#dev 2020-01-25

2020-01-25 UTC
[tantek] joined the channel
#
[tantek]
Happy 2nd birthday (yesterday!) to W3C WebSub Recommendation, ActivityPub Recommendation, and IndieAuth Note!
jenelizabeth, superjen96, jjuran, tsrt^, chrisaldrich, [Michael_Beckwit, VinceG, VinceGhi, olivia, gRegorLove, nickodd, Giske and [dmitshur] joined the channel
#
[dmitshur]
for RelMeAuth (http://microformats.org/wiki/RelMeAuth), is it true that the rel=me link must be inside the body of an HTTP response (as part of the HTML), and there isn't a way to have a rel=me link included in HTTP headers?
#
Loqi
RelMeAuth is a proposed open standard for using rel-me links to profiles on OAuth supporting services to authenticate via either those profiles or your own site. RelMeAuth is the technology behind web-sign-in. Editor Tantek Çelik (http://tante...
swentel, gxt, Giske and [tantek] joined the channel
#
[tantek]
Yes. We never added http header support, no usecases
[KevinMarks], [jgmac1106], jeremych_, TGiske and Nuve joined the channel
#
jamietanna[m]
!tell snarfed if I were to omit links to bridgy publish to Twitter, would I still receive webmentions for responses to it? Or would it no longer work as it's not replying / liking / etc that post?
#
Loqi
Ok, I'll tell them that when I see them next
[jgmac1106]1 joined the channel
[KevinMarks] and [tantek] joined the channel
#
[tantek]
jamietanna[m] Publish and backfeed are independent. you don't need links to bridgy publish for backfeed to work. in fact you can *only* sign up for backfeed if you like!
#
jamietanna[m]
Tantek yep that makes sense. I'm thinking more for the case where I syndicate a post to Twitter and want to have backfeed for any interactions, but want to remove the post URL from the tweet as it's a little uglier than just the plain tweet content
#
swentel
I added a rel="feed" link tag to the homepage
#
swentel
and works fine
[jgmac1106], krychu, KartikPrabhu and nickodd joined the channel
#
[jgmac1106]
What is video?
#
Loqi
video is a type of post where the primary content is a video file (recorded movie, animation etc.) typically with audio, and has growing support on the indie web https://indieweb.org/video
#
[jgmac1106]
no examples with captions on that page
#
@IanGray99282359
↩️ Mini-Huygens type, or curiosity dangler spangler, or wide track rover for ice moons...kinetic dart from orbit to open hole for microsub..
(twitter.com/_/status/1221095594414039043)
[snarfed] joined the channel
#
[snarfed]
thanks swentel tantek! jamietanna they got it right, hope that helped
#
Loqi
[snarfed]: jamietanna[m] left you a message 3 hours, 20 minutes ago: if I were to omit links to bridgy publish to Twitter, would I still receive webmentions for responses to it? Or would it no longer work as it's not replying / liking / etc that post?
#
jamietanna[m]
Thanks folks. Does that then expect that the `u-syndication` is the direct link to the syndicated content? If so I don't currently have that available so would need to implement first
[KevinMarks] joined the channel
#
[snarfed]
jamietanna right, either backlink in the silo post or u-syndication in the original post on your site
[dmitshur] joined the channel
#
[dmitshur]
> Yes. We never added http header support
#
[dmitshur]
[tantek] Thank you for confirming.
#
[dmitshur]
> no usecases
#
[dmitshur]
Have you considered the case of reducing the potential damage of forgetting to sanitize user-posted content on the page you use for signing in (via RelMeAuth)? If someone manages to inject a rel=me link, there’s a greater chance they can sign in via your domain unintentionally. Requiring bidirectional account linking helps reduce that risk, but so does moving/copying rel=me links from body to headers.
#
[dmitshur]
Just wondering if this was considered in the past or not yet.
jeremych_ joined the channel
#
[dmitshur]
Whoops, bidirectional linking doesn’t help, since if they can inject a rel=me link that’s used, they can point to any OAuth provider they control and link it back to victim’s site.
#
[snarfed]
if you don't sanitize user-generated HTML that you render on your site, you have a ton of problems besides this one
#
[snarfed]
i think we'd encourage sanitizing to fix the root cause, instead of band-aids like this that address only one of many symptoms, and add complexity to a simple existing protocol to do it
nickodd joined the channel
#
[snarfed]
not to mention adding header support isn't enough, you'd probably also need to _drop_ rel=me link support, which would be a (probably unacceptable) breaking change
#
[dmitshur]
it’s possible to sanitize everything but forget to strip rel attributes from links. IndieAuth has support for putting authorization endpoint link in headers.
