New Chat
Ctrl
K
  • Websites
  • Docs
  • Slides
  • Sheets
  • Deep Research
Kimi Code Kimi Claw
Chat History
  • Mobile App
  • About Us
    • Visit Moonshot AI
    • Open Platform
    • Features
    • Terms of Service
    • Privacy Policy
  • Language
  • User Feedback

Exposición de código Apple

Cuéntame el anáisis sobre el código filtrado de app.apple.com Ir al contenido principal App Store web has exposed all its source code : r/webdev r/webdev La búsqueda actual está en r/webdev Eliminar el filtro r/webdev y ampliar la búsqueda a todo Reddit Buscar en r/webdev Anunciarse en Reddit Chat abierto Crear Publicar Abrir bandeja de entrada Avatar de usuario Expandir menú de usuario Ir a navegaciónIr a barra lateral derecha Volver Icono de r/webdev Ir a webdev r/webdev • hace 12 d rxliuli App Store web has exposed all its source code r/webdev - App Store web has exposed all its source code The App Store appears to have been rebuilt using Svelte, but they forgot to remove the sourcemap configuration in production, resulting in the complete exposure of the source code. https://apps.apple.com/ I also uploaded a copy to GitHub: https://github.com/rxliuli/apps.apple.com Update: App Store just fixed this issue. Update: Repository unavailable due to DMCA takedown. https://github.com/github/dmca/blob/master/2025/11/2025-11-05-apple.md I will not continue distributing this code, please stop sending me DM or email. Upvote 4,7 mil Downvote 698 Ir a los comentarios Compartir Avatar de u/IONOS IONOS • Patrocinado ¿POR QUÉ NO? Crea gratis una página web en pocos minutos con ayuda de la IA y expande el nombre de tu marca. Incluye dominio, y soporte 24/7 Ordenar ahora ad.doubleclick.net Thumbnail image: ¿POR QUÉ NO? Crea gratis una página web en pocos minutos con ayuda de la IA y expande el nombre de tu marca. Incluye dominio, y soporte 24/7 Comparte tu opinión Ordenar por: Mejores Buscar comentarios Expandir la búsqueda de comentarios Sección de comentarios shakelfordbase • hace 12 d I've had this argument so many times with inexperienced frontend developers. This is not "exposing" their source code. While yes, it may not be minified and it's slightly more human readable, it's not exposing any additional logic. Remember, obfuscation is not security. Upvote 2,6 mil Downvote Responder Premiar Compartir Avatar de u/Careful_Pin_3122 Careful_Pin_3122 • hace 12 d i toy with keeping sourcemaps on because my tech savvy clients can help with bugs lol Upvote 582 Downvote Responder Premiar Compartir philipwhiuk • hace 12 d I toy with it so it’s easier to debug prod issues :) Upvote 305 Downvote Responder Premiar Compartir Informal-Chance-6067 • hace 12 d you test in prod? me too Upvote 511 Downvote Responder 1 Compartir BeastDora • hace 12 d prod-testers assemble!!! Upvote 119 Downvote Responder Premiar Compartir Avatar de u/Gastenns Gastenns • hace 11 d Eventually… everything gets tested in prod…. Upvote 72 Downvote Responder Premiar Compartir BeastDora • hace 11 d Some wise words right here ✌🏼 Upvote 10 Downvote Responder Premiar Compartir Avatar de u/tortleme tortleme • hace 10 d aside from that one feature your client requested but never use Upvote 4 Downvote Responder Premiar Compartir 2 respuestas más ParkerLettuce • hace 12 d Whadup Upvote 13 Downvote Responder Premiar Compartir matthewralston • hace 11 d My users report errors faster than Sentry. Upvote 12 Downvote Responder Premiar Compartir 3 respuestas más MasterBathingBear • hace 11 d Shift Right! Upvote 4 Downvote Responder Premiar Compartir 1 respuesta más 12 respuestas más Avatar de u/hsnk42 hsnk42 • hace 11 d <insert meme> You guys are testing ? Upvote 8 Downvote Responder Premiar Compartir 1 respuesta más InsideResolve4517 • hace 12 d some issues can't be find on local Upvote 17 Downvote Responder Premiar Compartir 7 respuestas más 18 respuestas más kraken665 • hace 11 d Testers? We got hundreds of them, we call them "users" Upvote 8 Downvote Responder Premiar Compartir Avatar de u/micaelbergeron micaelbergeron • hace 12 d Host the sourcemaps on a password-protected HTTP server, or host this on an internal domain (using a VPN, for instance). Connected VPN clients will have the sourcemaps, and everything is transparent to the users. Upvote 18 Downvote Responder Premiar Compartir Avatar de u/UpsetKoalaBear UpsetKoalaBear • hace 12 d Don’t even need to do that, chrome lets you set a local override for the source map so you can just use that. https://developer.chrome.com/docs/devtools/developer-resources Upvote 32 Downvote Responder Premiar Compartir 2 respuestas más 1 respuesta más 6 respuestas más lefnire • hace 12 d • Editado hace 11 d It reminds me of people leaking system prompts for AI agents. Some treat it as educational material. Others act like they've just hacked OpenAI "all your base are belong to us" "You are a helpful agent. You answer questions in an informative, friendly..." Got'em boys! Send out the ransom letter, straight to the bank Upvote 96 Downvote Responder Premiar Compartir CGeorges89 • hace 11 d full-stack When the whole app is a wrapper around a model with a tailored prompt, it is. Upvote 31 Downvote Responder Premiar Compartir TreelyOutstanding • hace 11 d When you whole moat is a system prompt, you don't have a moat. Upvote 15 Downvote Responder Premiar Compartir 2 respuestas más Avatar de u/DankousKhan DankousKhan • hace 12 d Not to mention any code worth a damn isn't client side but somewhere on the server outside of view. Upvote 66 Downvote Responder Premiar Compartir 2 respuestas más f311a • hace 11 d Comments can be sensitive. They mention internal decisions/information. For example, in this code, they have links to at least 4 internal systems with some extra info about tickets/issues. These comments could be business-related and sensitive. Upvote 29 Downvote Responder Premiar Compartir 3 respuestas más Avatar de u/Ethesen Ethesen • hace 12 d It actually is minified. You can see the original code in the screenshot because of source maps. Upvote 36 Downvote Responder Premiar Compartir Avatar de u/justinram11 justinram11 • hace 12 d Similarly, I've had front-end developers very concerned about public keys (such as for Stripe, or an Analytics library) being in the git repo Upvote 15 Downvote Responder Premiar Compartir gyzerok • hace 11 d It’s not slightly more readable, it’s basically how it is in their repository, with all the comments even. So unless we have a a different definition of “exposing their source code” in our heads, that’s exactly what is happening. And I am quite certain about my experience :) Upvote 10 Downvote Responder Premiar Compartir 1 respuesta más 64 respuestas más ricketybang • hace 12 d I'm glad that I'm not the only one shipping stuff like this to production: // TODO: fix... I feel much better now :D Upvote 506 Downvote Responder Premiar Compartir Acalme-se_Satan • hace 12 d I doubt a single person in this world has ever 100% tackled everything in their TODO lists. Upvote 78 Downvote Responder Premiar Compartir Avatar de u/UnnamedPlayer UnnamedPlayer • hace 11 d The secret is to never mark anything as a TODO item unless you want to impress/misdirect the person reviewing your code. Upvote 22 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/EvoDriver EvoDriver • hace 12 d Seeing this sort of thing makes me mad... When will it be fixed? Who will fix it? What is the fix? What's the ticket number for this? Upvote 52 Downvote Responder Premiar Compartir khizoa • hace 12 d what makes me mad is that nobody asks how is the fix Upvote 114 Downvote Responder Premiar Compartir artemiscash • hace 12 d what makes me even madder is that noone asks why is the fix Upvote 24 Downvote Responder Premiar Compartir 2 respuestas más 1 respuesta más Avatar de u/LunarCrayonsBender LunarCrayonsBender • hace 12 d When will it be fixed? Never Who will fix it? Noone What is the fix? Unknown What's the ticket number for this? Unknown Upvote 29 Downvote Responder Premiar Compartir internizti21 • hace 12 d 1 respuesta más Avatar de u/TheDruidsKeeper TheDruidsKeeper • hace 12 d I honestly don't see a problem with this, and encourage it when appropriate. Not everything needs an immediate solution, so putting a todo for future engineers to be aware of shortcomings is very useful. Creating a ticket should only be done if you intend to address the work "soon", otherwise you're just adding more dead weight to the ticket tracker that may eventually become obsolete if that code is later changed and the todo is no longer relevant. Upvote 24 Downvote Responder Premiar Compartir UnacceptableUse • hace 12 d To be fair, a lot of the ones in this source code have what appears to be ticket numbers attached Upvote 7 Downvote Responder Premiar Compartir usrdef • hace 12 d I have a habit I've tried to break.... but it's not easy. I have a very big issue with OVER commenting my code. If I create a complex function, you're looking at probably a 30 line header comment explaining the function, params, examples, returns. Upvote 7 Downvote Responder Premiar Compartir 4 respuestas más 3 respuestas más 5 respuestas más Avatar de u/micalm micalm • hace 12 d <script>alert('ha!')