#dev 2020-12-17

2020-12-17 UTC
[eddie], [snarfed], [tantek], NinjaTrappeur, djmoch, petermolnar, voxpelli, genehack, danyao, mattl, MylesBraithwaite, shrysr, sebsel, geoffo, ShadowKyogre, shoesNsocks, [schmarty], hirusi, [Kevin_Faaborg], gxt, schmudde, jeremycherfas, [jgmac1106] and [KevinMarks] joined the channel; ShadowKyogre left the channel
# 13:35 
@devgummibeer Thanks to @sebdedeyne and @freekmurze posts I know about http://webmentions.io and was able to add them to my own… https://twitter.com/i/web/status/1339559387220893696 (twitter.com/_/status/1339559387220893696)
jeremycherfas, [Murray], [Ana_Rodrigues], [jgmac1106], hirusi, geoffo, schmudde, jolvera, [chrisaldrich], [tw2113_Slack_], [snarfed], sp1ff, gxt, swentel, KartikPrabhu, nickodd, [pfefferle], shoesNsocks, shoesNsocks1 and [chrisaldrich]1 joined the channel; nickodd left the channel
# 20:16 
[snarfed] hey aaronpk did you think much about how to secure your OYG browser extension? i’m struggling with that for bridgy’s
# 20:16 
[snarfed] maybe doesn’t matter for you if yous is self-contained. bridgy’s won’t be, though, and i haven’t yet figured out how to prevent people from going under the covers and fabricating arbitrary responses
# 20:17 
[snarfed] wondering if i can reuse ideas from PKCE, but not sure how yet
[schmarty] joined the channel
# 20:45 
[snarfed] specifically, if the browser extension just fetches from IG and passes the fetched HTML/JSON on to Bridgy, the attack is to forge that IG HTML/JSON and send it directly to Bridgy
# 20:46 
[snarfed] i thought about trust on first use, ie give the client a token when they first send an IG profile to create a Bridgy account, but that’s just as easily forged
# 20:47 
[snarfed] the only reasonable defense i’ve come up with is to IndieAuth the user, check for bidirectional rel-me on IG, and then include the IndieAuth token in every request. ugh
# 21:01 
aaronpk oh huh, yeah i don't have that problem on mine because the user has to indieauth first anyway in order for the extension to be able to send the micropub request
# 21:04 
[snarfed] ok, so you don’t really care about validating the contents since they can only post to their own site
# 21:05 
[snarfed] sigh ok. lmk if you have any thoughts
# 21:11 
aaronpk yeah the worst someone can do is make the extension send stuff to their own website in my case
# 21:12 
aaronpk in your case I'd expect something similar, where the worst they could do is make bridgy send a webmention to their own site, but not to other sites
# 21:12 
[snarfed] ideally yes
# 21:12 
aaronpk do you make them sign in with anything on bridgy to set it up?
# 21:12 
[snarfed] technically bridgy already has a u-url that’s off domain, so the spoofing threat is no greater than spoofing directly on their own server, but in practice i think a bunch of people semi special case bridgy
# 21:12 
[snarfed] not yet, still deep in development. was hoping to avoid it, but based on this, i’ll probably have to
# 21:13 
aaronpk i guess even aside from the extension details, you'd probably want to avoid someone being able to set up webmentions for someone else's instagram account to arbitrary websites
# 21:15 
[snarfed] maybe. all of this “spoofing” via u-url is doable now independent of bridgy, but bridgy should hold higher standard due to its reputation
# 21:16 
aaronpk sorta, i think it's more about making sure bridgy can't be used to attack arbitrary websites
[tantek] joined the channel
# 21:17 
[snarfed] right, due to its current level of trust. since if the “attack” is just fabricating arbitrary responses with external u-urls on instagram.com, anyone can do that directly, without bridgy
[Rose], [KevinMarks], shoesNsocks, schmudde, [tw2113_Slack_] and [Raphael_Luckom] joined the channel
# 23:15 
@kkd WebmentionやMicropubに対応するWikiがほしい。Scrapbox対応してくれないだろうか？FedWikiにそういうプラグインつくってみようかな。。。その前にFedWikiちゃんと使わないといけないけど。 #indieweb (twitter.com/_/status/1339709822682472448)
[chrisaldrich] joined the channel