#dev 2018-07-14

2018-07-14 UTC
[chrisaldrich] joined the channel
#
gRegorLove
I wrote up my conundrum about indiebookclub Micropub. Feedback/suggestions welcome: https://gregorlove.com/2018/07/micropub-properties-for-indiebookclub/
#
aaronpk
i've done that settings toggle thing a bunch
#
aaronpk
both in ownyourgram and ownyourswarm
#
aaronpk
and teacup I think too
#
aaronpk
I add a flag to the user account, setting all existing users to the old behavior, and all new users to the new behavior
#
aaronpk
then I add a notice when someone logs in saying that they are using a deprecated feature and should update if they can
#
gRegorLove
Yeah, I got that idea from Teacup. I saw you could enable h-food
#
aaronpk
that pattern seems to be working well
#
gRegorLove
Which is also experimental, so made me question if the -x- is necessary.
#
aaronpk
yeah I don't think i've done it the "right" way either
#
gRegorLove
Would an -ibc- prefix be preferable to -x-?
#
aaronpk
I don't think so
#
aaronpk
that's a vendor prefix, but your tool isn't meant to be vendor-specific
[kevinmarks] joined the channel
#
aaronpk
I use p3k- as a prefix for some things that are p3k-specific features like my "channels" of content
#
gRegorLove
I like the deprecated feature notice idea. I'll probably do that.
#
KartikPrabhu
right. the vendor-prefixes are sort of for internal use only
#
KartikPrabhu
and most likely should not be consumed outside the application
snarfed, DenSchub, KartikPrabhu and renem joined the channel
[chrisaldrich], snarfed, trip_, barpthewire and TripFandango joined the channel
#
@mtk_ken23
At an electronics store I asked whether they had an OTG-capable USB-C to Micro-USB cable for connecting a smartphone to a portable amp, and they said they didn't have any in stock. When I said that today's smartphones use USB Type-C, they said, well, yes, that's true, but...
(twitter.com/_/status/1018044586139123712)
iasai and [jgmac1106] joined the channel
#
Zegnat
gRegorLove, re: -x- prefix, I specifically opted to drop it for pronouns (https://wiki.zegnat.net/microformats/pronoun) after reading https://github.com/brentsimmons/JSONFeed/issues/19 and https://tools.ietf.org/html/rfc6648
#
Zegnat
That latter RFC is specifically about deprecating X- prefixes for much the reason you state in your blog post: it is annoying for implementations when you get to the point where you drop the prefix from your thing in the future
#
Zegnat
Some food for thought :)
deathrow1 joined the channel
#
Zegnat
That’s not even including schema.org, [jgmac1106] ;)
#
[jgmac1106]
yeah I was trying to figure out where it comes from all the schema.org is there native this is if you want "extra"
#
Zegnat
Can you fork and add options for mf2? ;)
#
[jgmac1106]
.....yes but I could also just use plain html files much easier...which is the reason we are going to just use gDOCS to get book done. "Can you fork and add options for mf2? ;)" for the book sounds so much better than writing the book
#
[jgmac1106]
after it is off to publisher we will explore, but I might move to scalar for all my long academic writing
#
Zegnat
I was actually doing some HTML work on an EPUB I was reading after I noticed some terribly messed up headings last month. Plain HTML files are nice.
#
Zegnat
What is Scalar?
#
Loqi
Scalar is a free, open source authoring and publishing platform that’s designed to make it easy for authors to write long-form, born-digital scholarship online https://indieweb.org/Scalar
#
[jgmac1106]
found the html to rdf: https://github.com/anvc/scalar/tree/master/system/application/rdf wouldn't be hard but project for after book and grant are done
[wiobyrne], [jgmac1106], deathrow1, [mrkrndvs], [jgarber], sketchess, [kim_landwehr], tantek__ and davidmead joined the channel
#
sknebel
hm, the changing endpoints cases are interesting. wonder if it makes sense for aperture to re-check the users homepage on token verification failure?
#
sknebel
although that could easily create quite a few unnecessary requests
#
sknebel
unless ratelimited etc, and that's another layer of complexity
barpthewire joined the channel
#
Zegnat
It also feels a little iffy security wise, maybe? Presumably you want Aperture to check tokens with the token endpoint you register with it. For Aperture to automatically change that token endpoint on the back feels unexpected to me
#
sknebel
I'd say: presumably you want Aperture to work, with the same configuration as your micropub client etc.