</script> Frontend code. Not really that big of a deal and not all of it's source code. Upvote 2 mil Downvote Responder Premiar Compartir [eliminado] • hace 12 d 10 respuestas más Avatar de u/kiloCode u/kiloCode • Patrocinado The new GPT-5.1 models are out, and they're all on Kilo Code. Try it today! Read More blog.kilocode.ai Thumbnail image: The new GPT-5.1 models are out, and they're all on Kilo Code. Try it today! Avatar de u/Ugiwa Ugiwa • hace 12 d A lot of comments here talk about security but I think y'all are missing the point - it's really nice to see how a big company like Apple writes and architechtures their frontend.. Upvote 108 Downvote Responder Premiar Compartir Avatar de u/xDo7 xDo7 • hace 11 d Yea, I don't get why everyone is bashing this guy. I found it interesting and I also checked the architecture, thanks guy. Upvote 41 Downvote Responder Premiar Compartir Avatar de u/retardedweabo retardedweabo • hace 11 d they want to feel smart Upvote 13 Downvote Responder Premiar Compartir 2 respuestas más Avatar de u/Maxion Maxion • hace 11 d Agree, it's really nice to see how such an important site for a big company is architectured. They've got orders of magnitude more revenue coming in from this site than the projects I've ever been involved with. It's nice to see where the bar is at. Upvote 7 Downvote Responder Premiar Compartir Leimina • hace 12 d So what? Enabling source maps in production is one valid use case of source maps. Upvote 221 Downvote Responder Premiar Compartir Prudent_Station_3912 • hace 11 d well said Upvote 5 Downvote Responder Premiar Compartir 3 respuestas más peetabear • hace 12 d bro thinks they found a goldmine here Upvote 146 Downvote Responder Premiar Compartir Avatar de u/notnulldev notnulldev • hace 11 d yep, the author sounds like the type of developer that encodes api keys in base64 in his android / ios app and thinks that he is safe Upvote 37 Downvote Responder Premiar Compartir Avatar de u/thekwoka thekwoka • hace 11 d I'm doing some consulting with a multi billion $/yr company and they have an off shore app dev team, and discussing some plans with them it sounds like they just want to embed the secret key directly in the app. When they mentioned that loosely, I mentioned its a secret so it shouldn't be in the app, and the response was "okay, we'll make a call to the server to get the key"... oh kay buddy... it was a bit unclear to me what they were saying, and my role isn't security, but like...damn... Upvote 15 Downvote Responder Premiar Compartir Avatar de u/eyebrows360 eyebrows360 • hace 11 d Please revert on the same. Upvote 4 Downvote Responder Premiar Compartir esr360 • hace 10 d There can sometimes be red herrings. I work for a multi billion $/yr company, and I tried to explain that it's OK if our Amplitude API key is exposed to the client - this is actually by design and not a security issue (there is a separate "secret" key). I was still coerced to add the value to AWS Secrets Manager, retrieve it during build time, only so it can be embedded into our production code that is served to the client and visible to all. It's `05f55c4362d8f3c42f2fb447023e6jd0` incase anyone was wondering. Upvote 4 Downvote Responder Premiar Compartir 1 respuesta más 3 respuestas más 3 respuestas más 1 respuesta más svekl • hace 12 d Might be not a popular opinion but it's sometimes handy to have source maps on production for debugging. It doesn't add to payload if dev tools are not open. And javascript is a code sent as is anyway even if it's minified, you shouldn't hide anything secret there. Upvote 78 Downvote Responder Premiar Compartir Avatar de u/redditfuckingsuckslo redditfuckingsuckslo • hace 12 d if youve got a tool capturing console output, this is invaluable. it seems like a lot of people are expecting their browser level code to be some mystery? Upvote 18 Downvote Responder Premiar Compartir Avatar de u/thekwoka thekwoka • hace 11 d Sentry has options for providing them the source maps to connect errors to without making the source maps public. Upvote 5 Downvote Responder Premiar Compartir Avatar de u/tonkotsu-ai u/tonkotsu-ai • Patrocinado Tonkotsu makes you the tech lead of a team of coding agents. Try it FREE. Descargar tonkotsu.ai Thumbnail image: Tonkotsu makes you the tech lead of a team of coding agents. Try it FREE. neosatan_pl • hace 12 d From a cursory read, quite nicely maintained app. Rather pleasant to read. Some smaller smells, but nothing I would bat an eye. However, calling it "all its source code" is wee sensational. It's the frontend code which they send to the browser anyways. It would be way more interesting to see their backend and/or infra configuration. Other than that, nothing special. Wouldn't even mention it in a conversation. Not to mention making a GitHub page or Reddit thread. Upvote 156 Downvote Responder Premiar Compartir 3 respuestas más danabrey • hace 12 d You realise some companies don't even bother obfuscating JS, right? And that both obfuscating and minifying is to save bytes in transit not for security purposes. The 'source code' of frontend JS is ALWAYS exposed. This isn't the gotcha you think it is. Upvote 166 Downvote Responder Premiar Compartir 27 respuestas más Bloodsucker_ • hace 12 d OBFUSCATION ISN'T SECURITY. Upvote 62 Downvote Responder Premiar Compartir Avatar de u/truly-wants-death truly-wants-death • hace 12 d Did they just forget to minify? Upvote 71 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 12 d • Editado hace 12 d No, they forgot to delete the sourcemap. You can verify this by disabling sourcemap in devtools. Upvote 58 Downvote Responder Premiar Compartir Avatar de u/aequasi08 aequasi08 • hace 12 d maybe its not on accident....? This is honestly not a big deal. Its not even a little deal. Upvote 41 Downvote Responder Premiar Compartir Avatar de u/notnulldev notnulldev • hace 11 d yeah maybe there was some kind of weird bug happening only on prod so they wanted to debug it so included source maps to prod - which can happen Upvote 4 Downvote Responder Premiar Compartir 1 respuesta más AdministrativeBlock0 • hace 12 d Back in the olden days (2001) you could view the unminified source of everything on the web. It's how us old timers learned to build things. View Source Copy it Hack it until you understood Use it on your own site Those were good times. Upvote 35 Downvote Responder Premiar Compartir Ceigey • hace 12 d Heck that probably continued until the early 2010s, I reckon (anecdotally) a lot of sites weren’t minifying their sources until stuff like Gulp came into existence. The average age of commenters here must skew quite young… Upvote 14 Downvote Responder Premiar Compartir skunkwalnut • hace 12 d • Editado hace 12 d you have to go through 10 interview rounds then the actual developers pull some shit like this. Upvote 514 Downvote Responder Premiar Compartir UserAboveMeIsGay • hace 12 d pull shit like what? this doesn't have any value, you could just as well do the F12 on whatever system you're using and get the same result, with minor extra steps. everybody makes mistakes and this one barely makes any difference other than making reasons to poke the guy. Upvote 55 Downvote Responder Premiar Compartir -hellozukohere- • hace 12 d I’m more surprised this has been up for 24 minutes and it has not been removed from GitHub. I am sure even though it is all technically “public” some VP at Apple when they catch wind, this repo and the dev at Apple is done. Upvote 100 Downvote Responder Premiar Compartir SafetyAncient • hace 12 d a front end app is intended to run on a client pc, obfuscation of the source code only makes it difficult but not impossible to read through the logic. the "source code" there is a clientside app where the user's actions are only preliminary requests to the secure remote server, theres no "leak" of any kind in letting your client see what your code is doing on their computer. to think anyone gets fired over this shows a lack of basic understanding of a distributed online system. youre viewing this on a web browser that received clientside "exposed source code", woopdydoo. obfuscation is kidn of trivial with AI pattern recognition anyways Upvote 82 Downvote Responder Premiar Compartir 3 respuestas más Avatar de u/AtatS-aPutut AtatS-aPutut • hace 12 d I made a copy of the source code just in case this happens Upvote 47 Downvote Responder Premiar Compartir pong-and-ping • hace 12 d And you will not be the only one. Probably why apple isn't too bothered, good old hydra logic, take this repo down, two more will just pop up. That and, it isn't that bit of a deal. Upvote 30 Downvote Responder Premiar Compartir 3 respuestas más 4 respuestas más neosatan_pl • hace 12 d I doubt it. It's a non-issue. People already had access to this code and it's only sourcemaps. There would have to be some really stupid shit there (that shouldn't be there in the first place) for a technical VP to bat an eye at news like this. Upvote 24 Downvote Responder Premiar Compartir 3 respuestas más Avatar de u/drabred drabred • hace 12 d I bet they can invert binary tree and implement some sorting algo. on a piece of paper though right?! How cool is that. Upvote 17 Downvote Responder Premiar Compartir 2 respuestas más 6 respuestas más Avatar de u/Appropriate_Shock2 Appropriate_Shock2 • hace 10 d • Editado hace 10 d Found one that was re uploaded: https://github.com/2u841r/apps.apple.com . << make sure to add the extra dot, reddit formatting is cutting it off. That was fast lol. Here is another one: https://github.com/minhducdz99/apps.apple.com Make sure to clone it If that doesn't work, search apps.apple.com on github. More will pop up. Upvote 9 Downvote Responder Premiar Compartir 14 respuestas más personaltalisman • hace 12 d How do you figure they forgot? It’s quite common to enable source maps in production if you don’t have anything