#dev 2020-01-25
2020-01-25 UTC
# [dmitshur] for RelMeAuth (http://microformats.org/wiki/RelMeAuth), is it true that the rel=me link must be inside the body of an HTTP response (as part of the HTML), and there isn't a way to have a rel=me link included in HTTP headers?
# Loqi RelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth supporting services to authenticate via either those profiles or your own site. RelMeAuth is the technology behind web-sign-in. Editor: Tantek Çelik (http://tante...
# jamietanna[m] !tell snarfed if I were to omit links to bridgy publish to Twitter, would I still receive webmentions for responses to it? Or would it no longer work as it's not replying / liking / etc. that post?
# @aviansblog Checking Webmention adoption rate: https://www.tablix.org/~avian/blog/archives/2020/01/checking_webmention_adoption_rate/ (twitter.com/_/status/1221066002441613314)
# jamietanna[m] Tantek yep that makes sense. I'm thinking more for the case where I syndicate a post to Twitter and want to have backfeed for any interactions, but want to remove the post URL from the tweet as it's a little uglier than just the plain tweet content
# swentel https://brid.gy/about#link is how it works
# [jgmac1106] What is video?
# Loqi video is a type of post where the primary content is a video file (recorded movie, animation etc.) typically with audio, and has growing support on the indie web https://indieweb.org/video
# [jgmac1106] no examples with captions on that page
# @IanGray99282359 ↩️ Mini-Huygens type, or curiosity dangler spangler, or wide track rover for ice moons...kinetic dart from orbit to open hole for microsub.. (twitter.com/_/status/1221095594414039043)
# jamietanna[m] Thanks folks. Does that then expect that the `u-syndication` is the direct link to the syndicated content? If so I don't currently have that available so would need to implement first
# [dmitshur] > Yes. We never added http header support
# [dmitshur] [tantek] Thank you for confirming.
# [dmitshur] > no usecases
# [dmitshur] Have you considered the case of reducing the potential damage of forgetting to sanitize user-posted content on the page you use for signing in (via RelMeAuth)? If someone manages to inject a rel=me link, there’s a greater chance they can sign in via your domain unintentionally. Requiring bidirectional account linking helps reduce that risk, but so does moving/copying rel=me links from body to headers.
# [dmitshur] Just wondering if this was considered in the past or not yet.
# [dmitshur] Whoops, bidirectional linking doesn’t help, since if they can inject a rel=me link that’s used, they can point to any OAuth provider they control and link it back to victim’s site.
# [dmitshur] it’s possible to sanitize everything but forget to strip rel attributes from links. IndieAuth has support for putting authorization endpoint link in headers.
# [dmitshur] As long as headers take precedence over body, it may still help to be able to do that, because it’s easier to secure one’s http headers compared to a large dynamic page that changes more over time.
# [dmitshur] However, it won’t help people who don’t actively use their url for relmeauth. Only ones who use it actively and want to use a mechanism that is easier to have higher confidence in not having a hole.
# [dmitshur] Anyway, I’m not proposing any changes, I’m just collecting information for now. :)
# [dmitshur] Good points. I do think it’s very important to balance ease of use and security, because if something is easy to use insecurely, it can be a disservice and lead to unhappy compromised users.
# [dmitshur] As more data points:
# [dmitshur] • the IndieAuth client code I’ve written (and plan to publish as open source after finishing code review) implements looking at headers before body, that was one of the first things I wanted to implement correctly per spec.
# [dmitshur] • My current site uses links in <head> for both relme to GitHub and rel=authorization_endpoint, but I now plan to move the IndieAuth endpoint link into headers after thinking through the trade-offs. I can do this because indieauth supports it. I wish I could do it for relmeauth too but so far that’s not an option.
# [dmitshur] woohoo, thanks. looking forward to review comments.
# [dmitshur] yep, that's commits 2 and 3
# [dmitshur] want me to break them out into a standalone PR? or 2 PRs? whatever is easier for you. I'm also fine if you just cherry-pick them into master.
# [dmitshur] GWG it's just typo fixes/terminology clarifications. https://github.com/indieweb/indieauth/pull/37/commits
# [dmitshur] I'm wondering, are you planning to merge the PR (when we get there) via rebase strategy? I'd like the commit messages of individual commits to be preserved rather than squashed into one blob.
# [dmitshur] so is it okay that I just rewrite history and force push the PR with an updated commit? (sorry, I'm really used to Gerrit's ability to send individual commits as separate CLs, and struggling to replicate that workflow with GitHub PRs lol)
# sivy good am indieweb-dev
# sivy [KevinMarks]: thanks for the mention.tech link, I’ll check it out
# [dmitshur] so you plan to use "merge commit" strategy, right?
# sivy that’s a simple merge
# sivy versus rebase (take HEAD and apply change in sequence over top) or squash (merge all changes into one commit, applied to HEAD)
# sivy hm, might port cassis auto_link code to Go one of these days (not today :) )
# [dmitshur] I personally enjoy the strategy of having individual commits (of high quality, after code review) rebased on top, without any merge commits. it makes reading git history a pleasure without the noise of "Merge pull request #58 from codec-abc/patch-1" commits.
