#indiewebcamp 2016-04-10

2016-04-10 UTC
KartikPrabhu joined the channel
#
aaronpk
hm should this be done by the mf2 parser?
#
aaronpk
for any u-* values, ensure they are either a relative or absolute URL and not something like "javascript:alert()"
#
aaronpk
tho I suppose mailto: links are fine
#
KartikPrabhu
mf-parsers should not sanitise HTML
#
KartikPrabhu
that is some other task
#
aaronpk
that's not really sanitizing HTML tho
#
aaronpk
if "javascript:alert('hi')" is considered a valid URL then it's doing what it's supposed to
#
KartikPrabhu
mf2py does make URLs absolute, but that is in the parsing spec, it does not validate them in any way
#
KartikPrabhu
yes, validation not sanitisation
#
aaronpk
i'm not talking about doing anything with e-* classes, only u-* since the parser knows the value is supposed to be a URL in that case
#
KartikPrabhu
aaronpk: people might have accidentally put a "u-*" when they meant "p-*". might be better to just expose that to keep things visible. Consuming code can always validate
mlncn joined the channel
#
sknebel
(thinking of protocols: is there anything "established" about webmention endpoints being HTTP vs HTTPS?)
#
sknebel
(+ it would be interesting if any webmention endpoints accidentally or intentionally work with ftp:// or other source urls as well, there are some nasty issues hidden in that kind of thing)
#
aaronpk
well the webmention endpoint itself has to be http/https because the spec requires you make an HTTP request to send the webmention
#
aaronpk
but i think it doesn't say anything about the source URL needing to be HTTP
#
GWG
It doesn't from what I can see
#
aaronpk
KartikPrabhu: no i think this *has* to be done at parse time
#
aaronpk
because when i'm consuming a property called "url" I have no idea if it came from a u-url class or p-url class
#
aaronpk
oh wait crap that doesn't work either.
#
KartikPrabhu
so if you are going to consume it as a URL (e.g. display it as a link to a comment) then validate it, else don't
#
KartikPrabhu
depending on how you want to consume it
#
aaronpk
yeah, i do have to check it at consume time
#
aaronpk
otherwise someone could put javascript in a p-url class
#
KartikPrabhu
i don't think there is a fool-proof alternative to validation/sanitisation at consume time
#
aaronpk
this is getting hairy
#
aaronpk
i'm gonna add this to XRay tho since everything I do goes through that so at least it'll only have to be done once
friedcell joined the channel
#
KartikPrabhu
yeah that is not unreasonable
snarfed and tantek joined the channel
#
GWG
Is anyone around who I could talk to about Vouch? Namely someone who has feelings about it.
#
GWG
Maybe I should watch the video from Cambridge
shiflett and yakker joined the channel
#
kylewm
GWG, what are your feelings about vouch?
#
GWG
I'm worried about implementing a system where I'm rejecting the majority of the internet that doesn't use it
#
aaronpk
you don't have to reject unvouched webmentions
#
aaronpk
i need to re-implement in my new site, but what I was doing before was showing "vouched for by ___" if the comment was vouched
#
GWG
I was trying to iterate on the implementation.
#
GWG
And I know there is some interest in Vouch.
[kevinmarks] joined the channel
#
[kevinmarks]
To make vouch work, you need a white list, right?
#
GWG
Not exactly
#
KartikPrabhu
one can always send unvouched webmentions to other spam processors like Akismet/manual approval etc...
#
kylewm
Why not exactly? I thought you needed a list of known good domains to verify a vouch
#
GWG
I thought vouch generated them. A whitelist suggests someone made one
shiflett joined the channel
#
GWG
Although admittedly you have to start with a list
#
KartikPrabhu
you need one to get started and then you can add to it
#
KartikPrabhu
you can generate one from already existing webmention comments though
#
GWG
Yes.
#
GWG
But if I try to build one that way, I'd build it into the existing moderation system by passing the vouch parameter further down.
#
GWG
But it seems, from comments, that accepting webmentions with or without vouch is not uncommon.
snarfed joined the channel
#
kylewm.com
edited /2016 (+282) "/* Participating */ Assistance for underrepresented groups"
#
kylewm
is that OK? ^
#
kylewm
(I think it's probably pretty important that we make use of that money :)
mlncn and gRegorLove joined the channel
#
gRegorLove
I have feelings about Vouch, GWG
#
gRegorLove
In the ProcessWire Webmention plugin, it always attempts to send a vouch parameter with a webmention, if possible. There is a checkbox, off by default, for "require webmention with vouch" for incoming wm
#
gRegorLove
(I have that checkbox off on my site currently)
#
gRegorLove
There's a textarea for "Approved vouch domains", one domain per line. I populated it manually at first, but just recently added an option to enter a URL that the plugin will periodically parse for h-cards and add the URLs it finds to the approved vouch domains.