#
sknebel
it storing the endpoint is a workaround because it can't know it any other way
#
sknebel
well, not quite, it could look it up as I just mentioned. but it needs signup and per-user urls for that
#
sknebel
I guess it's a better compromise to maybe have the error message point it out
#
aaronpk
If you log in to aperture again it will find your new token endpoint
#
aaronpk
I think that’s good enough
#
sknebel
after asking in chat for help, and someone telling you that's a thing that works ;)
#
aaronpk
I guess I could add a thing that checks your home page after a token failure, since it doesn't make a request to the token endpoint every request either
#
aaronpk
Is that actually the problem that happened here tho?
#
sknebel
see scrollback from #indieweb? likely two cases
#
aaronpk
I think another thing I can do is make monocle return a more helpful message when it gets a 401 or 403
#
sknebel
(we'll know once they report back)
snarfed, [miklb], [jgmac1106], KartikPrabhu, [wiobyrne], [jgarber] and [kim_landwehr] joined the channel
#
[kim_landwehr]
That would be really helpful [aaronpk] for those of us who are code message challenged 😅
renem joined the channel
#
aaronpk
i'm trying to figure out the best message to return in that case. technically monocle doesn't know anything other than something went wrong trying to use the token it got.
[grantcodes] joined the channel
#
[grantcodes]
[eddie] out of interest how are you setting up your dynamic site? Node + a database?
[wiobyrne] and [eddie] joined the channel
#
[eddie]
[grantcodes] probably a database at some point for caching. Right now I’m actually just fetching the posts dynamically from the Jekyll files right now. It’s a little slow but not unbearable
#
[eddie]
My plan is to have this be the “default functionality” if the database becomes unavailable for any reason
#
[eddie]
But if the database isn’t empty then it’ll use that for caching
#
[grantcodes]
Hmmm interesting way to set it up, so the majority of your site will still remain static too?
#
[eddie]
The goal is for the whole site to become dynamic as far as the views. But I want my canonical data to remain as static files (markdown, yaml, JSON)
#
[grantcodes]
Cool. I think my new backend _may_ be able to do static files, not tried that yet though. I might just move to SQLite
#
aaronpk
i've been really happy with the static file storage + DB index approach
#
[eddie]
Yeah, the only thing I love about Jekyll is the storage model
#
sknebel
I probably should retire my DIY-indexes at some point too
#
sknebel
but for now they work
#
[eddie]
Although I’m considering if I want to do yaml or JSON as the final data storage once I move completely off of Jekyll. I’ve read about some potential strangeness in Node.js about converting yaml and JSON a lot. So once I implement Micropub updates, I’m wondering if I wanna store data in mf2 json, rather than yaml
#
aaronpk
I like yaml cause it's way easier to write by hand
#
aaronpk
I suspect if you're sticking to mf2 yaml you won't have problems, because that's just objects, arrays and strings for everything
#
[eddie]
Ohhhh that makes sense. Maybe the issues come in with the more complicated yaml
#
[eddie]
I’m not a HUGE fan of white space having meaning, like in YAML. But I’ll probably stick with it until I find a major pain point.
#
[grantcodes]
Huh and having only ever used micropub for content on my site, I feel I have no need for static files. But can see why others would like them
#
aaronpk
I like how easy it is to back them up, move them around, and keep old versions in git
jjuran and barpthewire joined the channel
#
KartikPrabhu
what is file-storage?
#
Loqi
File Storage is the practice of storing main (primary) site content in flat files in a filesystem https://indieweb.org/file-storage
sketchess joined the channel
#
sketchess
good morning tech coner
#
sketchess
+r
#
sketchess
Well, how do I start........
#
sketchess
I lack knowledge. Most tech articles don't address the basic concepts needed, leaving me with more questions than answers.
#
KartikPrabhu
pick one question to ask and then go from there
#
sketchess
I am developing a static website. A good amount of content shall be available to download in the future. So security is in mind. I am aware of the existence of HTTPS encryption, which is currently not booked. In search of additional layers of security preparations, I came across XSS, whitelisting.....
#
sketchess
My goal is a pure HTML5 CSS project. So no scripts at all. Further, highly accessible.