#
[snarfed]
i don't really have an opinion on whether to add header support to relmeauth. it's just a poor substitute for sanitizing user input, including rel links
#
[snarfed]
as a data point, the experience we've seen in the wild here with endpoint discovery is that everyone starts with just extracting them from HTML. later, only a subset of those people eventually extract them from headers too, and many get tripped up on parsing the Link: header
#
[dmitshur]
As long as headers take precedence over body, it may still help to be able to do that, because it’s easier to secure one’s http headers compared to a large dynamic page that changes more over time.
#
[dmitshur]
However, it won’t help people who don’t actively use their url for relmeauth. Only ones who use it actively and want to use a mechanism that is easier to have higher confidence in not having a hole.
#
[dmitshur]
Anyway, I’m not proposing any changes, I’m just collecting information for now. :)
#
[snarfed]
:thumbsup:
#
[snarfed]
tantek, kevinmarks, aaronpk, etc have decades of experience helping publishers support standards like these. simple generally wins. they're usually not deeply experienced engineers, so "small" (to us) differences in technical req'ts or capabilities really do make a difference
#
[snarfed]
also, one point that's been consistently convincing is that shared hosting providers often let you control your HTML but not (entirely) HTTP headers, and we have tons of people on shared hosts
#
[dmitshur]
Good points. I do think it’s very important to balance ease of use and security, because if something is easy to use insecurely, it can be a disservice and lead to unhappy compromised users.
#
[dmitshur]
As more data points:
#
[dmitshur]
• the IndieAuth client code I’ve written (and plan to publish as open source after finishing code review) implements looking at headers before body, that was one of the first things I wanted to implement correctly per spec.
#
[dmitshur]
• My current site uses links in <head> for both relme to GitHub and rel=authorization_endpoint, but I now plan to move the IndieAuth endpoint link into headers after thinking through the trade-offs. I can do this because indieauth supports it. I wish I could do it for relmeauth too but so far that’s not an option.
jjuran joined the channel
#
GWG
I am thinking about playing with relmeauth
#
aaronpk
[dmitshur]: i'm looking through your IndieAuth PR now
#
[dmitshur]
woohoo, thanks. looking forward to review comments.
chrisaldrich joined the channel
#
aaronpk
some of these are essentially typo fixes and i'd like to be able to merge those separately
#
[dmitshur]
yep, that's commits 2 and 3
#
GWG
There's an IndieAuth PR?
#
GWG
goes to look
#
aaronpk
ok actually i'll just leave review notes on this one
#
[dmitshur]
want me to break them out into a standalone PR? or 2 PRs? whatever is easier for you. I'm also fine if you just cherry-pick them into master.
#
[dmitshur]
GWG it's just typo fixes/terminology clarifications. https://github.com/indieweb/indieauth/pull/37/commits
#
GWG
Okay
#
GWG
I have been playing with IndieAuth fixes
#
GWG
I put in a PR to restore remote IndieAuth endpoint support, which I'd pulled previously
#
GWG
I am trying to figure out what considerations one should have when you declare an authorization endpoint on your site that is not part of said site.
#
aaronpk
[dmitshur]: ok i think i just have one real comment. added some notes to the PR
krychu joined the channel
#
[dmitshur]
I'm wondering, are you planning to merge the PR (when we get there) via rebase strategy? I'd like the commit messages of individual commits to be preserved rather than squashed into one blob.
#
[dmitshur]
so is it okay that I just rewrite history and force push the PR with an updated commit? (sorry, I'm really used to Gerrit's ability to send individual commits as separate CLs, and struggling to replicate that workflow with GitHub PRs lol)
#
aaronpk
i don't like rebasing
#
aaronpk
so if you want to change the commit messages you can just force push new commits
#
sivy
good am indieweb-dev
#
sivy
[KevinMarks]: thanks for the mention.tech link, I’ll check it out
#
[dmitshur]
so you plan to use "merge commit" strategy, right?