to hide (which you shouldn’t, since your code will be public anyways) and want to make debugging a bit simpler. Especially given such a simple/straightforward frontend like this, that gets accessed using every combination of browser and OS under the sun, I would have made the same choice. But nice clickbait. Upvote 41 Downvote Responder Premiar Compartir Avatar de u/exotic_anakin exotic_anakin • hace 12 d This, as eluded to in other comments, isn't really that big of a deal. Apple neglected to optimize their code by minifying it, or maybe something in the process broke. There's no security problem here, and no "oh my god they're so dumb" moment. It's my understanding that their engineering culture isn't really to slow+careful with things, and they don't focus super hard on high-quality up front. They just sorta "ship it if it works" and brute force problems by throwing expensive engineers at it when things go wrong. Upvote 197 Downvote Responder Premiar Compartir Avatar de u/anamexis anamexis • hace 12 d The code is minified. They shipped their sourcemap, which is perfectly acceptable. https://highlight.io/blog/make-source-maps-public Upvote 31 Downvote Responder Premiar Compartir TheTomatoes2 • hace 12 d Apple used to be the exact opposite of this culture. The downfall of their QA culture is brutal. Upvote 71 Downvote Responder Premiar Compartir 2 respuestas más 20 respuestas más Avatar de u/JarmelWilliams JarmelWilliams • hace 12 d It's nice to see Svelte used at such a large company. Svelte is the best. Upvote 16 Downvote Responder Premiar Compartir tonjohn • hace 11 d It’s interesting that they switched from Vue to Svelte Upvote 4 Downvote Responder Premiar Compartir 1 respuesta más Professional_Job_307 • hace 12 d Front-end javascript is always open to be viewed, it's just often obfuscated. Upvote 24 Downvote Responder Premiar Compartir Avatar de u/AttentiveUser AttentiveUser • hace 12 d Good job! It is good for junior devs to look at code like this I suppose? Upvote 23 Downvote Responder Premiar Compartir 2 respuestas más na_rm_true • hace 12 d This is like me saying I know ur source code cus I know u need air and blood. Upvote 14 Downvote Responder Premiar Compartir Avatar de u/BlackLampone BlackLampone • hace 12 d So they shipped frontend code to the frontend, oh no. Upvote 14 Downvote Responder Premiar Compartir cshaiku • hace 12 d Insignia de perfil para el logro 1% de más votados 1% de más votados Bro thinks they have discovered a goldmine. Probably thinks ‘hunter1’ is stuff of legends. Upvote 14 Downvote Responder Premiar Compartir 6 respuestas más Avatar de u/0daywizard 0daywizard • hace 12 d yiou're acting like it's not incredibly simple to deobfuscate minified JS.. honestly idk if "deobfuscate" is even the right word here given the simplicity.. Upvote 53 Downvote Responder Premiar Compartir Avatar de u/NotSeanPlott NotSeanPlott • hace 12 d “Beauti-Expandify”?? Upvote 23 Downvote Responder Premiar Compartir Avatar de u/ottwebdev ottwebdev • hace 12 d Thats what she said. Upvote 9 Downvote Responder Premiar Compartir 2 respuestas más neortje • hace 12 d Deobfuscating is easy, but a proper minifying will also shorten variable names, remove comments etc which isn’t fixed by deobfuscating. Having the original code does make it more easy to read. It’s not like the OP has hit the jackpot, but having this code in easy readable format does make it a nice example project which gives an idea how a company like Apple uses the framework. Upvote 44 Downvote Responder 1 Compartir 3 respuestas más 16 respuestas más isospeedrix • hace 12 d Whoa. Well technically fe source code is always there but minified but still interesting to see it not minified Upvote 8 Downvote Responder Premiar Compartir _psyguy • hace 11 d I wonder if/when Apple would file a DMCA request to GitHub (or the thing that Google/YouTube did with youtube-dl a while ago) on your repo (and its forks). Not looking forward to that personally. Upvote 4 Downvote Responder Premiar Compartir 6 respuestas más Avatar de u/dangoodspeed dangoodspeed • hace 11 d Back in the 1990's when I learned how to build websites, it was from looking at the source code of other sites that had features I wanted to emulate. Looking at front-end source code is definitely nothing new. Upvote 4 Downvote Responder Premiar Compartir Mysterious-Silver-21 • hace 11 d This is a big old nothingburger. Plenty of companies with nothing to hide feel comfortable sending unobfuscated front end code, database connectivity and all. The company I work for, we explicitly leave comments and documentation in our html and vanilla js source files, so long as we respect the 14kb rule. It's design officially is to help contractors we onboard, but I'd be thrilled to one day get an email that helped someone learn something new or something. From where I'm standing, there are several good reasons to serve unobfuscated source code, and only two (bad), reasons to serve obfuscated code: lack of faith in your own security practices, and a failure to recognize loadtime/runtime as part of ux. Minification is a legit practice, and if implemented well can result in faster ux, but you're still serving your code to anyone malicious and skilled enough to parse through an obfuscated mess in either case. Upvote 4 Downvote Responder Premiar Compartir irukadesune • hace 10 d funny my forked repo got DMCA takedown notice Upvote 4 Downvote Responder Premiar Compartir 9 respuestas más Specav • hace 12 d Why does everyone have to “well actually” an interesting find from OP omg - this is cool to see! Upvote 9 Downvote Responder Premiar Compartir Gipetto • hace 12 d Thats how Javascript works, yes. Upvote 71 Downvote Responder Premiar Compartir Avatar de u/electricity_is_life electricity_is_life • hace 12 d Insignia de perfil para el logro 1% de más votados 1% de más votados You wouldn't typically publish TS types and comments and that sort of thing. Upvote 42 Downvote Responder Premiar Compartir 2 respuestas más Avatar de u/jacobp100 jacobp100 • hace 12 d Not exactly. You normally run code that's somewhat obfuscated from what you wrote. In development, you have something (a sourcemap) that undoes that so you can see your code as you wrote it - and they accidentally shipped the sourcemaps Upvote 39 Downvote Responder Premiar Compartir 7 respuestas más TheTomatoes2 • hace 12 d Web apps dont usually deploy the entire source code, including comments. Upvote 1 Downvote Responder Premiar Compartir 1 respuesta más wesborland1234 • hace 12 d Is this necessarily a bad thing? How many successful commercial products are open source or have a self hosted option? Presumably they didn’t expose any secrets or env files Upvote 8 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 12 d For other developers, it's certainly a good thing to see how Apple uses web frameworks like Svelte. I just checked the Devtools for fun and ended up discovering their source code. After inspecting with LLM, indeed no secrets were exposed. Upvote 1 Downvote Responder Premiar Compartir Altugsalt • hace 12 d php my beloved emoji:redditgold: what Upvote 23 Downvote Responder Premiar Compartir 1 respuesta más erishun • hace 12 d expert Insignia de perfil para el logro 1% de más votados 1% de más votados It’s front end, all code is always exposed. But it is interesting to see it unminified Upvote 3 Downvote Responder Premiar Compartir vidschofelix • hace 11 d Thank you! Yes, it's not a secret, but it's really interesting to see apples svelte source. Upvote 3 Downvote Responder Premiar Compartir maxktz • hace 11 d huge win for Svelte I guess Upvote 3 Downvote Responder Premiar Compartir UnhappyEnergy2268 • hace 11 d Lol, what is this sensationalist BS. Front end has always been "exposed" and you can't seriously implement security by obfuscation. Welcome to the internet Avatar de u/1982FenceHopper 1982FenceHopper • hace 11 d Thats js frontend code, its exposed for every website. Upvote 3 Downvote Responder Premiar Compartir Avatar de u/PaintingAvailable563 PaintingAvailable563 • hace 10 d I just got a dmca for forking the repo too 😂😂 if someone cloned it locally, please push it to a different name and share it with us 🙏 Upvote 3 Downvote Responder Premiar Compartir Avatar de u/bid0u bid0u • hace 10 d You're featured on 9to5mac: https://9to5mac.com/2025/11/04/web-app-store-front-end-source-code-github/ Upvote 3 Downvote Responder Premiar Compartir AloyHzD • hace 10 d Did anyone download it locally? Upvote 3 Downvote Responder Premiar Compartir 2 respuestas más hazily • hace 12 d • Editado hace 11 d [object Object] Tell me you don’t know about frontend development without telling me you don’t know about frontend development. This is just source maps being available so you’re seeing unobfuscated code. End of story. Upvote 13 Downvote Responder Premiar Compartir Avatar de u/retardedweabo retardedweabo • hace 11 d He doesn't claim it's a security issue but just a cool thing. Now we can see the exact modules they use, their exact file structure, every file in its place instead of obfuscated mess, developer comments and more. Upvote 4 Downvote Responder Premiar Compartir Avatar de u/ConfusedIlluminati ConfusedIlluminati • hace 12 d Apple makes a mistake Reddit hive mind: actuallllyyyy it is you who is wrong Upvote 2 Downvote Responder Premiar Compartir 4 respuestas más Potatopika • hace 12 d full-stack Thats a bug clearly. But it's not really that serious since you should always assume frontend code to be compromised since it's always running in the user. 