# [dmitshur] at least GitHub makes it easier to see the diff after a force push now. e.g. https://github.com/indieweb/indieauth/compare/71314f6f2da22aeddbda75bc954aa20b848916b1..e96a9bfaf091992769d05d111d2c39950032aa23
# sivy Anyone know if webmention.rocks supports updating mentions?
# sivy I've been working on my "source" page to figure out what is needed for nice mention previews to appear
# sivy then I need to check my source
# sivy aaronpk - http://monkinetic.blog/static/webmention.html
# sivy that's the page i'm using as my "source"
# aaronpk here's a tutorial i wrote that slowly builds up a nice looking webmention reply by sending updates each time you make a change https://aaronparecki.com/2018/06/30/11/your-first-webmention
# sivy oh nice, thanks!
# aaronpk i just sent one manually to https://webmention.rocks/test/4 and it has your name showing up now
# sivy nice, looking at the tutorial now too
# sivy apparently deciding how much of a post to show is a common problem - I've been fighting some with what to do in my cross-posting code in goldfrog
# sivy to the point that I'm almost ready to support wordpress-style <!--break--> comments
# sivy yeah, "note" is hard to grok right now, especially as mastodon supports long 500+ character posts, and i'd like to take advantage in some cases
# Loqi A note is a post that is typically short unstructured* plain text, written & posted quickly, that has its own permalink page https://indieweb.org/note
# sivy note v. article on monkinetic: http://monkinetic.blog/2020/01/23/
# sivy yeah goldfrog uses no-title v. has-title as well
# [dmitshur] [aaronpk] I've addressed your existing comments. I gotta head out for https://events.indieweb.org/2020/01/indieweb-meetup-nyc-3Ss2mFU4CVfj so I'll look more after (or during) that
# [jgmac1106] swentel++
# sivy aaronpk is there a <link> version of u-image microformat? I don't want a pic of myself on every single page but want the author image discoverable
# sivy or can I just do <link class="u-image" href="...">
# sivy thanks
# sivy learning things is a hell of a rug :P
# sivy also, drug
# sivy <link class="u-photo" href="http://monkinetic.blog/static/images/sivy_avatar_256.png">
# sivy we'll see if that works
# sivy aaronpk - ahh ok
# aaronpk i would have expected to find it here, but this is very incomplete https://indieweb.org/authorship#How_to_publish
# aaronpk [dmitshur]: i just published an update here! thanks! https://indieauth.spec.indieweb.org/
# jamietanna[m] Re rebase strategy with GitHub - if there are multiple commits on a PR it's much harder to revert the whole thing at once, compared to a merge commit. I think for FOSS it makes more sense when you want to more easily pull things out
# [dmitshur] [aaronpk] Thank you so much for reviewing and merging! This is so cool to see 😄
# [dmitshur] Does anyone know if there is some spec that permits including the charset when using `application/json` content type?
# [dmitshur] According to https://www.ietf.org/rfc/rfc4627.txt there are no required nor optional parameters for it.
# [dmitshur] In contrast, https://www.iana.org/assignments/media-types/text/html defines `charset` as an optional parameter.
# [dmitshur] > Note: No "charset" parameter is defined for this registration.
# [dmitshur] However, I see that https://www.ietf.org/rfc/rfc4627.txt notes at the bottom:
# [dmitshur] > Adding one really has no effect on compliant recipients.
# [dmitshur] Thoughts on where I should look for what it takes to be a "compliant recipient"?
# [dmitshur] It's probably going to be whatever spec defines the Content-Type HTTP header; I should look for that.
# [dmitshur] It may be here: https://tools.ietf.org/html/rfc7231#section-3.1.1.1
# [dmitshur] yeah; the problem I'm working on resolving is I've started out being very strict in my implementation of IndieAuth client authz code verification (https://indieauth.spec.indieweb.org/#authorization-code-verification) and required Content-Type to match exactly "application/json". [schmarty] tried signing in via indieauth.net and another provider and found one was sending "application/json;charset=UTF-8" and another "application/json; charset=utf-8". before I relax my error checking, I want to find justification in a spec that says I must permit (and in this case, ignore) a charset parameter when media type is "application/json"
# jamietanna[m] !tell aaronpk https://github.com/aaronpk/XRay/pull/94 is fixed and ready for re-review :)
# Loqi aaronpk: jamietanna[m] left you a message 1 minute ago: https://github.com/aaronpk/XRay/pull/94 is fixed and ready for re-review :)
# [dmitshur] my personal strategy is different; I prioritize being strict about what I accept (i.e., when there's a spec, I choose to implement spec as is and not accept input that the spec doesn't allow), and reporting quality errors.
# [dmitshur] to encourage bad implementations to fix themselves and implement specs correctly.
# [dmitshur] I can't do this at work, but I can for my personal projects, because I prioritize correctness over number of users 😛
# [dmitshur] but I need to understand the spec before I can afford to be strict
# jamietanna[m] Dmitshur looking at the RFC for content-type it's allowed to have the charset. Maybe we can say something around allowing it to be a well-formed content-type including charset, but Schmarty's request was definitely valid! https://tools.ietf.org/html/rfc7231#section-3.1.1.1
# jamietanna[m] I hit this issue recently at work where a team was doing manual checking instead of letting it be picked up more efficiently by the HTTP library, but it's good to see more examples of issues with implementing, hopefully we can see if there's something we can do to clarify it?
# [KevinMarks] if they pass something other than utf8 will you reject it?
# aaronpk some examples of this confusion elsewhere: https://github.com/request/request/issues/383
# [KevinMarks] https://tools.ietf.org/html/rfc4627 section3 says work out encoding from the 1st 4 bytes. https://tools.ietf.org/html/rfc7159#page-9 omits this. Yay
# [LewisCowles] JSON to only ever have escaped unicode FTW
# [LewisCowles] https://portswigger.net/research/json-hijacking-for-the-modern-web was an interesting side-line from a github issue someone linked