#dev 2017-04-27

2017-04-27 UTC
[cleverdevil] joined the channel
#
gregorlove.com
created /todoist (+95) "prompted by tantek"
#
gregorlove.com
created /todo.txt (+283) "stub"
leg joined the channel
#
gRegorLove
Temporarily fixed my webmention URL extraction, using WordPress' regex for it, actually. Mine was working pretty well, but dropping trailing slashes. Considering doing DOM parsing to grab the <a> elements instead, though.
#
gRegorLove
Do any wm senders do that? Known?
#
[kevinmarks]
dom parsing is usually a good idea
#
Loqi
[html5lib] html5lib-ruby: Ruby port of html5lib, currently unmaintained.
#
[kevinmarks]
that seems a bit untouched, though I recognise a lot of names
#
aaronpk
gRegorLove: Telegraph does DOM parsing to find links to send to
#
gRegorLove
Cool, will take a look.
#
aaronpk
oh wait
#
aaronpk
mentionclient is my thing
#
gRegorLove
Oh, indieweb/mention-client?
#
aaronpk
whoops! I misremembered!
#
aaronpk
Telegraph uses MentionClient
#
aaronpk
waiiiit a minute
#
aaronpk
is confusing himself
#
aaronpk
k yeah. telegraph and Known use mention-client-php, mention-client-php does regex
#
aaronpk
although telegraph actually first does mf2 parsing on the document, then just regexes for links within any property
#
aaronpk
i felt like i was okay with not sending webmentions to URLs that aren't h-entry properties
#
KevinMarks
That's a good filter against sidebar links too
#
aaronpk
yeah that was the idea
#
aaronpk
also i don't feel too bad about regexing for links within plaintext content
#
aaronpk
all the other links will be found by the mf2 parser
[eddie] joined the channel
#
[kevinmarks]
Yes, that is reasonable.
#
[kevinmarks]
Well, links with rel on
tantek joined the channel
#
www.boffosocko.com
edited /micro.blog (+2613) "fleshed out page with more basics after the service launched this week"
[chrisaldrich] joined the channel
#
www.boffosocko.com
edited /silo-quits (+389) "Mark Damon Hughes"
[tamaracks], [eddie], tantek and [jeremycherfas] joined the channel
#
loqi.me
edited /Lambda (+122) "/* See Also */ new section"
#
www.svenknebel.de
edited /Lambda (+96) "mention free tier"
loicm, [johnholdun], [kevinmarks], [colinwalker], [jeremycherfas], [pfefferle], tantek, KevinMarks, KevinMarks_, miklb, jonnybarnes, barpthewire, leg and KartikPrabhu joined the channel
#
voxpelli
I'm looking into Web Push a bit, but one part of the spec I'm a bit unsure about: How does an application server know that the submitted Push URI is an actual Push URI and not a target that someone wants you to trick into pinging?
#
voxpelli
Has anyone here done any work with push notifications on the web? Blindly trusting the client feels so wrong, would somehow want to validate that the supplied Push URI is indeed the URI of a Push Server
#
voxpelli
A quick read doesn't bring up anything about it in the relevant sections of the spec: https://tools.ietf.org/html/rfc8030
#
sknebel
voxpelli: I don't think there is anything. you get the url from the user agent and use it, I don't see a verification mechanism there either
#
KartikPrabhu
what is PuSH?
#
Loqi
WebSub (previously known as PubSubHubbub or PuSH, and briefly PubSub) is a notification-based protocol for web publishing and subscribing to streams and legacy feed files in real time https://indieweb.org/PuSH
#
KartikPrabhu
hmm that isn't it ^ right?
#
KartikPrabhu
this is different PuSH for browser notifications
#
sknebel
it's push messaging to service workers
#
sknebel
voxpelli: FWIW, I'm not sure how it would be solved without some complicated out-of-band mechanism – otherwise you'd be doing an HTTP request to verify the endpoint, so you avoid sending it a misguided HTTP request later...
#
voxpelli
sknebel: I was thinking something additional beyond the 201 HTTP status in the push notification response, that would tell that it's actually a push that was created
#
sknebel
hm... you could request a receipt, then a special rel gets added (but potentially extra work for the push service created)
#
voxpelli
on the other hand: somewhat the same issue with WebMention, one can't know if the 201 is to be considered a WebMention success or a success of some other kind
#
voxpelli
So one could eg. probably submit a Webmention ping as a WebPush Push URI to a WebPush application server and have that application server believe that it's sending successful push notifications to that URI
#
voxpelli
As they both respond with 201 successes to POST requests
#
sknebel
but only to ones with valid payloads
KevinMarks joined the channel
#
sknebel
you'd have to find an app server that sends source=URL&target=matchingURL, which shouldn't happen because encryption
#
voxpelli
right, webmention requires target/source in post payload, though it was query params for a while
#
sknebel
(and even without encryption would be kind of weird. and still poses the question why you are doing that complicated dance instead of just DDoSing the server you don't like...)
#
voxpelli
still feels kind of bad to rely on the payloads between different specs to be incompatible to ensure that one misuse it
singpolyma joined the channel
#
voxpelli
if one were to find an endpoint on the webpoint that returns a 201 for any kind of payload sent to it, then one could easily register it as a Push URI and no one would notice that it would be wrong
KevinMarks, [chrisaldrich] and [kevinmarks] joined the channel
#
[kevinmarks]
This sounds like the issues we got at w3c
#
[kevinmarks]
"what if there is a service behind the firewall that takes a target parameter and launches missiles at it?"
KevinMarks joined the channel
#
voxpelli
[kevinmarks]: yeah, it absolutely does :/ two differences are: Web Push URIs aren't scraped from a URL but created in a browser client + the call is triggered separately from the lookup of the URI
#
voxpelli
+ Webmentions actually deal with the DoS scenario of the target parameter, while Web Push only deals with the DoS scenario of a user-agent, not of the Push URI: https://tools.ietf.org/html/rfc8030
[jeremycherfas] joined the channel
#
www.svenknebel.de
edited /next-hwc (+0) "update to next weeks iteration"
#
www.svenknebel.de
edited /events/2017-05-03-homebrew-website-club (+112) "/* West Europe */ Berlin cancelled for this week"
miklb, KevinMarks_, gRegorLove and [kevinmarks] joined the channel
#
kevinmarks.com
edited /press-kit (+96) "/* Contacts */"
KartikPrabhu, KevinMarks and leg joined the channel
#
[kevinmarks]
o_O amazon was routing to some other heroku app?
#
[kevinmarks]
I'm pretty sure I changed that a long time ago
[colinwalker], [chrisaldrich], leg, [eddie] and [cleverdevil] joined the channel
#
[kevinmarks]
it's very hard to live tweet when routing is this broken
tantek, KevinMarks and leg joined the channel
#
jonnybarnes
got TLSv1.3 working on my website :)
#
jonnybarnes
well, draft-18 which is what’s implemented in the browsers
[manton], miklb, tantek, [chrisaldrich], [ianmjones], KevinMarks, [mko] and sknebel_ joined the channel
#
aaronparecki.com
edited /Micropub/Clients (+218) "add a micro.blog client and sample code"
kapowaz, KevinMarks, KevinMarks_ and tantek joined the channel