🤷‍♂️ i would be shocked if there were api keys hard coded there foe example Upvote 12 Downvote Responder Premiar Compartir 2 respuestas más saposapot • hace 12 d And? inchereddit • hace 12 d It's like saying, I hacked NASA for taking a picture of the front of its building. iareprogrammer • hace 12 d What does the web version even do though? UpcomingFellow • hace 12 d Looks like this is fixed and not happening anymore Upvote 2 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 12 d Fortunately, I've already backed up the code on GitHub. Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más adrianzz84 • hace 11 d ... So two is not even Upvote 2 Downvote Responder Premiar Compartir GoofAckYoorsElf • hace 11 d Upload it somewhere else. GitHub will remove it. Upvote 2 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 11 d You can do this anytime! Upvote 3 Downvote Responder Premiar Compartir dragonnik • hace 11 d But wondering one thing (haven't worked on svelte), shouldnt the app builder automatically take care of this? We use vite and it does this nicely Upvote 2 Downvote Responder Premiar Compartir Volkova0093 • hace 11 d If you ever feel insecure about your code, remember that big companies use messy code all the time. Upvote 2 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 11 d and // TODO: fix... Upvote 2 Downvote Responder Premiar Compartir hugazow • hace 11 d Op does not get web Upvote 2 Downvote Responder Premiar Compartir Avatar de u/Shot-Buy6013 Shot-Buy6013 • hace 11 d Lol it doesn't matter. How do you think your browser uses JS or CSS? They WANT the user to have it, that's the point of frontend code. Upvote 2 Downvote Responder Premiar Compartir Avatar de u/DepressedDrift DepressedDrift • hace 11 d If the backend server makes all the big decisions, can you really do anything malicious if the server only accepts an encrypted key as input to access sensitive functions? This is why you design your client to mainly interact with the user and retrive information for a backend program to evaluate. Upvote 2 Downvote Responder Premiar Compartir Avatar de u/QultrosSanhattan QultrosSanhattan • hace 10 d Nobody cares about frontend code. Upvote 2 Downvote Responder Premiar Compartir Avatar de u/zbp1024 zbp1024 • hace 10 d This is a major accident, but I don't think this code is useful for others. Upvote 2 Downvote Responder Premiar Compartir pinguluk • hace 10 d I just got a DCMA for forking the repo, lol Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/Consistent-Dust4170 Consistent-Dust4170 • hace 10 d And its gone Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/tomasvn tomasvn • hace 10 d Update: It is all down, guys we had fun :) https://github.com/github/dmca/blob/master/2025/11/2025-11-05-apple.md Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/GrapeJust3973 GrapeJust3973 • hace 10 d • Editado hace 9 d I missed the opportunity to clone the repository :( Can anyone share the source code? I am interested in Svelte and would like to see how it is used to build a corporate frontend (Already found it, thanks) Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/ContributionTop2930 ContributionTop2930 • hace 10 d Can somebody please share the code? I forked the repo and github took it down before I could clone it locally :( Upvote 2 Downvote Responder Premiar Compartir 3 respuestas más GodShadowPLS • hace 10 d someone has local download to share pls Upvote 2 Downvote Responder Premiar Compartir 8 respuestas más Avatar de u/CEOskydev CEOskydev • hace 10 d Git me .zip i learning Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más m28k • hace 10 d :/ please upload zip somewhere. I have a thing for looking at big companies source-mapped fe js. GitHub got DMCAd edit: nvm, a github search for "apps.apple.com" got me it Upvote 2 Downvote Responder Premiar Compartir 2 respuestas más Easy_Milk_8985 • hace 9 d I think I can learn something from it Upvote 2 Downvote Responder Premiar Compartir Avatar de u/YaroslavPodorvanov YaroslavPodorvanov • hace 9 d Kind of an official announcement from Apple: Svelte is now production-ready. Some AI is probably already training on their accidentally published code. Upvote 2 Downvote Responder Premiar Compartir the_bieb • hace 12 d The inconsistent naming of the events bugs me. Upvote 4 Downvote Responder Premiar Compartir mxldevs • hace 12 d Confused. Isn't the front end source code always exposed to the browser? What makes this different? Are you able to reverse engineer the backend with it? Upvote 3 Downvote Responder Premiar Compartir Avatar de u/ChypRiotE ChypRiotE • hace 12 d Yeah this is always available, but most of the time obfuscated through minification. Sourcemaps were published so it was possible to de obfuscate it, but it's still the same code that runs in the browser. For some reasons OP thinks this is a big fuck up on apple's side and a big deal Upvote 1 Downvote Responder Premiar Compartir 1 respuesta más PublicBarracuda5311 • hace 11 d "forgot" means no one noticed because of too much vibes Upvote 3 Downvote Responder Premiar Compartir raccoonizer3000 • hace 11 d All the fanboyz saying this is not a mistake... but apple took it down in less that 10 hours ;) Thanks, OP, cool way to get into Svelte! Upvote 3 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 11 d fans: How could Apple possibly make a mistake? / Client-side code is not important. Upvote 1 Downvote Responder Premiar Compartir Avatar de u/hyrumwhite hyrumwhite • hace 12 d Every site reveals its source code. It’s not hard to pick through even obfuscated code. Upvote 4 Downvote Responder Premiar Compartir nnirmalll • hace 12 d I was interested in api/ but apparently No Content: https://apps.apple.com/api/csp-report It's just frontend so IMO I would say not a big deal. 2 respuestas más RedditParhey • hace 12 d ????? Avatar de u/rxliuli rxliuli OP • hace 12 d https://github.com/rxliuli/apps.apple.com 1 respuesta más Avatar de u/burnerguy43 burnerguy43 • hace 12 d The amount of scrubs here that think frontend = backend source code 🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🙁 🙄🔫 Upvote 3 Downvote Responder Premiar Compartir Avatar de u/Mafty_Navue_Erin Mafty_Navue_Erin • hace 12 d The web shouldn't have anything really important assuming they delegated to the backend all the business logic. Upvote 2 Downvote Responder Premiar Compartir Some_Ad_3898 • hace 12 d Can someone ELI5 why showing sourcemap config is potentially bad? Upvote 2 Downvote Responder Premiar Compartir assembly_wizard • hace 12 d Mostly because of comments, and rarely because of names or other things developers expect to be minified. If you wrote your site knowing that the source will be exposed then it's fine, but many developers I've met left sensitive info in comments of closed source projects. It might be full names, API keys, passwords, or public IPs of services for internal use only. As for variable names, this might be something like const enableProjectUltra = false which can leak sensitive info about the company. So the problem is exposing a part of the code that developers probably expected to stay private. If it's clear from the start that the code will be exposed, there's no problem. This is not just a web thing btw, the same is true for projects in C/C++/Rust/go/etc. For some reason most people in this thread seem to be ignoring this and choosing to laugh at OP instead. Upvote 3 Downvote Responder Premiar Compartir Avatar de u/Mr_JavaScripson Mr_JavaScripson • hace 12 d The only difference is that code with sourcemap config will be easier to read. OP thinks that the lack of minification and obfuscation makes the site more vulnerable. He does not understand that the sites of such serious organisations will be investigated by serious hackers (both white hats and not entirely law-abiding people). And they will not be lazy to investigate the obfuscated code. Upvote 2 Downvote Responder Premiar Compartir Specialist-Coast9787 • hace 12 d Uploaded 3 hours ago and 150+ forks. Nice work OP 💪🏾 Upvote 2 Downvote Responder Premiar Compartir Avatar de u/xadlowfkj xadlowfkj • hace 12 d Anyone who believes the title is incorrect should read this: https://www.gnu.org/philosophy/javascript-trap.en.html Even though Richard Stallman was cancelled, the points made by him and GNU remain valid. Upvote 2 Downvote Responder Premiar Compartir prodigy_xx • hace 11 d Frontend code is rarely groundbreaking or sensitive. It’s public code executed on the client, so it’s never truly safe - and developers know that. What matters is securing the server endpoints and properly authorizing every request. As long as that’s done, you can expose as much frontend code as you like. Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/hotpotato87 hotpotato87 • hace 11 d please get me source code of this https://www.apple.com/iphone-17-pro/ Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más Moneysac • hace 9 d It was just taken down. We need another copy of the repository please. Upvote 2 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/cuntmong cuntmong • hace 12 d Apple is like the biggest tech company in the world and their app store is central to so much consumer technology and they're using Svelte. Can we finally put to bed the "We need to use React because its the only thing suitable for large projects" crap. Fuck React. Upvote 2 Downvote Responder Premiar Compartir 2 respuestas más h0usebr0k3n • hace 12 d You can do this on most websites Upvote 2 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 12 d Most websites actually don't include sourcemaps, so you can only see the minified JavaScript code. Upvote 3 Downvote Responder Premiar Compartir 3 respuestas más Avatar de u/CedarSageAndSilicone CedarSageAndSilicone • hace 12 d • Editado hace 12 d umm who cares? like, yeah, this is cool from a "lets see how they do it" perspective but from a "apple has been pwned" perspective - not really. Upvote 2 Downvote Responder Premiar Compartir makedaddyfart • hace 12 d It's front end code. Who cares. It goes to the browser anyways. Security through obscurity is not a thing Upvote 1 Downvote Responder Premiar Compartir Avatar de u/RemoteActivity RemoteActivity • hace 12 d I particularly enjoyed this comment complaining about Safari: /** We are using a currentStateId on this class to always store the state id instead of saving it on the window.history.state because there seems to be a bug in Safari where it is mutating the window.history.state to null after our Sign In flow which includes multiple iframes and multiple internal state changes inside the iframes. We can move back to window.history.state storing the id if the Safari Issue is fixed in future. */ Upvote 1 Downvote Responder Premiar Compartir Avatar de u/Mathematitan Mathematitan • hace 12 d This isn’t a complaint. This is what comments are for. Explain why it is the way it is and how to remediate it later without having to go digging for answers to questions you don’t have. Upvote 4 Downvote Responder Premiar Compartir 1 respuesta más Watermelonnable • hace 12 d frontend devs justifying their positions switching frontend tech just because Upvote 1 Downvote Responder Premiar Compartir lukematthew • hace 12 d If you've been building websites for 20+ years you'll know this isn't anything special 🤪 Client-side code is visible on the... client. Nothing sensitive should ever be there anyway. Upvote 1 Downvote Responder Premiar Compartir Avatar de u/False-Car-1218 False-Car-1218 • hace 12 d It's just client code and it doesn't really matter that people can access it, even if it was obfuscated, someone can still reverse engineer the code Ordinary_Squash7559 • hace 12 d This is common practice… nothing alarming here Upvote 1 Downvote Responder Premiar Compartir Avatar de u/coyote_of_the_month coyote_of_the_month • hace 12 d Publishing a frontend source map to prod is a great way to debug issues that only appear in prod. I think we should normalize the practice - if your frontend code is exposing security holes, you've got bigger problems. Upvote 1 Downvote Responder Premiar Compartir Sad-Amphibian-2767 • hace 12 d Not biggy, but a little bit funny for sure! Upvote 1 Downvote Responder Premiar Compartir psychedelictrance • hace 12 d Strange for Apple, but nothing new. Plenty of websites with ts/scss sourcemaps out there. Upvote 1 Downvote Responder Premiar Compartir isBot-True • hace 12 d probably enabled source maps by accident for production. but does it really matter? Upvote 1 Downvote Responder Premiar Compartir Brilliant-Kick2708 • hace 12 d This gave me an opportunity to compare the loading speeds of apple versus google play store. Svelte is actually kinda crazy how there's virtually no load between pages. Upvote 1 Downvote Responder Premiar Compartir knight04 • hace 12 d Thanks, I'm still kinda new to this and i love reading these to give me a better understanding and see if I learn something new. Avatar de u/Ok_Current5380 Ok_Current5380 • hace 12 d OP, your title is wrong, but your find is not without value, as many here say. Upvote 1 Downvote Responder Premiar Compartir Avatar de u/xadlowfkj xadlowfkj • hace 12 d Really? They use Svelte? That’s huge for me. Now I’ll try again to convince my company to use it. Upvote 1 Downvote Responder Premiar Compartir Avatar de u/rxliuli rxliuli OP • hace 12 d Yes, but interestingly, they're using the older version Svelte 4, not the latest Svelte 5. Upvote 1 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/wingardiumghosla wingardiumghosla • hace 12 d Not a web dev , can someone eli5 please Upvote 1 Downvote Responder Premiar Compartir eoThica • hace 11 d front-end Lol. It's just business logic. Who cares. Upvote 1 Downvote Responder Premiar Compartir DeifniteProfessional • hace 11 d Cool I'm not even a developer (just an ex hobbyist from wayback) and even I know this is literally a non issue Upvote 1 Downvote Responder Premiar Compartir that_one_retard_2 • hace 11 d “Exposes all its source code” lol web dev moment. They haven’t “exposed” their “source code”, it’s just not transpiled and obfuscated, but it wasn’t really hidden to begin with, nor is this code too relevant Upvote 1 Downvote Responder Premiar Compartir Avatar de u/Maxion Maxion • hace 11 d People are dicks, thanks OP for sharing! Upvote 1 Downvote Responder Premiar Compartir Reddet99 • hace 11 d Weather_Only • hace 11 d Which intern did this Upvote 1 Downvote Responder Premiar Compartir leshift • hace 9 d Did anyone downloaded the repo before it was taken down? I am very curious about this code! Upvote 1 Downvote Responder Premiar Compartir 2 respuestas más iMike_505 • hace 9 d Has anyone else downloaded the source code? 👽 Upvote 1 Downvote Responder Premiar Compartir 1 respuesta más Upper_Ad6637 • hace 9 d source code plsssss Upvote 1 Downvote Responder Premiar Compartir 1 respuesta más Avatar de u/todorpopov todorpopov • hace 12 d I’m actually at a loss for words. Are we serious right now? Has AI just eaten the brains of everyone at this point? Upvote 0 Downvote Responder Premiar Compartir StandWithHKFuckCCP • hace 12 d Where's OP's brain? Upvote 0 Downvote Responder Premiar Compartir FullSlack • hace 12 d This is why BEDs make fun of FEDs lol Upvote 0 Downvote Responder Premiar Compartir Avatar de u/digidavis digidavis • hace 12 d • Editado hace 12 d Nothing on the client side is safe. Nothing on the client side is safe. Nothing on the client side is safe. Nothing on the client side is safe. Nothing on the client side is safe. Feel free to repeat as much as necessary until you understand it, or until you fall victim to it. Minimizing or even compiling code does nothing to hide it functionality. Security through obscurity is no security at all! 1 respuesta más Avatar de u/Low-Win-6691 Low-Win-6691 • hace 12 d I guess the only thing minified is your stupid little nerd boners Epiq122 • hace 12 d that's all there source code eh ... ......... 1 respuesta más mbround18 • hace 12 d Your frontend is just a way for users to interface with your backend. All secure logic should be handled backend anyway so frontend code not being obfuscated doesn't matter. I prefer unobfuscated frontend code, it makes it easy for adaptations and injections Avatar de u/xFlyer409 xFlyer409 • hace 12 d Oh no they leaked their PLAY_STATES how can they possibly recover from this? DDFoster96 • hace 11 d Wow, we know that an LTR mark is \u200e 😱! Or that the constant PLAY is the string 'play'. Now I can hack the app store and get free apps. Avatar de u/vxmpxx vxmpxx • hace 12 d ggs TheTomatoes2 • hace 12 d So it's not just all good designers that left Apple, but also all good engineers. Mihikle • hace 12 d Example number 54 billion why leetcode isn't a good marker for a good engineer paulordbm • hace 12 d AnonymZ_ • hace 12 d Avatar de u/bid0u bid0u • hace 12 d • Editado hace 12 d That's interesting, thanks for sharing. To those who say it isn't a big deal, it could, not necessarily on a security level but on a modification level. One example: I'm skipping ads on a streaming platform that forces them by injecting some JS. If I had the sourcemaps, it'd have been a 5min job but with minification and obfuscation, it took me quite a long time to figure out what was what in the code and where I could circumvent it. Avatar de u/rxliuli rxliuli OP • hace 12 d Fortunately, LLMs are very good at analyzing compressed and obfuscated code, and you can give it a try as well. 2 respuestas más sneaky-pizza • hace 12 d rails Whooopsie Avatar de u/Toby-Query Toby-Query • hace 12 d In the current AI age, giving the source map doesn't make a difference dimonchoo • hace 12 d ripestmango • hace 12 d yikes! godhand_infamous • hace 12 d still there Avatar de u/deus_ith deus_ith • hace 12 d Ew. Bootstrap. Weird_Stomach_4455 • hace 11 d shotbyadingus • hace 11 d Yes, the multi trillion dollar company forgot to fix something before deploying to production. Good one Avatar de u/retardedweabo retardedweabo • hace 11 d Yes. They removed the source map after the discovery 2 respuestas más shamshuipopo • hace 11 d FE code is always already exposed lol ur browser downloads and runs it JimroidZeus • hace 11 d Ah, I see someone has recently discovered the web dev tools. Fun-Appointment-4629 • hace 9 d yo, can you reupload or dm me? I wanna take a look. 1 respuesta más ptrxyz • hace 9 d I wonder if anyone could dm me a link, someone must have checked it out before the take down... 1 respuesta más codernaut85 • hace 9 d All frontend code is already public. It is served to the browser or device. Nothing has been “exposed”. It’s just not minified. orion_lab • hace 12 d IAmRules • hace 12 d This is what happens when AI reviews take place of actual reviews. Avatar de u/Mexican_stoicism Mexican_stoicism • hace 12 d Typescript is the hard try to js to become in Java wavefunctionp • hace 12 d Do we tell him, guys? Avatar de u/Legitimate_Ride_3873 Legitimate_Ride_3873 • hace 10 d sonwhos gonna tell him? this is why university degree shoul be required to do this job Avatar de u/Abject-Bandicoot8890 Abject-Bandicoot8890 • hace 12 d How do you even ship the source code? 