#
aaronpk
i forget what it's called but all the commit messages stay there
#
aaronpk
is not very good at git
#
sivy
that’s a simple merge
#
sivy
versus rebase (take HEAD and apply change in sequence over top) or squash (merge all changes into one commit, applied to HEAD)
#
sivy
hm, might port cassis auto_link code to Go one of these days (not today :) )
sivy_ joined the channel
#
[dmitshur]
I personally enjoy the strategy of having individual commits (of high quality, after code review) rebased on top, without any merge commits. it makes reading git history a pleasure without the noise of "Merge pull request #58 from codec-abc/patch-1" commits.
#
sivy
Anyone know if webmention.rocks supports updating mentions?
#
sivy
I've been working on my "source" page to figure out what is needed for nice mention previews to appear
#
aaronpk
yeah it should handle that fine
#
aaronpk
there's update tests too
#
aaronpk
like testing whether you support handling updated webmentions
#
aaronpk
but for the ones you're sending, if you re-send it to webmention.rocks it updates the existing one too
KartikPrabhu joined the channel
#
sivy
then I need to check my source
#
sivy
that's the page i'm using as my "source"
#
Loqi
[Webmention Rocks!] Discovery Test #1
#
aaronpk
here's a tutorial i wrote that slowly builds up a nice looking webmention reply by sending updates each time you make a change https://aaronparecki.com/2018/06/30/11/your-first-webmention
#
Loqi
[Aaron Parecki] Sending your First Webmention from Scratch
#
sivy
oh nice, thanks!
#
aaronpk
i just sent one manually to https://webmention.rocks/test/4 and it has your name showing up now
#
Loqi
[Webmention Rocks!] Discovery Test #4
#
sivy
nice, looking at the tutorial now too
#
aaronpk
wow i thought i had some limit of how much of a comment i show on my posts, but there's a super long reply from chrisaldrich on that post and it's a bit excessive
#
GWG
aaronpk: Another discussion there... how do you trim your replies?
#
aaronpk
i apparently don't
#
sivy
apparently deciding how much of a post to show is a common problem - I've been fighting some with what to do in my cross-posting code in goldfrog
#
aaronpk
i did make a change a while ago to show only the name of the post if there is a name, so i don't show any text of full blog posts as comments anymore
#
sivy
to the point that I'm almost ready to support wordpress-style <!--break--> comments
#
aaronpk
but if it's just a "note" then right now i guess i show the full text, which is fine for short notes, but when someone posts a "note" with multiple paragraphs then it's a bit weird
#
aaronpk
i swear i thought i had some code in there that decides to show only some number of paragraphs tho
#
sivy
yeah, "note" is hard to grok right now, especially as mastodon supports long 500+ character posts, and i'd like to take advantage in some cases
#
aaronpk
what is a note?
#
Loqi
A note is a post that is typically short unstructured* plain text, written & posted quickly, that has its own permalink page https://indieweb.org/note
#
aaronpk
it's also the sort of fallback case if a post doesn't match any other type in post type discovery
#
aaronpk
if the post has a "name" property, then it's an article... etc etc etc... else it's a note
#
sivy
note v. article on monkinetic: http://monkinetic.blog/2020/01/23/
#
sivy
yeah goldfrog uses no-title v. has-title as well
#
[dmitshur]
[aaronpk] I've addressed your existing comments. I gotta head out for https://events.indieweb.org/2020/01/indieweb-meetup-nyc-3Ss2mFU4CVfj so I'll look more after (or during) that
#
aaronpk
great!
#
GWG
I am thinking about it as one of my many projects is improving webmentions
#
GWG
wonders why he keeps jumping from thing to thing
TGiske, petermolnar, KartikPrabhu and [jgmac1106] joined the channel
#
[jgmac1106]
swentel++
#
Loqi
swentel has 20 karma in this channel over the last year (33 in all channels)
jjuran and [tantek] joined the channel
#
sivy
aaronpk is there a <link> version of u-image microformat? I don't want a pic of myself on every single page but want the author image discoverable
#
sivy
or can i just do <link class="u-image" href="...">
#
aaronpk
Microformats doesn't care about what html tag you use
#
aaronpk
you can do that or <data>, or you can have your author property of the h-entry actually just link to your home page that has the image on it
#
sivy
thanks
#
sivy
learning things is a hell of a rug :P
#
sivy
also, drug
#
sivy
<link class="u-photo" href="http://monkinetic.blog/static/images/sivy_avatar_256.png">
#
sivy
we'll see if that works
#
aaronpk
It does need to be inside the html element containing the h-card class still, I don't remember what HTML says about where <link> tags can live, but also it probably doesn't matter too much anyway cause browsers are very forgiving
KartikPrabhu, [schmarty], gRegorLove and [KevinMarks] joined the channel
#
sivy
aaronpk - ahh ok
nsh joined the channel
#
aaronpk
hm i thought we had this advice written somewhere
#
aaronpk
i would have expected to find it here, but this is very incomplete https://indieweb.org/authorship#How_to_publish
#
aaronpk
it just occurred to me that i should link to indieauth.net from the old indieauth.com site 🤦
#
aaronpk
cause indieauth.com is still the first search result for indieauth
sivy-phone joined the channel
#
aaronpk
and people still mistake indieauth.com for the whole concept of indieauth
#
GWG
aaronpk: How is your plan to deprecate indieauth.com?
