently the mutate helper in Svelte runs immediately as we’re still figuring out patterns. However, if you call a mutation programmatically you can use getClient() and call client.mutation, like so: https://formidable.com/open-source/urql/docs/concepts/core-package/#one-off-queries-and-mutations We’re still working on idiomatic Svelte APIs so this one’s also on our list to figure out what the best way forward is

For context, the previous API had a lazy promise. Currently I’m thinking we could just return a closure like in the React API

IMPORTANT Please do not ignore this template. If you do, your issue will be closed immediately.

So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues.

The self-signed certificate which represents the DST Root CA X3 keypair is expiring. But browser and OS root stores don’t contain certificates per se, they contain “trust anchors”, and the standards for verifying certificates allow implementations to choose whether or not to use fields on trust anchors. Android has intentionally chosen not to use the notAfter field of trust anchors. Just as our ISRG Root X1 hasn’t been added to older Android trust stores, DST Root CA X3 hasn’t been removed. So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues.

Please ensure that if the lookup fails, the exception indicates which part of the name caused the failure. It's waaay past time that the industry moves past "ENOENT: No such file or directory" in its exception reporting :)

GraphQL Field Resolution Method Dispatch type class field method obj receiver args method arguments ctx runtime state

In real life I ride a Ninja, the last in a line of many bikes over more than forty-five years. However, within this game I've apparently never ridden a sport bike. Or any motorcycle. Or a bicycle. Or watched people ride. Or walked upright. I'm playing with a Thrustmaster joystick, but frankly I might as well be controlling the bike with a Ouija board. If I can not hit a wall, it's a personal victory. Personal victories do not occur often. Instead of the feeling that I'm controlling an exquisitely balanced, steep fork angle sport bike, or even a full dress Harley with an enormously fat passenger and two flat tires, I feel like I'm controlling a rocket-powered lawnmower with several missing tires. Perhaps towing a couple trailers connected with springs. Dying fish don't flop around like me. In forty minutes I've not come close to anything resembling control, much less fun, and I've hit my limit on time I'm willing to throw at it. Wasted money for me; time to acknowledge my mistake, uninstall and get on with my life.

1. The main folder names have numbers in front of them, such as 0-base to ensure that the folders stay in that particular order. You can certainly omit this or choose different folder names.

Note that not all of the colors in SMUI read from CSS variables, so some parts will still use the colors defined in the original Sass compile.

Because of that, it's essential that the bundler doesn't treat the package as an external dependency. You can either modify the external option under server in rollup.config.js or the externals option in webpack.config.js,

or simply install the package to devDependencies rather than dependencies, which will cause it to get bundled (and therefore compiled) with your app:

The super hacky alternative... using an error's stack trace When I got this to work I literally laughed out loud 😂. It might be the most hacky solution to a problem I've found yet

It's a chicken-and-egg-like problem: If we use module: 'commonjs', then if any TS files import ES Modules (indirectly in their dependency graph), then Node throws an error because CommonJS modules can not import ES Modules.

abandoned

You would struggle to fit a list of all the issues onto the Great Wall of China even with tiny handwriting, but here are a couple of very simple UI issues that make me think, if you can't get this right, why are you bothering?

The thing that makes the client-side invocation return the same data as the server-side one is that the results of calling fetch during SSR are serialized and inlined into the page. This ensures consistency when the page hydrates, and saves network round-trips (and also means less data needs to come over the wire, since everything can get compressed using the same gzip dictionary or whatever).

This allows you to have any sort of object as a prop (e.g. you could dynamically import a component inside load and use it with <svelte:component>).

Using unfinished software to build an app that will be seen by millions of people is a risk, and in general I don't recommend it. But it has enabled us to develop the app much faster, and has made the framework itself much stronger than it otherwise would be.

Vite falls into the same category as Snowpack.