🤣 that’s what we have bundlers for iPetey • hace 12 d 😂😂😂😂😂😂😂😂 Avatar de u/iamatwork420 iamatwork420 • hace 12 d how many YoE do you have? _st23 • hace 12 d Avatar de u/NeedleworkerAble8199 NeedleworkerAble8199 • hace 12 d This may cause security issues [eliminado] • hace 12 d InflationUnable5463 • hace 12 d Avatar de u/klekmek klekmek • hace 12 d Homies still using Svelte4. I don't blame them either, the runes are hate/love Avatar de u/jacquesvfd jacquesvfd • hace 12 d Someone lmk if any funny comments are found in there 1 respuesta más XCSme • hace 12 d https://github.com/rxliuli/apps.apple.com/blob/main/src/App.svelte#L39 // The async IIFE allows this function to return synchronously. return (async (): Promise<Page> => { What? 3 respuestas más SR71F16F35B • hace 12 d Thank you for making a copy Santos_m321 • hace 12 d even Apple faces eslint-disable 😭 1 respuesta más vysmvm • hace 12 d How the hell did you extract that so fast? What'd you use? Avatar de u/rxliuli rxliuli OP • hace 12 d Save All Resources https://chromewebstore.google.com/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb Sgrinfio • hace 11 d Genuine question from a newbie developer, what's the porblem if it's client side code anyway? 1 respuesta más Avatar de u/merokotos merokotos • hace 11 d Tell me when ASO algorithms leak Avatar de u/thekwoka thekwoka • hace 11 d Looks like just source maps. firedogo • hace 11 d Is that good? That's good, right ?..... Right? Avatar de u/zhamdi zhamdi • hace 11 d Lol, this is a valuable source to get inspired by their styling and components. Should I add it to the https://svelter.me repo? What do you think? AwesomeFrisbee • hace 11 d Does this include the login page? Because it would be best if you don't include that into the source as it will make it easier for spammers and scammers to fake the login page of Apple Avatar de u/retardedweabo retardedweabo • hace 11 d redditors just want to make themselves feel smart dismissing this or just don't know what source maps truly do. Now we can see the exact modules they use, their exact file structure, every file in its place instead of obfuscated mess, developer comments and more. This is a very big deal rikzy75 • hace 11 d What framework were they using before? SveXteZ • hace 11 d Nice catch OP! P.S.: The Svelte developers would likely appreciate that Apple is using their framework. You might consider sharing your findings with them. Avatar de u/rxliuli rxliuli OP • hace 11 d Someone has already done this. https://www.reddit.com/r/sveltejs/comments/1onmeie/apples_new_app_store_site_is_built_with_svelte/ Avatar de u/eyebrows360 eyebrows360 • hace 11 d Why in the everliving shit would you upload something you believe to be some massive company's copyrighted code to GitHub?! Also, define "the" source code, because no. This isn't it. awesomeplenty • hace 11 d Bro just figure out chrome's developer setting 🤣🤣🤣 Avatar de u/legendary_anon legendary_anon • hace 11 d Okay, now armed with this juicy knowledge, can you add $5000 to my account and make everything free up there? Avatar de u/anosidium anosidium • hace 11 d It amazes me that you’ve got over 1.4k stars and 1.1k forks, the “source code” must be really important. ifOnlyFlamingo • hace 11 d What ide and color theme is this Avatar de u/Peloooopp Peloooopp • hace 11 d So from my understanding is worth learning svelte now**.** foresttrader • hace 11 d If I'm not mistaken, the way modern browser works is that a host sends all (frontend) code to user, and all that code runs in client sider browser. So you will be able to see all the code regardless. This is why never store credentials on frontend code, because its meant to be readable by others. Avatar de u/KindheartednessOk137 KindheartednessOk137 • hace 11 d Usually you deploy “converted” js code from typescript… but here source code typescript also 1 respuesta más Avatar de u/soylentgraham soylentgraham • hace 10 d this is how it's always worked Avatar de u/powerfuljack powerfuljack • hace 11 d It’s cool they moved over to Svelte dev-4_life • hace 11 d Avatar de u/morebob12 morebob12 • hace 10 d Omg bro you’re hacking them so much right now DefNotADeveloper • hace 10 d I am a bit shocked that people consider sourcemaps not a vulnerability from my experience one company i worked for got a CVE that was as a result of exposed source maps. Sanjuwa • hace 10 d how did you download it ? is there in chrome extension ? Avatar de u/theZozole theZozole • hace 10 d 7.7k forks in 2 days 🤣 patrys • hace 10 d full-stack First, it's nothing special. Second, it's still copyrighted and you don't have the rights to distribute it. Something being public does not magically make it public domain. Avatar de u/matieuxx matieuxx • hace 10 d A got DMCA takedown notice on the project… Avatar de u/vietnam_redstoner vietnam_redstoner • hace 10 d update 2 days later: apparently my fork received a DMCA but the linked repo is still up? edit: nvm browser cache Avatar de u/West-Grand2616 West-Grand2616 • hace 10 d Anyone who managed to download it, could you share it with me so I can better learn how to work with Svelte? :( 1 respuesta más bikini_bottomfrag • hace 10 d Just received the dmca takedown on the fork I could not cloned it.. Anyone have cloned it locally please share the link.. 2 respuestas más Avatar de u/Hakboy37 Hakboy37 • hace 10 d How do I get a copy now that GitHub has removed it? 2 respuestas más Avatar de u/whatstheplug whatstheplug • hace 10 d Did anybody keep a copy? I forked the repo because I really wanted to see how Apple writes their code but didn't load it to my local before the takedown of all forks :/ Avatar de u/whatstheplug whatstheplug • hace 10 d Tons of them are still there: https://github.com/search?q=apps.apple.com&type=repositories Avatar de u/Numerous-Type-6464 Numerous-Type-6464 • hace 10 d You prompted them to “fix” something that wasn’t broken which resulted in a net-negative for the community. Great job! prusync • hace 10 d OMG 😱, But it's good to see how Apple's developer writes code. Avatar de u/madmaxdev madmaxdev • hace 10 d its not there in github now, can you please share it in another way? 1 respuesta más lovelettersforher • hace 10 d lol Ver más comentarios Sección de información de la comunidad r/webdev Miembro webdev: reddit for web developers A community dedicated to all things web development: both front-end and back-end. For more design-related questions, try /r/web_design. Mostrar más Creada el 25 ene 2009 Público 685 mil visitantes semanales 9,7 mil colaboraciones semanales Etiquetas de usuario Avatar de u/quizman77 quizman77 Logros de la comunidad Veteranía Veteranía 1 reabierto(s) Ver todo Marcadores de comunidad Discord Twitter YouTube FAQs Reglas de r/webdev 1 No vague support questions about WYSIWYG editors or other software. 2 No memes, screenshots, and jokes 3 No self-promotion 4 No commercial promotions/solicitations 5 No soliciting feedback not on Saturday 6 Assistance Questions Guidelines 7 Career/Getting Started Questions Showoff Saturdays Work on something and want to share it? Showoff Saturdays are for you! Make a new post on Saturday and tag it [Showoff Saturday] and watch the views rise. Sharing your project, portfolio, or any other content that you want to either show off or request feedback on is limited to Showoff Saturday. If you post such content on any other day, it will be removed. Links Discord server Discord server Twitter account Twitter account YouTube channel YouTube channel Related Communites Icono de r/web_design r/web_design 938.148 miembros Icono de r/SaaS r/SaaS 451.262 miembros Moderadores Enviar mensaje a moderadores u/snissn expert u/julian88888888 emoji:snoo_dealwithit: Moderator Julian Avatar de u/aflashyrhetoric u/aflashyrhetoric front-end Avatar de u/so_much_reddit_T-T u/so_much_reddit_T-T emoji:snoo_dealwithit: Moderator Avatar de u/AutoModerator u/AutoModerator u/CherryJimbo James Ross Avatar de u/notcaffeinefree u/notcaffeinefree u/duckballista u/Gurgen emoji:snoo_dealwithit: Moderator Avatar de u/sleepy_roger u/sleepy_roger Ver todos los moderadores Reglas de Reddit Política de privacidad Acuerdo del usuario Accesibilidad Reddit, Inc. © 2025. Todos los derechos reservados. Contraer la navegación
Search
App Store source code exposure analysis
13 results
App Store filtrado
El usuario me ha pedido un análisis sobre el código filtrado de app.apple.com. El texto que ha proporcionado es una captura de pantalla de un hilo de Reddit (r/webdev) sobre este tema. Necesito analizar la situación basándome en tanto en el contenido del hilo como en la información que pueda encontrar en internet.
Primero, debo entender qué es exactamente lo que pasó:
  • Alguien descubrió que Apple había desplegado la nueva App Store web con los sourcemaps activados
  • Esto permitió descargar todo el código frontend (Svelte/TypeScript) directamente desde el sitio en producción
  • El usuario lo subió a GitHub, pero luego fue eliminado por DMCA
Ahora necesito buscar información adicional para hacer un análisis completo. Voy a buscar con las herramientas que tengo.
Clave: "App Store web source code exposed Apple"
Search
Apple App Store web source code sourcemaps
12 results
Apple expone frontend sin datos sensibles
Ahora tengo una buena cantidad de información de múltiples fuentes. Permíteme analizar todo esto para dar una respuesta completa al usuario.