[wiobyrne] joined the channel
#
sketchess
I remember that I saw a method to block scrips entirely nearly a year ago. Wonderded since, if script blocks could affect for example screen readers in any way.
#
sketchess
+t
#
sketchess
-d
#
sketchess
I try to find and figure out security layers which are easy to implement by beginners and are beneficial.
#
Zegnat
sketchess, as far as security goes, for a static site I think you have pretty much all you can do if you have HTTPS (as protection against man-in-the-middle attacks/hijacks of your content) and a content security policy (this lets you block other people from maliciously inserting javascript onto your website).
#
Zegnat
But if you are just publishing HTML and CSS, there isn’t a whole lot of “security” to think about, honestly
#
sketchess
Even though downloading files like mp3?
#
Zegnat
There isn’t a lot you can secure there. Unless you mean you want to put in access control (limit who can access and download the file)
#
Zegnat
If someone tells their browser to download the URL of an MP3, there is really not much happening to secure. The browser requests the file from your server, and your server sends it to them. If you enable HTTPS, the communication between browser and server will be encrypted so outsiders can’t see what is happening. That’s about it.
#
sketchess
How about websites which don't run HTTPS? I just have to ask.
#
Zegnat
No HTTPS means the data between the browser and the webserver is readable by everyone on the network. (In very broad terms.)
#
Zegnat
If there is no HTTPS, someone can see that I am downloading an MP3 file from your server. If there is no HTTPS, someone could intercept a page when it is travelling from your server to my browser and put different things on the page.
#
sketchess
Like man in the middle, right?
#
sketchess
How vulnerable is HTTPS to XSS?
#
Zegnat
They might put ads on there (I think some planes have done that?) or even cryptominers (that take my PC's CPU to earn money for the attacker). Or they could try browser exploits to get access to other things. Or, less dangerous for me as visitor but bad for you, could change your text to suddenly present extreme political points or something.
#
Zegnat
XSS has nothing to do with HTTPS
#
Zegnat
What is XSS?
#
Zegnat
No description, Loqi?
#
sketchess
Cross Site Scripts....
[jgmac1106] joined the channel
#
Zegnat
So, XSS is when I somehow get your site to execute code I have written. If you have a guestbook page, I might try to slip some javascript in there that attacks the next visitor.
#
Zegnat
There is definitely some overlap with MitM. Since a MITM could choose to add some malicious scripting as well. But they are usually described as two different attacks because you attack two completely different things.
#
Zegnat
MitM attacks the network transfer between server and browser, XSS is trying to get the site to run my code.
#
sketchess
No search, no comments, no form fields etc. intended.....
#
Zegnat
If you have no forms on your website, and you don’t have query parameters in the links (example: file.php?a=b), you don’t really have to worry about XSS
#
Zegnat
And if you have no JavaScript of your own at all, you can actually add a short header to the server response that tells the browser to never run JavaScript on the page. That way, even if someone sneaks scripts onto your page, they never run! :D
#
Zegnat
That would be done with a content security policy.
#
Zegnat
What is CSP?
#
Loqi
Content-Security-Policy (abbreviated CSP) is an HTTP directive that a site can use to restrict what external resources are retrieved by a browser, to mitigate some XSS and injection attacks https://indieweb.org/csp
#
sketchess
Yep, the script block, I have had my eyes on it for quite a long time. Sadly I tend to forget things I have known. Same goes with queries.
#
Zegnat
No problem :) But that’s about as much of a security rundown as you would need. If you are responsible for the entire server, you probably want to look at firewalls, rate limiters, maybe fail2ban... But those aren’t really your responsibility if you are just putting a site online and have the server managed by a hosting company.
#
Zegnat
Feel free to propose a website security talk on the next virtual HWC if you are attending, sketchess! We are always looking for topics and it might be an easy way to ask some specific questions :)
#
sketchess
The letters CSP don't sound familiar yet.
#
Zegnat
It is a very technical name. The HTTP header is called “Content-Security-Policy”, so the abbreviation is CSP.
#
sketchess
I already asked for it at main chat.
#
Zegnat
Your website’s content security policy tells a browser from where it is allowed to load images, scripts, stylesheet, media, etc.
#
sketchess
Would be for mine just self-made content.....