Use cases: Volumes are most useful when you need more storage space but don’t need the additional processing power or memory that a larger Droplet would provide, like: As the document root or media upload directory for a web server To house database files for a database server As a target location for backups As expanded storage for personal file hosting platforms like ownCloud As components for building more advanced storage solutions, like RAID arrays

Familiarity: Volumes function as generic block devices, so you can treat attached volumes like locally connected storage drives. This lets you partition, format, and manage volumes with familiar tools and techniques.

However, the novelty wears off quickly and the whole thing soon becomes a slog — the career mode could be cut in half and the experience would be better for it.

However, as powerful as the <picture> element is, sometimes it gives us more power than is actually needed to achieve suitable responsiveness. Sometimes all it really takes is a regular <img> element using the srcset and sizes attributes inline.

That image only contains 200 pixels horizontally, but the browser stretches it to 400px wide or even farther!Luckily, you’ll see there’s an easy “fix” there at the end: our old good friend the width attribute!<img src="example.gif", srcset="example.gif 200w" sizes="(min-width: 400px) 400px, 100vw" width="200" /* <=== TA-DA! */ class="logo">As long as you can specify the width attribute so it reflects the true maximum size of your largest image, you won’t run into this problem of having sizes make your image wider than it naturally should go.

The selected source size affects the intrinsic size of the image (the image’s display size if no CSS styling is applied).

Of course in the world of responsive images, we put constraints on our images with CSS:img { max-width: 100%;}Now the image appears at it’s natural size unless it’s constrained by the parent container! Excellent.

Any news on this? It has been over a year?

Cadence on the other hand is about the rhythm at which the business can regularly and consistently delivery projects that effect change.

Agile as a methodology is designed to be adaptive to multiple conditions and drivers to enhance the speed of delivery, but it is most successful when the organisation adopting it understands its own in-built cadence, i.e. its specific rhythm of project delivery.

Note the difference between pace and cadence. Pace is 1/speed in (eg. min/km) whereas cadence refers to steps/minute

Why, it's a pleasure, and thank you kindly; glad to have been of help! =)

That's it! Yay! I have to say that you sure know your stuff. Thanks.

What I am attempting to do is to highlight a div with a certain id, when It has been referred to by an anchor on another page IE: User clicks link href="qw.html#test", when the page is loaded, then the div with the id="test" is highlighted so that the user can see it clearly.

You need to use the :target pseudo-class: :target { background-color: #ffa; }

I am unable to change the name and URL of my Kickstarter account.

My name is Floyd Lu, I have been designing and publishing games since 2015 under B&B Games studio. In 2020 B&B Games studio dissolved. I took over a part of the business including this account. I am unable to change the name and URL of my Kickstarter account. I delivered and personally worked on each project that I did and I can't transfer all the followers, therefore, I am still launching new projects under this account.

Without links, the World Wide Web would be more appropriately called the World Wide Set Of Unrelated Pages, or, incidentally, WWSOUP.

While it’s great how simple and effective the process is of “linking” pages together, I think there’s room for improvement.

deep URLs are not allowed in the "Website" field. If you use keywords or deep URLs, your comment or URL will be removed.

when HTML5 started, the feedback from the HTML5 guys was pretty clear: HTML5 is there to improve web apps (standards-based flash! yay!), and not to improve HTML as a hypermedia format. http://dret.typepad.com/dretblog/2008/05/xhtml-fragment.html was a very early attempt to raise the issue and was shot down promptly. with HTML5 now branching into so many micro-specs (https://github.com/dret/HTML5-overview), maybe there’s a good chance to simply create a “FragIDs in HTML5” spec and see if there’s any community uptake. it would be great to see this getting started, and maybe IETF with its more open process would be a better place than W3C.

For this very reason, we have the hx’s on our site dynamically create id’s. I love being able to direct people directly to a particular part of a page when I find something interesting, but the problem is that only we, as developers, know how to do this.

I like the idea in theory, however it doesn’t feel very robust – you are relying on the layout of the page in question. Many authors regularly revisit articles and add new sections and paragraphs. Now your #h2:3 link points to a previous section. (This is far less likely to happen with IDs.)

