#indiewebcamp 2015-08-28

2015-08-28 UTC
rMdes joined the channel
#
@InramsT Piwik Is An IndieWeb Alternative To Google Analytics - http://www.inramstechnology.com/piwik-is-an-indieweb-alternative-to-google-analytics/ (twitter.com/_/status/637053357878677504)
#
tantek ben_thatmustbeme++ your /activity page is looking great
#
Loqi ben_thatmustbeme has 110 karma
#
kylewm ben_thatmustbeme: the float makes it wrap oddly in my firefox -- looks much better without .h-entry time { float:left; }
#
kylewm ah, it's because something is blocking the facebook avatars
#
KartikPrabhu kylewm: adblock pro most likely
#
KartikPrabhu there is a default "social" blocking list in there
#
kylewm (still think it looks better without the float :P)
tantek, mlncn, benwerd, shiflett, zz_tridnguyen, Kongaloosh, voxpelli_, sensiblemn, Unifex and mblaney joined the channel
#
mblaney hi all
#
mblaney I've been reading about indie-config, which is really cool.
halorgium, reidab and minsky joined the channel
#
mblaney I took some steps to register a protocol handler, added <indie-action> tags to some links, and then waited for the magic to happen....
#
mblaney :-)
#
mblaney then after some more reading, I realised <indie-action> requires the shim that indie-config supplies.
#
mblaney so I'm wondering why people would add <indie-action> tags without the shim? are they waiting for web components to handle it for them?
niamu joined the channel
#
kylewm mblaney: indie-actions actually predated the indie-config shim by quite a while. there is a browser extension that works with them https://github.com/barnabywalters/web-action-hero-toolbelt
#
kylewm (they used to just be called <action> until someone -- adactio i think -- pointed out that web components need to be hyphenated)
#
mblaney aaah nice. thanks kylewm! another piece of the puzzle.
#
mblaney do you know if the browser extension gets preference of the javascript shim?
#
mblaney s/of/over
#
Loqi mblaney meant to say: do you know if the browser extension gets preference over the javascript shim?
#
kylewm that's a great question, noooo idea :)
ScruffyDan, indie-visitor, glennjones, shiflett, loic_m, yoroy, eschnou, friedcell, almereyda, benborges, hidgw and tantek joined the channel
#
Jeena Zegnat, yep, the names are right, thanks!
benborges, tantek and pfefferle joined the channel
#
pfefferle good morning all
#
@reinergaertner spannend. Facebook, Google&co. werden ein solches Web nicht wollen. Gerade deswegen unterstützenswert #indieweb http://rgae.de/40?utm_content=buffer336b8&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer (twitter.com/_/status/637179334579613696)
pfefferle, lewisnyman and friedcell joined the channel
#
tantek wow - another reason to switch to https always - AT&T hotspot ad injection into http sites: http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/
pfefferle, tvn and pfefferl_ joined the channel
#
tantek anyone here using CSP?
#
tantek what is CSP?
#
Loqi It looks like we don't have a page for "CSP" yet. Would you like to create it? http://indiewebcamp.com/s/1029
#
tantek.com created /CSP (+37) "r" (view diff)
#
tantek what is XSS?
#
tantek what is CORS?
#
Loqi It looks like we don't have a page for "XSS" yet. Would you like to create it? http://indiewebcamp.com/s/102A
#
Loqi CORS is an acronym for "cross-origin resource sharing," a mechanism for allowing browsers to make JavaScript requests to fetch resources from other domains https://indiewebcamp.com/CORS
#
tantek wat
#
tantek.com edited /CSP (+0) "use literal HTTP header name" (view diff)
j12t, pfefferl_ and pfefferle joined the channel
#
tantek goes down the Content-Security-Policy rabbithole
pfefferle joined the channel
#
tantek continues descending and finds himself re-assessing /auto-link and /auto-embed implied policy decisions
#
tantek both YouTube and Vimeo redirect to https. Youtube has a "http:" rel-canonical, while Vimeo has "/" relative rel-canonical (thus implied "https:" canonical by the redirect)
#
tantek I'm considering always upgrading http: youtube and vimeo links to https: links (and embeds when requested) in CASSIS auto_link
#
myfreeweb consider always upgrading links that match the HTTPS Everywhere rulesets
#
myfreeweb https://www.eff.org/https-everywhere/rulesets they're just xml
#
myfreeweb https://github.com/EFForg/https-everywhere/tree/master/src/chrome/content/rules
j12t joined the channel
#
tantek myfreeweb: for now I'm only consider the existing hardcoded domains in cassis.js auto_link
#
tantek but yes - your general approach makes sense
minsky, Unifex, MrClaw, MylesBraithwait-, Nowaker, anm, reidab, halorgium, sensiblemn, Kongaloosh, KartikPrabhu, tommorris and jonnybarnes joined the channel
#
tantek.com created /Content-Security-Policy (+1431) "stub with examples, including what I intend to use (and examples that build up to it)" (view diff)
#
tantek myfreeweb: take a look and please review: https://indiewebcamp.com/Content-Security-Policy
reidab, halorgium, sensiblemn, Kongaloosh, KartikPrabhu, tommorris, jonnybarnes and pfefferle joined the channel
#
myfreeweb this should mention unsafe-inline and data: URIs
#
myfreeweb http://content-security-policy.com is a great reference
#
myfreeweb hmmmm what's child-src? never heard of it
j12t joined the channel
#
myfreeweb there's frame-src
#
unrelenting.technology edited /Haskell (+413) "/* Libraries */ more" (view diff)
modem_, pfefferle and LanceyWork joined the channel
#
unrelenting.technology edited /xss (+1121) "Add definition, libraries, link to CSP" (view diff)
pfefferle joined the channel
#
unrelenting.technology edited /xss (+114) "Add link to node-webmention-testpinger" (view diff)
modem and frzn joined the channel
#
tantek myfreeweb: https://w3c.github.io/webappsec/specs/content-security-policy/#directive-child-src
#
myfreeweb that's a recent editor's draft, i'm not sure this directive is implemented anywhere
#
myfreeweb anyway, you don't need to allow web workers from youtube and vimeo, only frames
#
tantek true!