#
Zegnat
So you can tell browsers that scripts shouldn’t be loaded from anywhere (not even from your own server!), stylesheets only from your own domain, and maybe you host images on flickr so you allow those from flickr.
#
sketchess
+t
#
Zegnat
Yes. You could just set the default to “self” and then browsers should only load assets from your domain and nowhere else.
#
sketchess
What did the no-script line look like?
#
sketchess
I didn't find it so far. It would have triggered memories.
jjuran and [kevinmarks] joined the channel
#
Zegnat
sketchess: Content-Security-Policy: script-src 'none'
#
Zegnat
Probably
#
Zegnat
You could have something like `Content-Security-Policy: default-src 'self'; script-src 'none'`. So you, by default, only allow assets to load from your own domain (self), and do not allow scripts at all.
#
sketchess
I honestly love it when you guys drop incomplete lines. It always makes me laugh about myself. So which characters are still missing? Any <> ; ".......
#
sketchess
Destination?
#
Zegnat
Nothing is missing there.
#
Zegnat
It is an HTTP header. They are always just a name, followed by a colon, followed by a value.
#
Zegnat
And then they end with a line break
#
sketchess
Aha.
#
Zegnat
Someone also wrote some “why?” sections on that page, so you can read about why you might want to include them :)
#
Zegnat
tantek++ for the why sections on /CSP! Great example of capturing reasons to do things from real usage rather than just the technical possibilities!
#
Loqi
tantek has 39 karma in this channel (456 overall)
#
sketchess
researching
KartikPrabhu joined the channel
#
Zegnat
If you are on Apache hosting, you can probably create a .htaccess file to add a CSP. So just that one file with one line of code will be enough to up the security of your entire website :)
#
sketchess
Hmm... different ways to implement it.... meta for example.....
#
sketchess
I run on Apache...
#
Zegnat
Yes, you can use a meta element. But I would recommend setting it once for the entire server so you can apply it to all pages at once.
#
Zegnat
If your hosting provider doesn’t let you use .htaccess, then fall back to meta, would be my recommendation
#
Zegnat
CSP << [https://hacks.mozilla.org/2016/02/implementing-content-security-policy/ Implementing Content Security Policy] by Mozilla Hacks covers the basics of implementing CSP, based on what they learned from implementing it on addons.mozilla.org
#
Loqi
ok, I added "[https://hacks.mozilla.org/2016/02/implementing-content-security-policy/ Implementing Content Security Policy] by Mozilla Hacks covers the basics of implementing CSP, based on what they learned from implementing it on addons.mozilla.org" to the "See Also" section of /Content-Security-Policy https://indieweb.org/wiki/index.php?diff=49960&oldid=43994
#
sketchess
If you hadn't mentioned .htaccess, I probably would have had a good amount of articles to search through, not knowing what to look for.
#
Zegnat
The article I just added to the wiki via the chat (on hacks.mozilla.org) is a pretty nice primer on how to set it up, I think. Also mentions how to add it on apache (htaccess), nginx, or the meta element.
#
Zegnat
Hope to have given you much to read now ;) I am just getting my Kindle ready to have some nice stuff to read on tomorrow’s multi-hour drive myself.
#
sketchess
Luckily I have access to .htaccess. I considered setting up a password once.
#
Zegnat
Once you add a password, you probably want to consider looking into HTTPS even more, as you then have something being sent over the network that you want to keep secret
#
sketchess
lets see, if I have the same mozilla site open xD
#
Zegnat
Maybe you have, haha
#
Zegnat
Mozilla has done a great job describing this webtech, at least for developers
#
sketchess
No, I don't. Got another on through search.
#
sketchess
+e
#
sketchess
Just considered..... :D
#
sketchess
Well if I can't get my hand around CSP and fail to do it correctly, I can ask further Support or Indieweb(ers).
#
sketchess
Good to have an easily achievable starting point.
KartikPrabhu joined the channel
#
sketchess
Still wondering, if screen readers are somehow affected? Lack of knowledge how they work. (software)
#
KartikPrabhu
sketchess: if your content is in HTML then screen readers should be fine
#
sknebel
yeah, screenreaders should entirely use privileged APIs you can't restrict, so CSP etc shouldn't affect them
#
sknebel
(that said, for a purely static site I can only think of very few benefits for CSP, so not sure I'd recommend spending time on it)
#
sketchess
I hope one day all those very abstract concepts will become easier to process. (thoughts based)
#
KartikPrabhu
sketchess: there really is no need to first try to understand all these things and then implement them. It is easier to implement first and iterate
#
sketchess
It benefits my night's sleep sknebel.