Linking directly to someone’s blog comment is very useful. Even if a blog doesn’t have an active link for each comment, it’s pretty easy to use developer tools to find the comment’s id and link to it. I’ve done this many times on Smashing Magazine (they don’t have live links on each comment). If there was no way to link to an individual blog comment, this would be a great hindrance to linking on the web. It would not be enough to link to the “#comments” section and then hope for the best. So CMSs like WordPress do the right thing by dynamically adding a unique identifier to each comment.

The reason fragments should be identifiable by users is because a user, not the content creator or the developer, will ultimately decide whether or not a portion of content is valuable or notable in some way.

Yes, the content creator should have the ability to decide how a page is generally divided, if they choose to do so. But the end user should not be restricted from linking to content fragments just because a developer couldn’t be bothered to add id attributes to every element on the page. And that’s besides the fact that it would be a waste of time for a developer to do that or to have to build a CMS that does it automatically.

The simple problem that I see with fragment identifiers is that their existence and functionality relies completely on the developer rather than the browser. Yes, the browser needs to read and interpret the identifier and identify the matching fragment. But if the developer doesn’t include any id attributes in the HTML of the page, then there will be no identifiable fragments. Do you see why this is a problem? Whether the developer has coded identifiers into the HTML has nothing to do with whether or not the page actually has fragments. Virtually every web page has fragments. In fact, sectioning content as defined in the HTML5 spec implies as much. Every element on the page that can contain content can theoretically be categorized as a “fragment”.

So why is it up to the developer (or content creator) to define whether or not a specific portion of the content can be linked to? When any page of content is created, there is no way of knowing which sections of the page are worthy of being identified.

The developer or content creator may have a general idea of how a page’s content might be divided up, but ultimately it will be the linking resource that should have full control over what portion of the page they want to highlight.

This means that, regardless of what the developer has done behind the scenes in the HTML, all HTML fragments on that page should be identifiable by external referrers.

Status: personal view

Editing status: Good enough fo discussion.

There is a fundamental weakness in the name attribute, which the id attribute addresses: the name attribute is not required to be unique. This is OK for forms where you can have multiple elements with the same name, but unsuitable for the rest of the document where you are trying to uniquely identify an element.

Extensions supporting this specification are available for Chrome

Making effective use of this mechanism requires either control of the targeted document or generous creators of targeted documents who have liberally applied id attributes throughout a document.

HTML fragment identifiers, as defined in the registration for the text/html media type [RFC2854] operate on id attributes and (now less frequently) the name attribute of the a, applet, frame, iframe, img and map elements.

[gripe]Email is supposed to be a text-only medium. I can concede a need for rich text - the occasional bold or italic - but background pictures are just needless bloat.[/gripe]

Negative margins are in many cases equivalent to position:relative; with negative position, e.g. position:relative; top:-100px, as in Guffa's answer.

I used to pull stunts like this all the time as soon as tables came. Really ugly, and may seriously embarrass any validator you run it trough: overlapping table cells. Works in most browsers though and even without css.

We haven’t covered this yet, but HEY has another consent-based feature they call the Speakeasy code. When used in the subject line of an email, this code grants the email access straight to the Imbox.

In the earlier example, I used “no-reply@” because this is, unfortunately, a common practice used by many email marketers. As a brand utilizing email, you should never expect a personal experience like email to ever be one-sided.

At its core, we’re all for this concept. For decades, we’ve preached consent and clear opt-ins as best practices for all email senders.

So The Screener really just acts as a second layer of consent—almost like a confirmed opt in.

The difference is that this happens in the email client, not at the subscription step. Why is this a big deal? Because, even though they just subscribed to your email, there’s a chance your email won’t get a thumbs up.

confirmation or refutation would be appreciated

Negative margins get removed by Gmail and others. So, no negative margins.