pfefferle joined the channel
#
tantek frame-src is deprecated http://www.html5rocks.com/en/tutorials/security/content-security-policy/
#
myfreeweb oh
j12t joined the channel
#
@neinasaservice @zebel Naja, indieweb Mails :D (twitter.com/_/status/637225112593428480)
#
tantek.com edited /Content-Security-Policy (+352) "CSP2 spec reference, html5rocks article" (view diff)
pfefferl_ joined the channel
#
@awoods @ryancduff @mor10 we need a new way. Have you heard of the indie web? http://Indiewebcamp.com (twitter.com/_/status/637228993540853760)
pfefferle, pfefferl_, nedorito, friedcell, BjornW, mlncn, j12t and nitot joined the channel
#
nitot hi tantek! :D
#
tantek nitot++ !!!
#
Loqi nitot has 1 karma
#
tantek.com edited /block (+30) "/* See Also */ report abuse" (view diff)
pfefferle joined the channel
#
tantek.com edited /report_abuse (+11) "/* See Also */ shun" (view diff)
#
tantek.com edited /spam (+31) "/* See also */ block / abuse" (view diff)
#
tantek.com edited /shun (+76) "mute, linky, see also" (view diff)
#
tantek back to CSP
Pierre-O joined the channel
#
GWG pfefferle: I just commented on Semantic Linkbacks Issue #35. Curious what you think.
#
pfefferle GWG it is indeed curious
#
pfefferle GWG will run some tests with the email plugin
#
pfefferle GWG perhaps there are some strange race conditions
#
GWG pfefferle: There are two ways for it to be better. Either Semantic Linkbacks permanently changes the comment_text instead of using a filter or uses the notification_text filter to edit the notification output
#
GWG The notification functiosn use the raw comment_text without a filter
#
pfefferle GWG but this can't be the problem, because the comment-text is never completly empty
#
GWG pfefferle: The other plugin was blanking it out.
#
pfefferle GWG the email plugin? why?
#
GWG I looked at the code for it. To get 'nicer' emails it wraps the output from the functions as opposed to generating custom notification code.
#
pfefferle GWG ok, but the comment-text is not empty, the webmention plugin always adds some text that is saved in the db
#
pfefferle GWG it is not perfect, but it is set!
#
pfefferle GWG so this can't be the main problem
#
GWG pfefferle: My position is that there isn't a problem that wasn't there before.
#
GWG The comment notification email was messed up before the change, and is still messed up after the change, but at least now the comment author shows correctly, which is useful.
#
pfefferle GWG agreed, the email text shouldn't be completely empty, so I think this might be a bug in the email plugin
#
GWG pfefferle: When he turned it off, he got the comment I got in testing.
#
pfefferle GWG strange...
#
GWG pfefferle: Maybe I should write a simple plugin called Better Semantic Linkbacks Notification Emails that uses the prettified versions. Not sure that belongs in the main plugin
#
pfefferle GWG what do you mean with prettified version? saving the content to the DB, using the classic notification hooks or using the custom hooks of the email plugin?
#
GWG Saving the content to the database
#
pfefferle this would be very sad, because it would lower the possibilities
#
pfefferle GWG hmmm, I should really have a look at that notification stuff...
#
pfefferle GWG ah ok, there might be cases that the comment might be empty... have to have a more detailed look at the webmention plugin...
j12t joined the channel
#
GWG pfefferle: I agree with not saving to the database.
#
tantek indeed
#
tantek ;)
#
GWG pfefferle: I will see about writing code for better display. I tried that, if you recall. I thought it was too much
pfefferl_, pfefferle and benborges joined the channel
#
pfefferle GWG it would be nice if we could reuse the functions to replace the content, to replace the email content
#
GWG pfefferle: The filter available filters the entire text, not just the comment output.
#
GWG So we'd have to generate an entirely new email text to address
#
GWG That is the code I put in the pull request.
#
pfefferle GWG there is really no simpler way?
#
GWG pfefferle: I am thinking of submitting a ticket to WordPress about it
#
GWG https://core.trac.wordpress.org/ticket/33587
#
GWG I was submitting multiple tickets about it when I left
#
pfefferle GWG not that deep into the notification stuff that I perhaps should be ;)
#
GWG This was the only one that I finished
#
tantek is naming another URL piece related function and making the problem worse.
