#[eddie]!tell aaronpk: IndieAuth.net section 5 is Authentication, but 5.2, 5.3 and 5.4 all say Authorization. Iβm thinking those should say Authentication? It tripped me up because I focused more on the subtitles than the titles so I found myself in Authentication when I was looking for Authorization
#dgoldcurrently mashing my head against php, again
#dgoldon my test-server, my script is snding likes and reposts properly to twitter as likes and reposts
#dgoldon my homesite, the same script sends them as a blank post
#GWGdgold: I always try to build in a debug mode that can be enabled to send extra info to the logs.
#[eddie]IndieAuth Authentication/Authorization: When a client is making the initial request to the endpoint, if required params arenβt found such as client_id, redirect_uri, etc. What should the endpoint return? Does it follow standard OAuth 2.0 rules such as the error response section of this page?: https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
#aaronpkyes, although there is an important distinction that I should probably clarify on that page
#aaronpkyou need to abort and *not* redirect in certain error cases like missing/invalid redirect URL or client ID
#aaronpkyou should only redirect with an error if the client ID and redirect URL are okay
#GWGaaronpk: I've been trying to internalize the spec
#[eddie]Ahh gotcha. :thumbsup: So any error besides redirect_uri/client_id errors should follow that redirect with the error, but if it's redirect_uri/client_id you should display the error within your own UI
#GWGI'm not currently checking for client or redirect errors. It will come
#[eddie]So basically as I read through the IndieAuth spec, if it doesn't address something specifically, I should check OAuth 2.0 and go by that in most cases that the IndieAuth spec doesn't define
#Loqi[Luke Wagner] Mitigations landing for new class of timing attack
[cleverdevil] joined the channel
#[cleverdevil]I've been thinking about this a lot, with regard to the web. It seems to me that JavaScript should be delivered by browsers using a trust model similar to that of apps on iOS or Android.
#[kevinmarks]turning off SharedArrayBuffer is pretty severe for WebASM
#[cleverdevil]When you visit a website that needs JavaScript, the browser should inform the user that the website is requesting permission to run JavaScript, and the user should have to grant it.
#tantekcleverdevil, do you run with NOSCRIPT? because that's essentially what that does
#LoqiAndroid is an open source operating system for mobile devices (AOSP) combined with a set of proprietary cloud services provided by Google https://indieweb.org/Android
#LoqiIt looks like we don't have a page for "mobile posting" yet. Would you like to create it? (Or just say "mobile posting is ____", a sentence describing the term)
#GWGYou add in the users from Micro.blog who might use it, plus people with their own sites who could post to them using an app, there would definitely be a nice reward if we can get someone to try writing a reasonably nice one.
#GWGI really don't think I can take on an Android app as a project, but I'd really like to try to talk someone who does that stuff already into writing one.
#tantekGWG, Kevinmarks, please add to /Android which now has more structure
#LoqiAndroid is an open source operating system for mobile devices (AOSP) combined with a set of proprietary cloud services provided by Google, which some use to post to their IndieWeb sites https://indieweb.org/Android
gRegorLove joined the channel
#GWGUmm...why does Ben Roberts post to his site snarfed.org?
#tantek.comedited /100DaysOfIndieWeb (+492) "100 Days of Positive Doing Posting Days, move last year's to previously (until someone wants to re-up for this year!)" (view diff)
#ZegnatGWG, we are hopefully close to more share interaction on Android. The Twitter PWA that they announced after working together with the Google folks seems to already include some share setting in their manifest file IIRC.
#gRegorLoveInteresting. I guess I'd misread the DMCA safe harbor stuff before. It doesn't appear there is any particular protection it provides if you're a content creator who posts copyrighted work.
#gRegorLoveSo someone could just go to your host and get you taken down?
#gRegorLoveAnd it's at the host's discretion whether they contact you or not first
[cleverdevil], cweiske, bengo, [davidmead], [manton] and tantek joined the channel
#dgoldDMCA safe harbor is just for the hosts, not for the users
#Loqi[tantek] thus if you're displaying the HTML of a photo post from somewhere else, you should be able to say hey, drop any img tags in the HTML because I already know the ones I care about
#grantcodesSimilar issue with a lot of name / content duplication. I see decent number of posts were perhaps the name is just a truncated version of the post or plaintext version or I think I've even seen Twitter friendly version appear vs indieweb versions (@handle changed to @website.com). I imagine it'll be hard to dedupe everything but the majority should be quite possible
[kevinmarks] joined the channel
#aaronpkI have quite a bit of code handling that already, so feel free to file issues on XRay with examples you're finding
#grantcodesI think it makes sense to insert newly followed content in based on the published date, when I had a channel that had a bit of content and added a new subscription it's annoying that the entire first page may become out of date content from that feed
#grantcodesCommits / Pull requests accepted π Probably the easiest major thing to help with is the card component that displays the post. Needs to handle all those other properties that I've not worked on yet
#tantekat some point I wonder if new /reader UIs should start warning users when they choose a lower fidelity feed like RSS when a higher fidelity one is available
#aaronpkone problem there is knowing when two feeds are roughly equivalent
#[cleverdevil]It should likely just pick on its own, unless the user clicks some sort of "advanced" view.
#aaronpkfor example known links to a bunch of rel=alternates
#[cleverdevil]In Together, when you go through that interaction, it shows you a preview of a feed before you follow it.
#aaronpkwerd.io shows only front-page posts, but links to werd.io/content/all which has a bunch more content
#grantcodesWhat has become quite clear is those content filters that I set up in together are not that useful with microsub as is. Like in your video you clicked to load more reposts but that's not possible with microsub. But think it's more a ui thing that microsub spec thing
#tantekthere's a difference between format / content-type, and the "purpose" of the feed (home page summaries, all content, etc.)
#aaronpktantek: I know, my point is that they often cross-link despite being quite different feeds
#aaronpkgrantcodes: what I'm finding I want is to set a default view per channel