But in the dark world of HTML email, where the motto is "code like it's 1996" because Outlook uses the rendering engine from MS Word and Gmail removes almost everything, every method for making two elements overlap that I can think of is unsuitable due to poor client support

You can't use negative margin in html email. To mimic this, there are 2 ways to do it, the nested tables way and the more complex rowspan way:

gmail and other mail services are ignoring the negative margin.

You may have noticed your emails looking a little cramped in Hotmail and Outlook.com recently. The culprit? Discontinuation of support for the margin property in these email clients. Rather than honoring your carefully spaced paragraphs and images, Hotmail and Outlook.com are now completely stripping margin from paragraph tags, leaving default values (0 for the top, right and left; 1.35em for the bottom, to be exact) in their place.

Negative values are mostly unsupported in html email. So is CSS position. For webmail at least, this is so that your email doesn't render outside of the desired window. Imagine Gmail with your CSS or email affecting the interface - they've limited the CSS you can use specifically to prevent this.

Yeah, as many developers will tell you, designing/coding for email is an incredibly hit-or-miss proposition...this is simply one more thing that may work in some email clients. The only consistent behavior in HTML/CSS emails is that nothing is consistent. :-)

Rogues Adventure (Tiny Adventure?) is one of literally thousands of 2D retro pixel platformers infesting Steam. This one has you jumping around maze-like 2D puzzle levels collecting coins etc. The usual. They chose to use obsolete retro pixel "art" as a substitute for contemporary PC graphics. It's unclear if this is due to lack of budget or talent, regardless, the overall visual quality of the game is extremely low as a result. Resolution and controls are locked. These flaws push this game far below minimum acceptable standards for PC. This is such a routine platformer, the only remarkable thing about it is the developers didn't even know what name to call it when they launched on Steam.

My Sweet Ants! is a free mobile app that's been dumped from the iOS app store onto Steam. I got my key from DIG in their latest bundle. Why do I do this to myself? This mobile app is a game where you solve jigsaw puzzles of ants which have had anime girl eyes and mouths photo shopped onto them. Every day we stray further from god's light, I guess.Like all mobile apps, the quality is pretty low here. Resolution is fixed so the game falls below acceptable standards for PC.Once more we see greedy mobile devs trying to scam PC gamers. They want $2 USD for this free mobile app! Mobile devs must learn PC gamers are not here to be gouged, and can't be expected to pay a premium for a free mobile app just because it's been lazily dumped on Steam. This is unacceptable disrespect for PC gamers. I didn't spend thousands on a gaming PC so I could pretend it's an iPhone. I can't recommend anyone buys this when you can play it for free on mobile, not that anyone would want to.

You use the webcam of yours like a VR and you are able to operate the car with your own two hands and arms...it's great!

The game is buggy and unplayable, it crashes on launch most of the time. If you can get it to launch, it crashes as soon as you start moving. It's early access, sure, but despite being early access the developer is already selling it as a complete game in bundle stores like Daily Indie Game. Surely that's just an innocent mistake and not some dodgy attempt from a shady developer/publisher to sell an abandoned game as if it was complete.

A funny thing to note is how all the positive reviews for this game are from accounts with free/no products or VAC bans. Probably compromised accounts or something. Gotta love those fake reviews.

Check the reviews run ralph run Moo mei 2 Moo Mei 1 and this game, why do most of the positive reviews either have a VAC ban or 0 achievements in the game showing they haven't played it.

Anyway it's difficult to write too much about the game because it crashes on launch. Broken games don't get thumbs up. I have a dream that one day I'll play an indie game where they bothered testing it. Either way, don't buy broken games. Impossible to recommend.

Would you rather use a friendly drag-and-drop interface rather than coding? Try Passport, the email builder based on MJML!

MJML comes out of the box with a set of standard components to help you build easily your first templates without having to reinvent the wheel.

Components are the core of MJML. A component is an abstraction of a more complex email-responsive HTML layout. It exposes attributes, enabling you to interact with the final component visual aspect.

nside any section, there should be columns (even if you need only one column). Columns are what makes MJML responsive.