#
tantek this problem: https://twitter.com/t/status/637247235378561024
#
@t Four years (+2d) ago: How many ways can you slice a URL & name the pieces? http://tantek.com/2011/238/b1/many-ways-slice-url-name-pieces #xkcd927 #standards (ttk.me t4cv1) (twitter.com/_/status/637247235378561024)
#
pfefferle GWG ah ok, had a quick look at the code and now I can understand why you did, what you did... this is really not perfect :(
pfefferl_ and pfefferle joined the channel
#
tantek just named a new cassis function relative_uri_hash as the least divergent/bikeshedding / maximum term re-use alternative he could think of for "everything in the URL after the protocol". :/
#
voxpelli real classic that URL-post :)
pfefferle, j12t, eschnou, glennjones and snarfed joined the channel
#
GWG pfefferle: Not sure there is a better way
#
pfefferle GWG currently not, as far as I can see
#
tantek voxpelli: the sad part is I am STILL running into the problems documented in that post
#
pfefferle GWG I added a comment to your bug request
#
tantek ok looks like https upgrading of vimeo and youtube links is working in cassis locally so...
#
tantek live on tantek.com. seems to work fine.
pfefferle and eschnou joined the channel
#
tantek and my GitHub app is in a odd state of not running, and yet when I right-click on it in the dock, it shows current projects as it if was open. hmm.
snarfed, fourtonfish, eschnou, pfefferl_, pfefferle, j12t and glennjones joined the channel
#
tantek.com edited /next-hwc (+0) "next one is in two weeks!" (view diff)
#
tantek !tell rhiaro HWC Edi next week? https://indiewebcamp.com/events/2015-09-03-homebrew-website-club
#
Loqi Ok, I'll tell her that when I see her next
#
tantek.com edited /Main_Page (+24) "/* Homebrew Website Club */ update next dates" (view diff)
mlncn and pfefferle joined the channel
#
GWG pfefferle: I may bump up a proof of concept plugin for improving notifications.
yoroy and benwerd joined the channel
#
tantek.com edited /Events (+2170) "move this week's to recent, markup two weeks from now, add stubs for Nov, Dec HWC. add socialwg f2f" (view diff)
#
tantek has climbed up out of various nested rabbitholes back to the CSP rabbithole and is ready to try it on his site.
pfefferle and indie-visitor joined the channel
#
Loqi Welcome, indie-visitor! Set your nickname by typing /nick yourname
#
tentonbricks Good morning, all.
#
GWG Morning
#
tantek well this is interesting, in testing my CSP header on my *local* version of my site, I see that what I put breaks mystyling
#
tantek thus wondering, where are my style sheets coming from ...
#
aaronpk do we need to set up https on your local site?
pfefferle joined the channel
#
tantek no, CSP does not require https
#
kylewm !tell elliottucker it looks like your ssl certificate on elliottucker.net expired
#
Loqi Ok, I'll tell them that when I see them next
#
tantek aaron background: /CSP
#
tantek huh style-src ok then
#
aaronpk oh. /me reads
#
aaronpk interesting
#
voxpelli aaronpk: how do you handle the fact that Quill sometimes sends you html and sometimes plain-text?
#
aaronpk voxpelli: I was just thinking about that
shiflett joined the channel
#
aaronpk I'm pretty sure I'm going to change the way it sends html
#
voxpelli I'm thinking I would want to treat html as html and convert it to markdown while I would want to treat plain text as markdown
#
aaronpk interesting
#
voxpelli (and yes, I'm aware that markdown is controversial – but it's what I use elsewhere on my blog so makes it more consistent)
#
aaronpk I often write blog posts in markdown, but my notes are just plaintext
#
aaronpk and sometimes I use html in blog posts, but technically that also counts as markdown
#
tantek the fact that you have to distinguish "markdown" from "just plaintext" means markdown has failed its first principle
#
aaronpk not really
#
tantek yes pretty much
#
voxpelli for me plaintext == markdown
#
aaronpk with my plain notes, I don't want any processing of the text
#
aaronpk (beyond autolink)
#
tantek see I tried that and it doesn't work
#
voxpelli autolink + auto-paragraphs is what I want
#
tantek because then you auto-embed
#
tantek and yes, as voxpelli auto-paragraphs
#
tantek and before you know it, you're building a subset of auto-markdown
#
aaronpk I don't autoembed, I put those things at the end of the post outside the content
#
voxpelli the problem with not being able to distinguish between html and plaintext/markdown is that auto-paragraphing becomes impossible
#
aaronpk yes and properly escaping is impossible
#
aaronpk when I type <b> in a note, I want it to be rendered as &lt;b&gt;
#
voxpelli aaronpk: there was some discussion about whether to make html in micropub map to the "e-content" style – right?