Síntesis de la situación:

Qué sucedió:
  1. Apple lanzó una nueva interfaz web para la App Store (apps.apple.com)
  2. Olvidaron desactivar los sourcemaps en el entorno de producción
  3. Un desarrollador (rxliuli) usó herramientas de navegador para extraer todo el código frontend
  4. Lo subió a GitHub el 4 de noviembre de 2025
  5. Apple emitió un DMCA y GitHub eliminó 8,270 repositorios el 5-8 de noviembre
Qué se expuso:
  • Código fuente completo en Svelte/TypeScript
  • Lógica de gestión de estado
  • Componentes UI
  • Código de integración de API
  • Configuración de routing
  • Comentarios de desarrolladores (incluyendo referencias a tickets/issues internos)
Qué NO se expuso:
  • Código backend
  • Credenciales/API keys sensibles
  • Datos de usuarios
  • Lógica de negocio crítica del servidor
Reacción de la comunidad (según Reddit y otros medios):
  • Muchos desarrolladores dicen que no es gran cosa porque el código frontend siempre es público
  • Algunos ven valor educativo en ver cómo Apple estructura sus proyectos
  • Otros critican que Apple haya cometido un error básico
  • Debate sobre si la ofuscación es una medida de seguridad válida
Impacto real:
  • Seguridad: Mínimo (solo frontend)
  • Privacidad: Ninguno (no datos sensibles)
  • Propiedad intelectual: Apple actuó rápido con DMCA
  • Educación: Valioso para desarrolladores que quieren ver prácticas de una gran empresa
Ahora voy a estructurar mi análisis en varias secciones clave para dar una respuesta completa y educativa.