MJML has been designed with responsiveness in mind. The abstraction it offers guarantee you to always be up-to-date with the industry practices and responsive. Email clients update their specs and requirements regularly, but we geek about that stuff - we’ll stay on top of it so you can spend less time reading up on latest email client updates and more time designing beautiful email.

No, most css doesn't work in emails, stick to tables and images.

If you're trying to use flexbox as a responsive way to adapt your mails in different devices, well there's a framework for that called MJML hope it works for you.

HTML in emails is somehow in a forgotten world and is about lots of years behind us.

there's a framework for that called MJML hope it works for you

There is a lot of variation in styling support among different mail clients

For now though, you're stuck with <table> and CSS2 support for your layouts.

Write in Markdown

So even if it works for you, you won't know where it breaks.

Honestly, even without flexbox support, most of the layout problems would be solved with simple-basic CSS3 support that is standard in all clients.

With every other change I make, I have to test in a dozen clients and make sure it looks fine. Why is there so much variation in email style implementation amongst different clients?

I'm coding an email for a project and man! it's such a pain. Every other client has it's own implementation and supported rules. Some don't allow even simple properties like background-image while some support most advanced rules like media queries

Anyway... take a look at this framework is basically a responsive framework for emails. Haven't tested it yet but seems to be a very good one.

I haven't done much e-mail templating luckily, but like you said it's a PITA... It would be great if there was some kind of standard though, but that's not going to happen anytime soon

Why are there so many programming languages and frameworks? Everyone has their own opinion on how something should be done. Some of these systems, like AOL, Yahoo, etc... have been around for a decade, and probably not updated much.

Simple fact is that HTML support is different in them because mail clients are so old, or others are allowed to operate in browsers where not all CSS or even HTML can be applied in a secure manner. Older clients have outdated browsers that you'll likely NEVER see brought up to standards; what with Opera's standalone aging like milk, and thunderbird lagging behind the firefox on which it's even built. Don't even get me STARTED on older clients like Eudora or Outlook.

But more so, external style cannot be applied to a subsection of a web page unless they force it into an iframe, which has all sorts of issues of it's own which is why external CSS is usually ignored. Inline CSS is often stripped by the tag strippers who don't want you turning things on or off... and media queries shouldn't even play into it since the layout should be controlled by the page it's being shown inside (for webmail) or the client itself, NOT your mail.

Whilst I realize the artsy fartsy types get a raging chodo over their goofy PSD based layout asshattery

That's what's supported, and is all that is EVER likely to be supported... and even then be DAMNED sure you send multipart with a plaintext copy or a great many mail servers will flat out reject it on the assumption that no legitimate e-mail has any damned business even having HTML in it in the first place!

that garbage has ZERO damned business in an e-mail which is why a great many places use HTML only e-mail as a trigger for spam detection! (if you send multipart as both text/html and text/plain, you're fine)

That's something that has been bugging me too. I mean, it's fine if not everything is supported, but if everyone could agree on what is or should be supported then that would make a huge difference. But until then, it's going to be a struggle.

I've worked with people at companies where this was their only responsibility. Setting up emails for clients, making sure they pass a battery of tests and look great in all browsers and clients. It's an incredible PITA and it's not a set it and forget it thing. Clients can change month to month; spam filters change, etc...

Email is Hard: learn how MJML will help you.

Write less code, save time and code more efficiently with MJML’s semantic syntax.

Also cross-compatibility with mail clients can be hairy, so you should see what the industry experts are doing.

I hate to be the guy who will destroy your day but... Tables. You need to work with nested tables/cells. If you think Gmail is annoying you will cry in agony if you also need Outlook support.Work with the good old HTML from the early 2000's. That's the only way to be sure everything will work as intended.Anything else will mostly result in a horrible mess, broken design and incompatible layouts.

(And please, no "use a different email design service" answers, I don't have control over that)

iOS 9 and 10 support @supports. Make sure your ESP is not stripping it, or feel free to share your code so we can help you.