#
aaronpk but if I type <b> in a article, I want it to literally be <b>
#
aaronpk so yeah if we look at how microformats handles this, it's p-content vs e-content
#
aaronpk with p-content, there is only a string value, but with e-content there's an object with "html" and "value" properties
#
voxpelli and micropub should pretty much be JSON/form-data -> microformats while a microformats parser is the reverse
#
aaronpk so basically i'm thinking micropub clients should send "content":{"html":"<b>Hello World</b>"} if they want to send html content
#
voxpelli +1
pfefferle joined the channel
#
voxpelli I wonder how much of a breaking change that will be in the community
#
tantek 'unsafe-inline' heh
#
aaronpk otherwise "content":"<b>Hello World</b>" should be interpreted as plaintext and the website should render those as escaped html tags &lt;b:gt;Hello World&lt;/b:gt;
#
voxpelli aaronpk: very much +1 on that
#
aaronpk cool
#
tantek voxpelli: it is solved with p-content vs e-content
#
tantek that was the big debate of last week
#
voxpelli so hard to keep up with discussions :/
#
tantek it drove me to write a new auto_space() function specifically to convert whitespace into markup
#
voxpelli can't we fundraise a community blogger that blogs small focused updates? ;)
#
tantek (open source in cassis if you like)
#
voxpelli tantek: do you publish cassis-methods as npm modules?
#
voxpelli because they are js - right?
#
aaronpk or syndictate updates like that to indienews!
#
tantek aaronpk, yes on micropub clients *must* send content: ... html: ... etc.
#
tantek voxpelli: they are js yes
#
tantek I don't know how to publish cassis as an npm module
#
tantek pretty sure we solved all the auto-space/para and auto-escape issues with the white-space discussion last week
#
voxpelli tantek: you have a package.json so I think "npm login" and "npm publish"
#
aaronpk so if I go change Quill to do this right now, what will happen is it will definitely break people using the quill html editor
#
voxpelli tantek: + adding a node.js module wrapper around the code
#
aaronpk and I have a feeling most peoples' micropub endpoints are not escaping plaintext content, since that's basically how the html editor was able to get html to show up on ppls' sites
#
voxpelli tantek: I can make a PR for the wrapper if you want?
#
tantek voxpelli: sure! be sure to edit the contributors file as part of your PR
#
tantek I think some other packaging thing is in there too that someone else did
#
tantek maybe barnaby?
#
voxpelli aaronpk: make it as a propertly like you did in OwnYourGram?
#
tantek because cassis is both JS and PHP, it has lots of packaging potential
#
aaronpk omg I already did a whole writeup of this http://indiewebcamp.com/Micropub-brainstorming#HTML_Escaping
#
aaronpk voxpelli: yeah I could make it an opt-in change
#
aaronpk don't know how i completely forgot i had added that to the wiki a month ago
#
voxpelli tantek: looks like there's already an export of some methods: https://github.com/tantek/cassis/blob/master/cassis.js#L337
#
voxpelli so just adding more to that list would be enough
#
tantek cool - add what you need!
#
voxpelli tantek: guide on how to publish then: https://docs.npmjs.com/getting-started/publishing-npm-packages
#
tantek aaronpk - hence why it's always good to check the wiki first - you may find that your past self put something there ;)
#
voxpelli one can also set it up so that eg. Travis CI auto-publishes
#
tantek voxpelli: I don't use Node so I'm not worried about how to publish them
#
tantek I'm happy to accept PRs for folks that do however!
#
tantek ok CSP is non-trivial
#
voxpelli tantek: I can help with publishing then if anyone feels a need for it – I will see if I make use of the methods myself
#
tantek great!
pfefferle joined the channel
#
voxpelli aaronpk: I will go ahead and adapt my endpoint module to the html attribute then
#
aaronpk great
friedcell joined the channel
#
aaronpk issue filed https://github.com/aaronpk/Quill/issues/27
#
voxpelli aaronpk: shouwl one support anything else but the "html" attribute – like if the "html" isn't there, should one pick "value" or should one expect that if it's an object then there's always supposed to be an "html" property?
#
aaronpk for now I think if it's an object there should always be an "html" property
#
aaronpk oh hm, actually..
#
aaronpk microformats fallback rules would say to use the value as plaintext if you don't recognize the object
#
aaronpk that seems better. so the code would look for content.html, content.value, content
friedcell1 joined the channel
#
voxpelli +1, I'll do that
wolftune joined the channel
#
tantek yes! re-use of existing rules!
#
tantek got my CSP working across Firefox, Chrome, Safari!
#
tantek time to ship and see if it breaks IE >:D
pfefferle joined the channel
#
tantek time to share my CSP directive to the wiki I suppose
#
tantek or ship first?
#
voxpelli aaronpk: shipped: https://github.com/voxpelli/node-format-microformat/blob/master/CHANGELOG.md#050-2015-08-28 :)
#
tantek and CSP is live on my site
#
tantek goes to edit wiki
#
voxpelli a perfect friday evening!
#
aaronpk voxpelli++
#
Loqi voxpelli has 41 karma
#
KevinMarks hm, what does auto_space do about tabs?
#
tantek tabs are dead to me :P
#
tantek which is to say, auto_space does nothing to tabs. per ignore things you don't care about. :)
#
aaronpk wow, I didn't realized CloudFlare is effectively a free and easy way to get an SSL cert
#
oddvar KevinMarks, inserts spaces instead, no?