#
gRegorLove
So now I just need to add people I follow / will accept as vouches to http://gregorlove.com/following/ and it will be parsed within ~24 hours to the list of approved vouch domains
#
GWG
My plan right now is to just make it so the parameter is passed and work on what it does later.
#
gRegorLove
what do you mean passed?
#
gRegorLove
Oh, that 'vouch' is accepted on incoming wm?
#
GWG
Accepted would be accurate.
tantek joined the channel
#
tantek
good evening #indiewebcamp
#
tantek
catches up on logs and sees /Vouch discussion
#
gRegorLove
!tell aaronpk For this test https://github.com/aaronpk/XRay/blob/master/tests/AuthorTest.php#L86 what's the reasoning for the assertion being the http u-url instead of the xmpp one?
#
Loqi
Ok, I'll tell them that when I see them next
#
tantek
kylewm, GWGW, there is no requirement to "start with a list" - that's just one possible (common?) way to start with a simple implementation. The spec does not require it.
#
tantek
s/GWGW/GWG
#
Loqi
tantek meant to say: kylewm, GWG, there is no requirement to "start with a list" - that's just one possible (common?) way to start with a simple implementation. The spec does not require it.
#
gRegorLove
!tell aaronpk it looks like that test is ambiguous with authorship step 7.3. Step 7.4 would return the http u-url, though.
#
Loqi
Ok, I'll tell them that when I see them next
friedcell joined the channel
#
aaronpk
good evening
#
Loqi
aaronpk: gRegorLove left you a message 1 hour, 13 minutes ago: For this test https://github.com/aaronpk/XRay/blob/master/tests/AuthorTest.php#L86 what's the reasoning for the assertion being the http u-url instead of the xmpp one? http://indiewebcamp.com/irc/2016-04-09/line/1460270304256
#
Loqi
aaronpk: gRegorLove left you a message 1 hour, 8 minutes ago: it looks like that test is ambiguous with authorship step 7.3. Step 7.4 would return the http u-url, though. http://indiewebcamp.com/irc/2016-04-09/line/1460270597855
#
aaronpk
!tell gRegorLove interesting point. however the authorship algorithm results in an author h-card, not an author URL, so the xmpp URL in that test case could still be used to match that h-card.
#
Loqi
Ok, I'll tell them that when I see them next
Pierre-O joined the channel
#
aaronpk
!tell gRegorLove XRay in particular looks for http/https URLs and will ignore anything else, so that's why the test is looking for that URL and not the xmpp one
#
Loqi
Ok, I'll tell them that when I see them next
Breadbasket_, catsup, nitot, friedcell, KevinMarks and Nissyen1 joined the channel
#
bitdroid.de
edited /2016/Nuremberg/Guest_List (+465) "/* Participants */"
ben_thatmustbeme, benborges, Lancey, emmak_, tantek, snarfed and snarfed1 joined the channel
#
GWG
Rewriting this code is going to be harder than I thought. I wish someone had commented it more.
wolftune joined the channel
#
tantek
... said every developer ever :)
#
GWG
Well, I'm trying to turn the code upside down so it works differently.
#
voxpelli
Refactoring is tough work, especially when one has no tests, hard to keep a solid ground to build on
#
voxpelli
is kind of doing refactoring at the moment as well
tantek joined the channel
#
GWG
I wish I had tests
#
GWG
I just don't want to write them.
snarfed joined the channel
#
GWG
And amusingly, snarfed enters right after I say that.
#
snarfed
reads logs
#
snarfed
GWG you need religion! feel the spirit!
#
GWG
The spirit of unit testing?
#
GWG
I have yet to be possessed by it
#
GWG
I know that I will have to give in someday
j12t, jedahan and [kevinmarks] joined the channel
#
[kevinmarks]
Writing tests for code you're about to change is how you prove that you know how the code works
#
GWG
I just wish pfefferle was around. I have questions
#
GWG
About why he did things.
friedcell, j12t, snarfed, Pierre-O, singpolyma, brandonrozek, jedahan, Breadbasket_ and Lancey joined the channel
#
GWG
Slow afternoon
j12t, snarfed, Breadbasket_, KartikPrabhu and emmak joined the channel
#
aaronpk
anyone want to help me test a tool for testing webmentions?
#
bear
sure
#
GWG
aaronpk: What do I have to do?
#
aaronpk
i haven't finished the home page yet or written really anything that tells you how this works, but basically the tests here are posts that accept comments, and you can use them to help debug your webmention sending
#
aaronpk
so you can try to get a comment to appear here for example http://webmention.rocks/test/1
#
Loqi
[Webmention Rocks!] Test #1
#
aaronpk
i have the main functionality of handling webmentions and parsing the source URL for comment data working for the most part, so i'm adding more helpful debugging tools to it now
#
bear
so you want me to add a mention of that test/1 url to my site and have it send a webmention now?