#
aaronpk
indielogin.com is stable though so that's good news
#
aaronpk
but i need to come up with some way for other people to use it in their projects. i'm trying to make some form of developer registration system for it
#
GWG
aaronpk: What do I do for WordPress though?
#
aaronpk
for what?
#
GWG
aaronpk: If I want to support people who don't want to use my endpoint?
#
aaronpk
which case specifically? cause there are like 8 different things people want
#
GWG
aaronpk: They want to be able to use Micropub with their site, but they don't want auth built in
#
GWG
Oddly enough, often because they conflate IndieAuth with the delegated login indieauth.com does
#
aaronpk
i am still confused why someone would want that
#
aaronpk
there are fewer moving parts when it's all built in to the site, less setup, less different UIs they encounter when using it, etc
#
GWG
aaronpk: Me too
#
aaronpk
IMO you should push back and just not support that case
#
GWG
I think when they see the WordPress login, they get confused about what's going on.
#
aaronpk
that said, the question of whether someone wants to log in to their own wordpress site with a wordpress password or external twitter/github thing is a completely separate issue
#
GWG
aaronpk: I'm bringing remote endpoints back for a use case requested, which is to support a single IndieAuth endpoint for multiple WordPress sites.
#
GWG
aaronpk: I agree.
#
aaronpk
but the indieauth authorization part which shows the requested scopes and such should stay built in to wordpress
#
GWG
Also, I need to allow my token endpoint to issue tokens for non-remote sources to support Auto Auth
#
GWG
non-local, excuse me.
#
aaronpk
yes that is also a separate thing
[jeremycherfas] joined the channel
#
GWG
aaronpk: That's why I was asking about delegating your authorization endpoint. The request to have a single endpoint handling multiple WordPress sites.
#
aaronpk
that wasn't my understanding of the request
#
aaronpk
i thought it was about wanting to log in to one wordpress site by using accounts that live in the other
#
GWG
aaronpk: There are several different ones
#
GWG
For example, there are people who just don't want to self-host it.
#
GWG
There's another group I want to be more aggressive with...people who install it who don't use HTTPS
#
GWG
Then there is a group who wants to only host/manage one for multiple sites.
#
aaronpk
this is why i suggested writing out all of the use cases on that wiki page, otherwise it's a lot to try to remember every time a discussion happens
#
GWG
I had that request most recently from someone who wanted to have their Yarns Microsub plugin on a subdomain to keep their bookmarks separate.
#
GWG
Also probably means Micropub should support mp-destination... though how that would work with separate installs of WordPress I'm not sure
#
GWG
Also, just as surprised as you that someone doesn't want to use the built-in endpoint. Although I have a lot of things I do want to do to enhance it.
#
GWG
I've been reading OAuth RFCs and the IndieAuth spec for things I missed
#
aaronpk
speaking of oauth, i really need to catch up on my oauth work
#
GWG
I'm looking at this use case. But instead of a rel=me link to Twitter and Github, it's rel=me between the user url on the group site and the single site.
#
aaronpk
i think the rel=me is complicating things
#
aaronpk
i don't think you gain anything by using it in this case, and you're better off defining the links internally on both sites
#
aaronpk
[dmitshur]: i just published an update here! thanks! https://indieauth.spec.indieweb.org/
#
Loqi
[Aaron Parecki] IndieAuth
#
GWG
aaronpk: What do you mean by internally?
#
aaronpk
GWG: like both sides should already know that information and i don't think you need the actual rel=me link in the HTML for it to work
swentel joined the channel
#
jamietanna[m]
Re rebase strategy with GitHub - if there are multiple commits on a PR it's much harder to revert the whole thing at once, compared to a merge commit. I think for FOSS it makes more sense when you want to more easily pull things out
[dmitshur] joined the channel
#
[dmitshur]
[aaronpk] Thank you so much for reviewing and merging! This is so cool to see 😄
#
[dmitshur]
Does anyone know if there is some spec that permits including the charset when using `application/json` content type?