#
tantek code is short enough to read that
#
tantek if you use tabs in your HTML source, you're going to have a bad time
#
KevinMarks I know you don't approve of them, wondering about people on the tabs side of the debate and what they expect to happen
#
KevinMarks it is hard to type them in html forms, true
#
kodfabrik.se edited /Micropub-brainstorming (+318) "Add note on content.value" (view diff)
#
voxpelli aaronpk: took a stab at documenting the content[value] fallback
#
aaronpk tx
#
tantek voxpelli++
#
Loqi voxpelli has 42 karma
#
tantek KevinMarks: currently there are zero people who publish plain text content with tabs and expect it to "work" with white-space:pre-wrap
j12t joined the channel
#
tantek if you find some, you may document them in https://indiewebcamp.com/note#IndieWeb_Whitespace_Examples
#
tantek I don't care about people on the "tabs side of the debate" who are not actually using tabs as part of presentational whitespace on their own site.
#
KevinMarks fair
#
tantek Once they ship, then we can consider. Until then, they can debate amongst themselves in email.
ttepasse joined the channel
#
tantek.com edited /Content-Security-Policy (+1965) "why, how to, indieweb examples, add mine, with documentation" (view diff)
cleverdevil joined the channel
#
tantek ok, fully documented the /CSP I deployed with reasons why for each directive
#
tantek !tell snarfed, kylewm as https / security experts I would appreciate your review of https://indiewebcamp.com/Content-Security-Policy (just created today) and if you like, my CSP deployment in particular to make sure I'm not giving bad advice to people. Thanks!
#
Loqi Ok, I'll tell them that when I see them next
#
myfreeweb why are you using twitter's javascript? does it even do anything?
#
myfreeweb i see the same behavior of reply/retweet/like buttons with and without javascript on your site
#
GWG I have too many things that I want to do
fkooman joined the channel
#
Loqi [mention] Ryan Barrett liked http://indiewebcamp.com/Bridgy https://webmention.io/notification/KeiKF4Mr5wjch06EmYMGRw
snarfed joined the channel
#
tantek myfreeweb: for the "Tweet" buttons on my blog posts with tweeted counts
#
tantek I should detail that
#
tantek.com edited /Content-Security-Policy (+96) "/* Tantek */ note twitter frame/script for tweet button with tweeted count only, and frame-src is also needed for current Microsoft Edge" (view diff)
#
tantek myfreeweb++ thanks for the CSP review and questions!
#
Loqi myfreeweb has 5 karma
benwerd, benwerd_ and stream7 joined the channel
#
myfreeweb Safari: Refused to load the script 'http://platform.twitter.com/widgets.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://platform.twitter.com".
#
myfreeweb it's included with "//"
#
tantek weird
#
myfreeweb your site is not https
#
tantek right
#
myfreeweb result: it tries to load them from http
#
tantek now checking to see if that's my fault (the twitter http)
#
myfreeweb yes it is
#
myfreeweb twitter loads on the same protocol as your site
#
tantek no - my fault with explicit http://twitter
#
tantek fixing
#
myfreeweb there's no explicit http:// twitter. you explicitly allowed only https:// twitter in CSP, twitter's script is js.src="//platform.twitter.com/widgets.js"
j12t joined the channel
#
myfreeweb (do you really need that tweet count button?)
nedorito joined the channel
#
tantek hmm fixed all but one instance
#
tantek will fix remaining later
#
tantek myfreeweb: good question - I'll re-evaluate the design decision later
#
tantek will have to post about it after dinner
snarfed, mlncn, j12t, KevinMarks_, ttepasse and yoroy joined the channel
#
@myfreeweb @stevelosh #indiewebcamp on freenode ;-) not associated w/ specific products because that would cause https://indiewebcamp.com/monoculture (twitter.com/_/status/637336119173115905)
#
kylewm <- Steve Losh fanboy
#
Loqi kylewm: tantek left you a message 2 hours, 43 minutes ago: as https / security experts I would appreciate your review of https://indiewebcamp.com/Content-Security-Policy (just created today) and if you like, my CSP deployment in particular to make sure I'm not giving bad advice to people. Thanks! http://indiewebcamp.com/irc/2015-08-28/line/1440778021272
#
kylewm lololol
wolftune joined the channel
#
KartikPrabhu https://twitter.com/stevelosh/status/637334156222013440 :P
#
@stevelosh Also I will block you if you suggest Slack/HipChat horseshit. (twitter.com/_/status/637334156222013440)
shiflett, eschnou and glennjones joined the channel
#
kylewm tantek: kind of you to say, but I am so far from a security expert, security expert is a dot to me. your recommendations make sense though!
benwerd and lordabdul joined the channel
#
@kylewmahan Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration. (twitter.com/_/status/637351333436129280)
davbo joined the channel
#
benborges dumb question but, if i use the reply-to against a FB url, does it land on the comment section on FB like on twitter ?
#
kongaloosh.com created /Template:kongaloosh (+14) "Created page with "{{kongaloosh}}"" (view diff)
#
KartikPrabhu benborges: you mean through bridgy publish?