#
aaronpk
yeah, feel free to try to send webmentions to it, and let me know if you see anything weird.
#
bear
k, let me get my terminal windows up
#
aaronpk
i'm planning on using this during IWC to help people get spun up on sending webmentions
#
bear
coolness
gmacon, gRegorLove and Nissyen joined the channel
#
bear
I just realized that the julian days for april are all 90+ date april 1st == 91...
#
bear
(I like it when simple patterns like that emerge)
#
aaronpk
depending on whether it's a leap year
#
bear
oh poo - 2016 is a leap year, i was looking at the wrong table
#
bear
sorry it took me so long - just processed a post about test/1
#
bear
it found yours, and got a 201 back immediately
#
bear
but the webmention.rocks one it is still chewing on
#
GWG
I've been thinking about the 201 and the 202.
#
aaronpk
webmention.rocks processes the WM synchronously so that it can return debugging info in the response
#
GWG
aaronpk: Then that would be a 200, not a 201 or a 202
#
bear
I may have to local hack some debug prints as it is still processing it
#
aaronpk
GWG: it depends on whether it returns a status URL
#
aaronpk
bear: hm i'm surprised it's taking that long
#
GWG
What does that look like again? Example wise?
#
bear
I need to add some debug logs to see if it just stuck on my side or what - one sec
#
Loqi
[Aaron Parecki] Webmention
#
aaronpk
i didn't put an example response showing the 200 response, but it's mentioned at the bottom of that section
#
aaronpk
and yes webmention.rocks returns HTTP 200
#
GWG
I meant an example of a status page
KartikPrabhu joined the channel
#
aaronpk
webmention.io returns status pages now
#
aaronpk
I want to write up status URLs as an extension but I haven't yet
#
bear
ah - my webmention library is not finding the endpoint
#
bear
so this is already becoming a useful tool :)
#
GWG
What about Forwarded: over X-Forwarded-For?
#
aaronpk
tests 1-6 advertise the endpoint in different ways so you can test all of them
#
aaronpk
GWG: ?
#
GWG
aaronpk, was reading the rest of the page.
#
aaronpk
oh. no idea. there's a lot on that page
#
aaronpk
wow, now i'm getting probed on webmention.rocks
#
aaronpk
looking for URLs like wp-login.php and admin.php
#
bear
the scanners for new sites are amazing fast
tantek joined the channel
#
bear
ah - it's failing because I used https://webmention.rocks/test/1
#
aaronpk
oh thx
#
aaronpk
i should set up ssl
#
bear
i'm wondering how I can detect that cleanly
#
aaronpk
wow that was easy
#
aaronpk
now it's https
#
aaronpk
that might be a new record for me. 3 minutes.
#
aaronpk
letsencrypt++
#
bear
once letsencrypt is up with the discovery endpoint - it's very fast
#
Loqi
letsencrypt has 6 karma
#
bear
letsencrypt++
#
Loqi
letsencrypt has 7 karma
#
aaronpk
i have a catch-all for letsencrypt that makes this super easy
#
bear
yea, I think I have one also - nginx config item that redirects it to a dir
#
aaronpk
yeah pretty much
#
bear
ok, now the https call returns 200 instead of 404 - but i'm still not finding the link
#
bear
ah - the header is "Link" and silly bear assumed that they are "link"
#
bear
this is where I rage about languages that are case-insensitive for string compares
#
aaronpk
HTTP headers are case insensitive
#
bear
yes, I get that - but realize that the browsers are showing "link" in the dev view
#
aaronpk
sneaky
#
bear
and that most "web" languages are case-insensitive in compares (php, js, etc)
#
bear
so you all never feel that pain
#
aaronpk
really? php is pretty explicit about whether you're doing case sensitive or insensitive comparison
#
bear
so the python requests lib happily converts the headers into a dictionary with the key being "Link"
#
aaronpk
i always have to double check how the HTTP header is going to show up in whatever framework i'm using tho
#
bear
I wouldn't know - I remember reading some discussion about this from earlier on stackoverflow and the person implied that php was very happy to compare link to Link in headers
#
aaronpk
the $_SERVER variable converts them all to uppercase and prefixes with "HTTP_", other frameworks have methods to retrieve HTTP headers that handle the case insensitive matching internally
#
aaronpk
but "Link" != "link" in php
#
bear
yea, i'm mostly being verbose for anyone reading this to learn - what my webmention library should have done was checked
#
bear
yea, that is why I am kinda surprised that python requests gave me "Link" back when I asked for the header keys
#
aaronpk
yeah i've seen some libraries that try to be "smart" about it, but then you're never sure if it's going to return "Content-Type" or "Content-type"
#
bear
time for me to create a simple map/helper function