[Rose]!tell eddie, would you be open to a pull request to add colour theming to Indigenous? (I would love to be able to change that orange, and offering a few built in theme colours with a switcher and matching icons might be nice)
[jgmac1106][tantek] from main channel...yeah I even thought about Fun little easter egg prizes...just needed an emoji mapped to each post type...really could work with any set of feeds not just microblog come to think of it...may not even need mapping if the unicode is linked on websites
[jgmac1106]on a different note I need to figure out how to reset caching when I update the nav in my class websites. Students sometimes miss updates for a long time
[jgarber]Halting sending in that circumstance makes sense. Does similar logic apply to any of the other IndieWeb-ish endpoints (e.g. `authorization_endpoint`, `token_endpoint`, `redirect_uri`, `micropub`)?
[jgarber]The Webmention spec outlines a circumstance where a malicious website might advertise a Webmention endpoint on `localhost`, `127.0.0.0/8`, etc. which could cause a sender to POST to itself.
[jgarber]The IndieAuth spec outlines how a client should verify `redirect_uri`, but I couldn’t tell if any of the other endpoints had similar security concerns.
ZegnatBut I will have to have a slightly longer think about it. E.g. you post to micropub endpoints the same way as you do to webmentions, so that could have the same issue.
[jgarber]> When the sender discovers the receiver’s Webmention endpoint, there are few legitimate reasons for the endpoint to be localhost or any other loopback address.
ZegnatNo, I mean, you may not need to verify loopback because you are redirecting the UA to that URL. So it would be up to the UA not to load it if loopback is an issue.
sknebel(basic example: if I host a public thing from inside a protected network, and only have a hole for that thing poked into the firewall, someone being able to coerce it into accessing internal URLs and "helpfully" reporting error responses isn't wanted. If I run a bunch of e.g. known instances in a university network it'd be a shame if they didn't talk to each other because "internal network, not secure")
sknebelthere's the topic of problems with url parsers and fetching libraries too, e.g. I think if you use libcurl in some scenarios you can give it specially crafted urls that you can use to have it make almost arbitrary network requests
[jgarber]Where the `reject` option is an array of either strings or regular expressions matching host names that the discovery client should _not_ return in the result set.
ZegnatMine can return the IP address it checked so I can force the request in the next step to go to the same IP (no chance for DNS poisoning between discovery and usage)
[tantek]I really like the "Local-first" framing of this article (I'm still cautious about CRDTs) - however all the local / user-model analyses in the article IMO apply to everything IndieWeb as well: https://www.inkandswitch.com/local-first.html
LoqiIt looks like we don't have a page for "local first" yet. Would you like to create it? (Or just say "local first is ____", a sentence describing the term)
Loqioffline first is a method of developing a website that once a user has visited it once on their device, it will always provide at least some content (posts) and or features (like creating posts) when they revisit even without internet access, using technologies like Service Workers and Local Storage https://indieweb.org/offline_first
ZegnatIf you want a walkthrough of the code, happy to provide. But basically the first two ifs are if the host itself is an IP, and the last else is to resolve DNS otherwise. After establishing the IP, it uses the built-in validator of PHP to make sure those IPs are acceptable.
[jgarber]Thanks! I was able to divine the meaning of the constants with some clever searching. PHP’s got some handy utilities for matching IP patterns.
[jgarber]> It is recommended that the Webmention sender uses this information for posting the mention. Use one of the checked IP addresses to post to (instead of the domain, which might redo the DNS lookup) with the host in a `Host` HTTP header.
ZegnatSometimes it is a little tricky to do this though. E.g. curl still needs the domain based URL to make HTTPS work, so you need a separate option to tell curl not to resolve the domain name and define the resolved ip yourself.
ZegnatI haven't done any special protection against that. I looked at the DNS / IP issue, but it uses a PHP URL parser so the checked URL may suddenly point elsewhere when put into your http lib...
sknebel(as in, if your webmention processing runs in an extra process and you're on your own server, you can firewall it from accessing any weird ports or local IPs)
[jgarber]Okay, that’s what I suspected (re: scheme). Not sure what to make of possible TLS errors. Will have to play around with the HTTP library I’m using.
ZegnatMy workaround is purely about resolving the domain and DNS poisoning between the DNS check and making the request. It has nothing to do with the URL parsers, and is instead about the loopback IPs section from the spec.
aaronpkthat slide deck is relevant though because if you think you're checking for a loopback IP in your first step but your HTTP client is then parsing the input URL itself, you've introduced that problem described
gRegorLove_, [eddie] and [jgmac1106] joined the channel
sknebelsure, it's a weakness of that mechanism (potentially, depends on how exactly the fetch is done), but doing the check like Zegnat's code doesn't make it worse - it still eliminates some vectors
[jgarber]The Micropub and Webmention specs make no reference to endpoints with fragments. The IndieAuth spec mentions prohibiting fragments in URLs pursuant to profile URLs and client identifiers.
jackyyeah fragments / anchors are interesting for reading information but for sending a request? that seems a bit weird (aka not conventionally used in requests)
aaronpkdoes HTTP say anything about POST requests and fragment URLs? cause that doesn't really make sense at all and isn't something we should need to define in every spec
[jgarber]I agree with the sentiment that a URL with a fragment isn’t super useful. Where it’s mentioned in the specs, it’s obvious that endpoints can’t contain fragments, which I infer to mean that a discovery client would flat out drop those URLs on the floor and return either no endpoint found or a different endpoint if multiple are specified.
[manton]@GWG Yes, the issue was WordPress using SVGs (icons like the location icon) without any width/height in the HTML. I added some CSS to parts of Micro.blog to make that icon small again. I personally think all img tags should have width/height when they are in feeds, because you can't rely on any default CSS when it's a feed.
@johnchidgey↩️ Anyone that’s followed your work Marco would know this before asking. I have a similar opinion of WebMention/ActivityPub for blog entries, which is why I haven’t set that up either. (twitter.com/_/status/1125549815792787456)