#
ben_thatmustbeme benborges: it used to
#
ben_thatmustbeme if bridgy publish that is
#
benborges KartikPrabhu, i'm using Known
benwerd joined the channel
#
KartikPrabhu benwerd: good timing see Known question right above
#
ben_thatmustbeme wow, speak Known and he shall appear
#
benwerd The answer is: not right now, but that would be neat
#
kylewm benborges: it's very difficult to do because of restrictions in the facebook API
#
kylewm it's nigh impossible to find the facebook ID of a post from its URL
#
benborges damned..
#
benborges thanks for the answers though :)
#
Loqi hehe
cleverdevil and KevinMarks joined the channel
#
KevinMarks on gillmor gang talking about facebook as silo
friedcell and cleverdevil- joined the channel
#
KevinMarks https://twitter.com/mathiasverraes/status/632260618599403520
#
@mathiasverraes There are only two hard problems in distributed systems: 2. Exactly-once delivery 1. Guaranteed order of messages 2. Exactly-once delivery (twitter.com/_/status/632260618599403520)
#
KartikPrabhu solution webmentions with de-dup and timestamps ;)
#
KevinMarks timestamps are hard
#
KevinMarks google fixing them with atomic clocks was interesting
#
KartikPrabhu KevinMarks: hmm why? using dt-published works no?
#
KevinMarks it does as long as both clocks agree well enough
#
KevinMarks for the rate at which we operate now, it's OK
#
KevinMarks I see timezone issues too - woodwind was saying 'a day ago' for Amy's posts that were an hour ago
#
aaronpk relativetimes--
#
KartikPrabhu does one really need millisecond precision for anything on the Web? specially communication?
#
Loqi relativetimes has -1 karma
#
KevinMarks relative times can be good, if you normalize them first
#
kylewm Woodwind also sometimes says "a day from now" for adactio's posts
#
aaronpk relative times are only useful for very recent posts
#
aaronpk because "a day ago" loses all context of the time of day they posted, which might be significant to the post
#
bear I like relative only if the bumps are hour, hours and then day, days
#
bear otherwise > 3 hrs and you think your a day late to the flow
#
kylewm lol at Gillmor: "Thanks to Robert Scoble, do you get paid by Facebook, by the way?"
#
kongaloosh.com edited /Template:kongaloosh (-14) "Blanked the page" (view diff)
#
KevinMarks you want to never say 1 (unit) ago as you lose precision
wolftune joined the channel
#
KartikPrabhu how much precision do we need though?
#
KevinMarks so say 32 hours or whatever before you go to 2 days
#
KartikPrabhu I mean really don't care if kylewm replies 200 milliseconds before aaronpk
#
kylewm KevinMark's Amy's posts don't show up as a day ago anymore, do they?
#
bear "minutes ago", "NN hours", "2+ days"
#
aaronpk I like showing relative times with two units, so "1 day 3 hours ago" or "4 hours 30 minutes ago"
#
KevinMarks thats good
#
bear I avoid the minutes in some of the code i've written by adding in "or so" to the text :)
#
aaronpk but beyond 2 days I would just put the actual date
#
KevinMarks yes, works now kyle
#
aaronpk because then you start losing more context, "4 days ago".. was that monday or tuesday?
#
KartikPrabhu aaronpk: yes actual dates are more useful
#
KevinMarks is their local time better communicated by 'in the morning' etc
#
KevinMarks ?
#
KartikPrabhu morning, evening are even more obscure
#
KartikPrabhu when does evening begin and afternoon end?
#
bear personally I find morning/evening to be confusing because I'm time shifted so cannot assume that the other people are (or are not)
#
ben_thatmustbeme oops FB... how not to do notificationshttps://ben.thatmustbe.me/static/fb-notification.png
#
KevinMarks sunset?
#
ben_thatmustbeme https://ben.thatmustbe.me/static/fb-notification.png
#
aaronpk bahaha
#
KartikPrabhu lol
yoroy joined the channel
#
KartikPrabhu for instance to me 1700 is afternoon but people here in the US seem to call it evening
#
ben_thatmustbeme borderline for me
#
aaronpk definitely evening for me, maybe slightly less so in the summer since it's light until 2130 sometimes
#
bear yea, that's borderline for me also - I have friends who eat their evening meal at 1800 and I'm just boggled by that
#
KartikPrabhu so "evening/morning" etc is too subjective and not useful to show relative times
#
aaronpk wait why is 1800 dinner unusual?
#
KartikPrabhu it is usual in the US I have seen
#
KartikPrabhu 2000 is dinner time for me :)
#
bear i'm so EU centric in my dining habits - I don't think about dinner until after 2000
#
aaronpk omg so late. I'm in bed by 2100 if I can help it.
#
KevinMarks in Spain dinner is 11pm
#
bear madrid was the most fun city I ever visited
#
bear because of that
#
bear I am not in bed until 0500
#
KevinMarks Miami is a bit like that too
#
KevinMarks you can go there from SF and not shift your timezone about when breakfast and dinner are
#
KartikPrabhu right so all these vary by cultural preferences and personal too
#
bear yea, my habits are definitely from working with west coast folks for the last 2 decades
#
KartikPrabhu also notice how using 24 hour in this discussion was pretty unambiguous ;)
#
KartikPrabhu ampm--
#
Loqi ampm has -1 karma
#
bear ampm--
#
Loqi ampm has -2 karma
#
kylewm aaronpk: if you are serious about going to bed at 2100, you've been doing a really bad job per http://aaronparecki.com/metrics
#
aaronpk shh
#
KartikPrabhu lol!