#
sketchess
That's why I hope even more, KartikPrabhu.
#
sketchess
I have a great idea. Let us switch brains for a day. Can you handle a Ferrari?
#
sketchess
The engine is ok, but for the rest I am giving no guarantees. Hahaha
#
Loqi
hahaha
#
KartikPrabhu
if we switch brains then it won't be very useful
#
KartikPrabhu
also you really don't want my brain :P
#
sketchess
I could say the same.
#
Zegnat
Brains are messy, gooey things. I can’t wait to upgrade to silicon.
#
KartikPrabhu
I'll keep my brain, thanks Zegnat
#
sketchess
I thank the heavens for the log. Tomorrow I can reread the whole thing and shake my head at all I have missed.
#
sketchess
Zegnat++
#
Loqi
zegnat has 76 karma in this channel (259 overall)
#
Zegnat
Feel free to ask more questions tomorrow sketchess. I’ll be in a car for ... I don’t know ... 5 hours? 6? Plenty of time to answer questions.
#
sketchess
I always save the odd one. :D
#
sketchess
So enough brain knots for today. Have a very lovely night and sleep.
#
sketchess
bye
gRegorLove joined the channel
#
gRegorLove
The IETF issues with -x- were mentioned briefly, though my takeaway was that with microformats better handles standardizing vs rejecting. https://chat.indieweb.org/microformats/2018-07-09#t1531178953998900
#
Loqi
[gRegorLove] I thought there was some recent instance where that was recommended against?
#
gRegorLove
My gut feeling is that `read-status` is likely to change at some point in the future, to some property that listen, watch, exercise, and maybe others can use, so I'm definitely leaning towards prefixing that one.
#
Zegnat
Seems fine. I guess I am just not a fan of -x- in general. The mf standardising I think doesn’t really help it either. It is no longer experimental when you get multiple consumers using it? So you specifically want live implementations grokking -x-something before dropping the -x-. Which is exactly what the RFC people have seen is problematic, because it is hard to get live implementations to change.
#
Zegnat
If you already know read-status is likely to change to a completely different name, that is less of an issue
#
Zegnat
[insert huge amount of in-my-humble-opinion behind every period and comma]
#
gRegorLove
"It is no longer experimental when you get multiple consumers using it?" This was my initial thinking, which is why I proposed adding those properties as proposed to h-entry. But really, a narrow use-case was driving it forward and I hadn't thought about re-use.
#
gRegorLove
Heh, understood. I don't have strong opinions about it; just realized my understanding of the process to add microformat properties was lacking. Want to make sure I don't cause problems down the line.
[chrisaldrich] joined the channel
#
pstuifzand
I just implemented Indieauth for the Microsub channels in Ekster. I can now easily connect indiepaper with Ekster and read articles in an Indiepaper channel.
#
pstuifzand
Aperture (the micropub part) is a great example of how Indieauth is something we actually need to have on more websites.
#
pstuifzand
This makes it very easy (once implemented) to connect services to each other
#
pstuifzand
I could see how this will make it possible for websites to send notifications to the microsub backend.
#
aaronpk
yeah! I have a few things sending notifications into my notifications channel already
#
pstuifzand
at the moment I only use it for webmentions, but I guess notifications are everywhere
#
KartikPrabhu
webmentions are a kind of notification
#
pstuifzand
and at some point the microsub server could generate its own notifications
#
@pstuifzand
Ekster now supports actual Indieauth to the Microsub channels. It's now possible for example to connect with http://indiepaper.io and "archive" pages to a channel. But of course the possibilities are endless. https://p83.nl/p/795
(twitter.com/_/status/1018267482015043585)
[jgmac1106] joined the channel
#
[jgmac1106]
If anyone can take a look at the h-card example I wrote for [wiobyrne] in #wordpress, that would be helpful. I got confused on the difference between u-uid and u-url since the h-card was on a site different than his canonical url
snarfed joined the channel
#
sknebel
replied there
KartikPrabhu joined the channel
#
[jgmac1106]
Thx went back and forth on the two