#
[dmitshur]
According to https://www.ietf.org/rfc/rfc4627.txt there are no required nor optional parameters for it.
#
[dmitshur]
In contrast, https://www.iana.org/assignments/media-types/text/html defines `charset` as an optional parameter.
#
[dmitshur]
> Note: No "charset" parameter is defined for this registration.
#
[dmitshur]
However, I see that https://www.ietf.org/rfc/rfc4627.txt notes at the bottom:
#
[dmitshur]
> Adding one really has no effect on compliant recipients.
#
[dmitshur]
Thoughts on where I should look for what it takes to be a "compliant recipient"?
#
[dmitshur]
It's probably going to be whatever spec defines the Content-Type HTTP header; I should look for that.
#
aaronpk
I think that's because JSON encoding is always UTF-8
#
[dmitshur]
yeah; the problem I'm working on resolving is I've started out being very strict in my implementation of IndieAuth client authz code verification (https://indieauth.spec.indieweb.org/#authorization-code-verification) and required Content-Type to match exactly "application/json". [schmarty] tried signing in via indieauth.net and another provider and found one was sending "application/json;charset=UTF-8" and another "application/json;
#
[dmitshur]
charset=utf-8". before I relax my error checking, I want to find justification in a spec that says I must permit (and in this case, ignore) a charset parameter when media type is "application/json"
#
jamietanna[m]
!tell aaronpk https://github.com/aaronpk/XRay/pull/94 is fixed and ready for re-review :)
#
Loqi
Ok, I'll tell them that when I see them next
#
Loqi
[jamietanna] #94 Add support for parsing MF2 JSON
#
aaronpk
[dmitshur]: i think this goes back to the idea of being liberal in what you expect. technically it's incorrect to send a charset with a content type of application/json. so that implies you should ignore the charset when recognizing the content type
#
Loqi
aaronpk: jamietanna[m] left you a message 1 minute ago: https://github.com/aaronpk/XRay/pull/94 is fixed and ready for re-review :)
#
[dmitshur]
my personal strategy is different; I prioritize being strict about what I accept (i.e., when there's a spec, I choose to implement spec as is and not accept input that the spec doesn't allow), and reporting quality errors.
#
[dmitshur]
to encourage bad implementations to fix themselves and implement specs correctly.
#
[dmitshur]
I can't do this at work, but I can for my personal projects, because I prioritize correctness over number of users 😛
#
[dmitshur]
but I need to understand the spec before I can afford to be strict
krychu and jenelizabeth joined the channel
#
jamietanna[m]
Dmitshur looking at the RFC for content-type it's allowed to have the charset. Maybe we can say something around allowing it to be a well-formed content-type including charset, but Schmarty's request was definitely valid! https://tools.ietf.org/html/rfc7231#section-3.1.1.1
#
jamietanna[m]
I hit this issue recently at work where a team was doing manual checking instead of letting it be picked up more efficiently by the HTTP library, but it's good to see more examples of issues with implementing, hopefully we can see if there's something we can do to clarify it?
[KevinMarks] joined the channel
#
[KevinMarks]
if they pass something other than utf8 will you reject it?
superjen96 joined the channel
#
aaronpk
some examples of this confusion elsewhere: https://github.com/request/request/issues/383
#
Loqi
[thesmart] #383 add "charset=utf-8" to content-type "application/json"
#
Loqi
[jweboy] #928 When I set header to 'application/json; charset=utf-8', I got TypeError with payload.
clhendricksbc joined the channel
#
aaronpk
jamietanna[m]: awesome thanks, i'll take a look hopefully a bit later today
#
[KevinMarks]
https://tools.ietf.org/html/rfc4627 section 3 says work out encoding from the 1st 4 bytes. https://tools.ietf.org/html/rfc7159#page-9 omits this. Yay
[tantek], chrisaldrich, krychu, Mabo and [LewisCowles] joined the channel; nickodd left the channel
#
[LewisCowles]
JSON to only ever have escaped unicode FTW
[Michael_Beckwit joined the channel
#
[LewisCowles]
https://portswigger.net/research/json-hijacking-for-the-modern-web was an interesting side-line from a github issue someone linked