#
aaronpk I am at least *in* bed if not asleep
#
KartikPrabhu that's what you get for publishing metrics !
#
bear HAHA
#
aaronpk wow this week has been particularly bad
#
aaronpk I blame summer
#
aaronpk wow i just don't sleep a lot http://aaronparecki.com/metrics/sleep
#
bear as long as your waking up normally and don't require any heavy-handed alarm
#
bear then your refreshed during sleep
#
aaronpk my cat is my alarm
#
KartikPrabhu haha! I cat-sat once for a friend and I know that situation
#
bear oh my word - yes, they make great alarms
#
bear regular feeding at 6am ... *no* one will be asleep at 0550
friedcell joined the channel
#
kongaloosh.com created /Template:Kongaloosh (+58) "Redirected page to [[https://indiewebcamp.com/User:Kongaloosh.com]]" (view diff)
#
kongaloosh.com edited /User:Kongaloosh.com (+2) "/* Kongaloosh */" (view diff)
#
kongaloosh.com edited /Template:Kongaloosh (-58) "Blanked the page" (view diff)
#
Kongaloosh erm...
#
Kongaloosh hmmm
#
Kongaloosh I'm trying to get the templating to point to the right place...
#
aaronpk the template is for the little inline icons. just copy someone else's
#
aaronpk https://indiewebcamp.com/Template:aaronpk
#
bear I think everyone except 2 people have done that - I know I did
#
KartikPrabhu copypasta++
#
Loqi copypasta has 0 karma
#
Kongaloosh perfect
#
Kongaloosh thanks
#
KartikPrabhu ha!
#
Kongaloosh aaronpk++
#
bear copypasta++
#
Loqi aaronpk has 946 karma
#
Loqi copypasta has 1 karma
#
kongaloosh.com edited /Template:Kongaloosh (+137) (view diff)
#
kongaloosh.com edited /Template:Kongaloosh (+19) (view diff)
#
kongaloosh.com edited /Template:Kongaloosh (-156) "Blanked the page" (view diff)
#
kongaloosh.com edited /Template:kongaloosh (+156) (view diff)
#
Kongaloosh I exist.
#
aaronpk Kongaloosh++
#
Loqi Kongaloosh has 3 karma
#
KartikPrabhu therefore I am
#
Kongaloosh therefore I think? Is it commutative?
#
KartikPrabhu no. the actual statement goes think => am and not necessarily equivalent to its inverse
#
Kongaloosh :)
#
bear KartikPrabhu++
#
Loqi KartikPrabhu has 115 karma
#
bear Kongaloosh++
#
Loqi Kongaloosh has 4 karma
#
KartikPrabhu just thought "what if someone uses a nick 'micropub'" would they get all of micropub's karma?
#
KartikPrabhu !karma micropub
#
Loqi micropub has 2 karma
#
kongaloosh.com edited /User:Kongaloosh.com (+240) (view diff)
Kongaloosh joined the channel
#
Kongaloosh hmmm
#
Kongaloosh quassel keeps kicking me from channels
wolftune joined the channel
#
@RikMende nice!! now I can say #twitterisdown from my own spot on the #indieweb http://www.rmendes.net/2015/nice-now-i-can-say-twitterisdown-from-my-own-spot (twitter.com/_/status/637383585993875456)
scoates, sparverius, tantek and benwerd joined the channel
#
tantek good evening #indiewebcamp!
#
tantek let's see if I can track down this last http twitter js access...
#
tantek anyone else put a CSP header on their site?
#
tantek who is Steve Losh?
#
myfreeweb i'm probably going to put a CSP soon
#
KartikPrabhu what is csp?
#
Loqi Content-Security-Policy (abbreviated CSP) is an HTTP directive that a site can use to restrict what external resources are retrieved by a browser, to mitigate some XSS and injection attacks https://indiewebcamp.com/CSP
Unifex joined the channel
#
myfreeweb Steve Losh is the author of excellent blog posts http://stevelosh.com/blog/
#
tantek ah the Git Koans person - cool!
djwesto joined the channel
#
myfreeweb my favorite is "A Modern Space Cadet"
#
KartikPrabhu oh juds preist: http://stevelosh.com/blog/2012/10/why-i-two-space/
#
tantek oh dear he's still delegating his openid to myopenid http://pin13.net/mf2/?url=http://stevelosh.com/blog/2013/04/git-koans/
#
tantek might want to give him a heads-up about http://indiewebcamp.com/site-deaths#myOpenID
#
tantek lolol that two-spaces article is hilarious!
#
tantek I disagree with it but I love the way it is written, especially the, hey, two spaces works better in vim!
