tantek_, [chrisaldrich], brobertson, wagle, http_GK1wmSU and mblaney joined the channel
#mblaney!tell voxpelli I've been thinking about indie-config since my firefox issues with it last week. What do you think about the privacy implications of any site being able to load your config once you have the web+action protocol registered? (Imagining a world where everyone has done that...) the iframe loading can be done without the user having any visual indication that their details have been given to the website they have visited...
#Loqi[Jeremy Cherfas] Making link posts in WP work for me
#voxpellijeremycherfas: yeah, my webmention endpoint does not fetch and resolve external h-cards yet, could you add an issue to the GitHub repo?
#Loqivoxpelli: mblaney left you a message 4 hours, 41 minutes ago: I've been thinking about indie-config since my firefox issues with it last week. What do you think about the privacy implications of any site being able to load your config once you have the web+action protocol registered? (Imagining a world where everyone has done that...) the iframe loading can be done without the user having any visual indication that their details have been given to the website they have visited...
#voxpelli!tell mblaney An indie-config iframe can have a whitelist of pages it wants to send the config to and have some kind of mechanism for prompting the user to add a site to that whitelist, so the privacy implication should be possible to handle
#dgoldmy media server and my site server are different locations
#sebselThe way I do it, is that I determine the Atlas URL I need (so: the coordinates and the settings as params to the URL) and then I just do a curl, and save the returned body to a file.
#sebselBut, my media server and my site server are on one place.
#Zegnatdgold: you wouldn’t necessarily need to go through a media server if your micropub endpoint can handle grabbing the file.
#ZegnatI.e. the micropub endpoint knows it has to go and save a checkin type post, at that point it can also fetch the image and save that alongside it. No reason to have the MP client upload the image separately.
#dgoldyeah, that's what I've switched to doing. sebsel's comment was welcome
#sebselAnd it's a neat function you can reuse. I fetch external author images for incoming webmentions, and u-photo from posts I like, so I have a personal copy of it (not shown on my website).
#sebselOh, same script runs on things I repost / retweet, but then I do show the u-photo.
brobertson joined the channel
#sknebelaaronpk: btw, if you want someone to read through material for indieauth.com or your oauth draft, just send me the link :)
KevinMarks joined the channel
#mblaneyvoxpelli yes implementing a whitelist for indie-config seems to be the only way to deal with the privacy issue. Unfortunately that pretty much defeats the purpose of it, which is to provide an easy way to tell a site you want to interact with who you are.
#Loqimblaney: voxpelli left you a message 3 hours, 26 minutes ago: An indie-config iframe can have a whitelist of pages it wants to send the config to and have some kind of mechanism for prompting the user to add a site to that whitelist, so the privacy implication should be possible to handle
#voxpellimblaney: all privacy sensitive API:s on the web has such whitelists / prompts though? Geolocation, camera, microphone etc
#voxpelliIf such config exposure was standardized in the browser then exposing such a prompt would probably be mandatory
#mblaneyYes I guess I just came to the realization that there's no way to automatically tell another site who you are. If there was such a mechanism it would be a privacy violation, hence the need for a prompt from the user.
KevinMarks_ joined the channel
#mblaneyI've got some ideas for how to fix it without needing to store a whitelist... will experiment a bit and report back what I discover ;-)
#voxpellimblaney: one way to solve it is to actually never give the site the info but to only have the site tell the browser what it wants to be done, a browser native indie-action button could do that
#mblaneyyes I was thinking about that too, but it's not very webby if you don't put the links in the page. And as soon as you do that, the site has access to your details.
#mblaneythat sort of thinking led me to looking into bookmarklets, because then the user controls the action.
#mblaneybut you could write a bookmarklet to sign in a user or pull their own config, all prompted by the user undertaking the action, so that's what I'm going to look into doing next.