Análisis del "Filtrado" de Código de la App Store Web de Apple

Resumen Ejecutivo

El 4 de noviembre de 2025, Apple lanzó una nueva interfaz web para la App Store (apps.apple.com) con un error de configuración crítico: los sourcemaps permanecieron activados en producción. Esto permitió que cualquier persona con herramientas de desarrollo accediera al código fuente completo del frontend, que fue archivado en GitHub antes de que Apple emitiera una masiva solicitud DMCA para eliminar 8,270 repositorios el 8 de noviembre.
Este incidente no representa una brecha de seguridad real, pero sí ofrece una visión excepcional de las prácticas internas de desarrollo de una de las empresas más secretas de la industria tecnológica.

¿Qué Sucedió Exactamente?

El Mecanismo Técnico

Los sourcemaps son archivos que mapean el código minificado/obfusficado de producción al código fuente original. Son herramientas de depuración esenciales en desarrollo, pero deben desactivarse en producción por buenas prácticas.
Secuencia de eventos:
  1. Apple desplegó la nueva App Store web con Svelte/TypeScript
  2. Olvidaron desactivar la generación de sourcemaps en el build de producción
  3. El desarrollador rxliuli usó una extensión de Chrome ("Save All Resources") para extraer automáticamente todos los archivos fuente
  4. Publicó el repositorio en GitHub con el título "App Store web has exposed all its source code"
  5. La comunidad hizo más de 8,000 forks en cuestión de horas
  6. Apple respondió con una solicitud DMCA el 5 de noviembre
  7. GitHub eliminó toda la red de repositorios el 8 de noviembre
Clave: No hubo "hackeo" ni vulnerabilidad. El código fue accesible públicamente porque Apple lo sirvió así.

Contenido del "Filtrado"

Lo Que Se Expuso (Frontend Únicamente)

  • Código completo en Svelte 4 y TypeScript
  • Componentes UI con estructura de carpetas completa
  • Lógica de gestión de estado (state management)
  • Configuración de routing
  • Integración con APIs públicas
  • Comentarios de desarrolladores con referencias a tickets internos y bugs conocidos
  • Decisiones de arquitectura y patrones de código

Lo Que NO Se Expuso (Crítico)

  • Código backend o lógica del servidor
  • Credenciales, API keys o secretos (según análisis, no había información sensible)
  • Datos de usuarios o información privada
  • Algoritmos propietarios del App Store
  • Infraestructura o configuraciones de servidor

Perspectiva de Seguridad: ¿Es Grave?

La Postura Mayoritaria de la Comunidad (r/webdev)

"No es un problema real de seguridad" argumentan expertos, basándose en:
  1. El código frontend siempre es público: El navegador debe descargarlo para ejecutarlo
  2. Ofuscación ≠ Seguridad: Un código minificado no es seguro, solo es más difícil de leer
  3. No expuso lógica crítica: La seguridad real reside en el backend, no en el frontend
  4. Mejores prácticas modernas: "No hagas nada en el cliente que no quieras que alguien vea"

Riesgos Reales (Aunque Limitados)

  1. Exposición de comentarios internos: Podrían contener nombres de sistemas internos, referencias a bugs no públicos o decisiones de negocio
  2. Fácil análisis de vulnerabilidades: Ataques dirigidos pueden identificar patrones de código potencialmente vulnerables más rápido
  3. Competencia tecnológica: Rivales pueden ver exactamente qué frameworks y patrones usa Apple
  4. Clonado de UI: Facilita la creación de interfaces fraudulentas que imiten fielmente la original

Cita Clave

"Frontend code is always exposed. Obfuscation is not security. Remember, nothing on the client side is safe." - Usuario de r/webdev

Valor Educativo: El Lado Positivo

Este incidente ofreció una ventana única a las prácticas de ingeniería de Apple:

Aspectos Interesantes Revelados

  1. Uso de Svelte 4: Confirma que una Big Tech adopta frameworks "menos mainstream" (no React/Vue) para proyectos críticos
  2. Estructura de proyecto a escala: Cómo organizan componentes en aplicaciones grandes
  3. Patrones de TypeScript: Implementaciones reales en código de producción
  4. Gestión de bugs: Comentarios como // TODO: fix... y referencias a issues de Safari muestran que Apple lidia con los mismos problemas que otros desarrolladores
  5. Decisiones arquitectónicas: Elección de librerías, manejo de estado, etc.

Reacción de la Comunidad

"It's really nice to see how a big company like Apple writes and architectures their frontend... This gives anyone interested a temporary view of how a major firm structures a large web interface." - Usuario de r/webdev

Respuesta de Apple

Acción Rápida y Masiva

Apple no tomó el incidente a la ligera:
  • DMCA el 5 de noviembre (24-48 horas después)
  • 8,270 repositorios eliminados incluyendo todos los forks
  • GitHub cumplió completamente con la solicitud
  • Código desactivado en producción (sourcemaps ya no disponibles)

Paradoja de Streisand

Aunque legalmente correcta, la acción de Apple creó un efecto contrario:
  • Múltiples usuarios ya habían clonado el repositorio localmente
  • El código seguirá circulando en foros, Discord y otros hosts
  • El DMCA convirtió un incidente menor en noticia global
  • Generó más interés del que hubiera tenido si se hubiera ignorado

Lecciones Clave para Desarrolladores

1. Configuración de Build es Crítica

bash
Copy
# En Vite/SvelteKit
vite build --sourcemap=false

# En webpack
devtool: false # o 'hidden-source-map' para privados
Nunca dejes sourcemaps públicos en producción a menos que sea estrictamente necesario.

2. Seguridad por Diseño

  • Nunca confíes en la ofuscación para proteger lógica sensible
  • Siempre asume que el código cliente será leído y analizado
  • Mantén la lógica crítica en el servidor
  • Revisa comentarios antes de commit (no pongas secrets ni info interna sensible)

3. Balance Depuración vs. Exposición

Si necesitas debuggear producción:
  • Usa "hidden-source-map": solo accesible con autenticación
  • Implementa source maps privados: sirve solo a IPs internas/VPN
  • Usa herramientas como Sentry que gestionan sourcemaps seguros

4. Cultura de Código

El incidente reveló TODOs y comentarios vagos que también existen en Apple:
TypeScript
Copy
// TODO: fix...
// FIXME: Safari bug with history.state
Mensaje: Todos los equipos, incluso en Apple, tienen deuda técnica y comentarios incompletos.

Opiniones de la Comunía: Dos Polos

Polo 1: "No es Gran Cosa" (Mayoría)

  • "This is not exposing any additional logic. Obfuscation is not security." - 2.6k upvotes
  • "Frontend code is always exposed. You can always deobfuscate minified JS."
  • "The real moat is backend logic, not UI components."

Polo 2: "Tiene Valor Informativo"

  • "It's nice to see how Apple architectures their frontend... gives a view of how a major firm structures large interfaces." - 108 upvotes
  • "Now we can see exact modules, file structure, comments... This is a very big deal for learning."
  • "Confirma que Svelte está ready para producción a escala empresarial."

Conclusión

Gravedad Real: ✕ Mínima

  • Seguridad: No se comprometió información sensible
  • Privacidad: No se filtraron datos de usuarios
  • Operacional: Riesos limitados a exposición de UI

Impacto Sísmico: ✓ Alto en Transparencia

Este incidente representa:
  1. Un error humano básico en una empresa con procesos ultra estrictos
  2. Una ventana educativa única a prácticas de ingeniería de Apple
  3. Validación de Svelte como framework empresarial
  4. Un recordatorio universal: La seguridad no vive en el frontend

Recomendación Final

Para desarrolladores junior que se están formando: este es un tesoro educativo. Para equipos senior: una llamada de atención sobre los básicos. Para Apple: un recordatorio humilde de que los mejores procesos pueden fallar.
"It seems Apple left the code there for someone to find... Perhaps the biggest mistake was Apple's overreaction through DMCA, turning a minor incident into permanent internet folklore." - Análisis de tech media

Fuentes

  • Reddit r/webdev - Hilo original y comentarios
  • TechRadar - "A rare Apple slip exposes complete web App Store front-end structure"
  • 9to5Mac - "Apple accidentally leaks new web App Store front-end source code"
  • AppleInsider - "Apple inadvertently leaked front-end source code"
  • Securityonline - "Apple Forces GitHub to Delete 8270 Repositories"
  • heise online - "Apple puts entire App Store on the web