#
tantek almost reads like an elaborate troll
#
tantek stevelosh++
#
Loqi stevelosh has 1 karma
wolftune joined the channel
#
myfreeweb i'm too lazy to use two spaces but i like the vim thing, makes sense
#
myfreeweb http://stevelosh.com/blog/2010/01/moving-from-django-to-hyde/ omg I remember hyde... I tried all the static generators back then
#
KevinMarks I like the way his crossheads go into the margin once they scroll off the top
#
KevinMarks http://stevelosh.com/media/js/sjl.js
#
myfreeweb WTF moment: PubSubHubbub 0.4 doesn't define any publishing format. "The hub and the publisher can agree on any mechanism, as long as the hub is eventually able send the updated payload to the subscribers" o_0
#
aaronpk heh
#
aaronpk that's why I wrote this http://indiewebcamp.com/how-to-push
#
myfreeweb Google's hub says hub.url can be repeated, Superfeedr says it's hub.url[] if you repeat it
#
aaronpk because PuSH doesn't specify it
#
aaronpk so the implementers can do whatever
#
myfreeweb yeah that's what I said first
#
aaronpk yup
#
aaronpk personally I prefer the [] version since most server-side environments don't accept multiple values of a parameter without []
#
myfreeweb looks like sending multiple pings is the best way to support the "just specify a hub URL in settings" experience... oh well
#
kylewm myfreeweb: Google's hub doesn't really work with 0.4
#
kylewm and superfeedr will accept either format of hub.url (either multivalued as an array or comma-separated)
tvn_ joined the channel
#
KevinMarks aaronpk: challenge accepted http://www.headsuptutoring.com/grid?pagetitle=a-e+sound+with+eight+and+straight&top=a&top=&top=e&top=ai&top=ay&top=&top=&letr=m&letr=a&letr=d&letr=e&letr=&letr=&letr=&letr=t&letr=r&letr=ai&letr=n&letr=s&letr=t&letr=ay&letr=p&letr=l&letr=ay&letr=&letr=w&letr=ay&letr=&letr=t&letr=a&letr=p&letr=e&letr=r&letr=ai&letr=d&letr=b&letr=r&letr=ai&letr=n&letr=ai&letr=m&letr=&letr=l&letr=a&letr=t&letr=e&letr=
#
kylewm myfreeweb: I would definitely recommend sending one ping if you have several feeds that update at once
#
aaronpk lol
#
KevinMarks the template fro that page is lots of table rows like <td ><input name="letr" value="{{letr.pop(0)}}"></td>
wolftune joined the channel
#
tantek tracked it down to looks like *one* place in https://platform.twitter.com/widgets.js it is doing a protocol relative access of platform.twitter.com/widgets/tweet_button.(etc)
#
tantek ok read Twitter's docs and there doesn't seem to be any way to force widgets.js to ALWAYS iframe src platform.twitter.com/widgets/tweet_button.(etc) over https.
#
tantek https://dev.twitter.com/web/tweet-button and https://dev.twitter.com/web/javascript/loading
#
tantek sigh, going to have to add an insecure iframe just to Twitter
#
tantek.com edited /htaccess (+45) "see also" (view diff)
Lancey joined the channel
#
tantek in case benward is watching for mentions --- ^^^ any way to force widgets.js to always use an https iframe for platform.twitter.com/widgets/tweet_button... ?
#
tantek right now it seems like it defaults to page protocol relative - which means http for me now, but I'd prefer to use widgets.js from https and have it also load/reference everything over https
snarfed joined the channel
#
tantek evening snarfed
#
tantek.com edited /LiteSpeed (+15) "/* See Also */" (view diff)
#
snarfed hey tantek!
#
Loqi snarfed: tantek left you a message 7 hours, 37 minutes ago: as https / security experts I would appreciate your review of https://indiewebcamp.com/Content-Security-Policy (just created today) and if you like, my CSP deployment in particular to make sure I'm not giving bad advice to people. Thanks! http://indiewebcamp.com/irc/2015-08-28/line/1440778021272
#
snarfed i don't really know CSP at all, so i'll have to defer that one, sorry
#
snarfed more helpfully...KevinMarks and i settled on a new OPD heuristic yesterday that we think will satisfy https://github.com/snarfed/bridgy/issues/51. i'll write it up and wikify it and ping for feedback
#
tantek what is OPD?
#
Loqi It looks like we don't have a page for "OPD" yet. Would you like to create it? http://indiewebcamp.com/s/102B
#
tantek ah let me guess
#
tantek OPD is /original-post-discovery
#
loqi.me created /OPD (+36) "prompted by tantek https://indiewebcamp.com/irc/2015-08-28/line/1440805631964 and dfn added by tantek" (view diff)
#
Loqi ok
#
snarfed beat me to it
#
snarfed in particular i'm excited about https://github.com/snarfed/bridgy/issues/51#issuecomment-135816838, i think it'll be a pretty compelling new feature
#
tantek snarfed: you serve https-only right? as in redirect all http to https?
#
tantek then I'm not sure you need to bother with CSP
#
tantek though I suppose it adds an extra layer of security even if something accidentally enables an xss on your site etc.
scoates and wolftune joined the channel
#
snarfed tantek: yes i do
#
KevinMarks snarfed did you capture our chat about this from the other day?
#
snarfed KevinMarks: privately yes. haven't written up yet. on my todo list
#
snarfed feel free to if you want!
#
bear tantek - it can be hard for someone not familiar with your code to evaluate your CSP. your unsafe-inline usage could be mitigated by using an <script nonce='...' wrapper