#dev 2021-07-28

2021-07-28 UTC
lasr[m] joined the channel
# 01:58 
Ruxton aaronpk: I dont get window._sharedData  in my page.. but i see that's a recent change?
# 02:00 
Ruxton aaronpk: a recent change in your code that is.. I tried to build it around window.__initialData, but regardless the photo embed in the popup doesnt load in chrome due to cross-site and the micropub post doesnt work for same reason
# 02:05 
aaronpk let me see if there are some changes not checked in
# 02:06 
aaronpk it's still pulling the IG data for me. the image doesn't display but that's because instagram set CORS headers to block hotlinking. the URL still works tho and the micropub endpoint can download it
# 02:06 
aaronpk hm no it's all pushed up to github
# 02:07 
aaronpk make sure you visit an IG photo permalink, and reload the page when you're on the permalink. it probably won't work if the image is in that modal popup or if you've navigated around their SPA a while
# 02:08 
aaronpk that reminds me, i hadn't posted my last IG photo to my site yet, so that is done now
# 02:09 
aaronpk i'm on an instagram photo and I do see data in `window._sharedData` in the browser console too
# 02:16 
Ruxton sorry aaronpk, sharedData exists but PostPage is emty ;) https://imgur.com/a/W8saW1z
# 02:17 
aaronpk yeah try reloading on a permalink instead of navigating to one
# 02:18 
Ruxton yeah thats what i did
# 02:19 
aaronpk i wonder if you're getting a different version of the IG app than I am getting...
# 02:19 
aaronpk that variable exists for me when i visit a photo page
# 02:20 
Ruxton yeah I was thinking that when I saw your code change to use sharedData
# 02:20 
aaronpk https://i.imgur.com/Vt4KFjq.jpg
# 02:20 
aaronpk if that's the case then there is no hope for this
# 02:30 
Ruxton I got some ideas and am working on it
# 02:31 
aaronpk 👍
SamWilson[m], Seirdy and capjamesg joined the channel
# 08:44 
Murray[d] !tell Ruxton - just a thought, but it seems like some people have the ability to upload to Instagram atm. Based on the screenshot, aaronpk does not. I'm guessing Insta are experimenting with a new desktop interface (with uploads etc. enabled) so if you have that option it could be why things are different
# 08:44 
Loqi Ok, I'll tell them that when I see them next
# 08:45 
Ruxton nods cheers Murray[d] 
# 08:45 
Loqi Ruxton: Murray[d] left you a message 1 minute ago: - just a thought, but it seems like some people have the ability to upload to Instagram atm. Based on the screenshot, aaronpk does not. I'm guessing Insta are experimenting with a new desktop interface (with uploads etc. enabled) so if you have that option it could be why things are different
# 08:54 
Zegnat Ah, yeah, I have the "New Post" button in my desktop instagram
# 08:54 
Zegnat Have not tested it as of yet
# 11:00 
@GirelliGabriele Ever heard of #webmentions? I am trying to set them up on my Jekyll-based GitHub-hosted blog. #comingsoon
https://ggirelli.info/blog/2021/07/12/new-skin (twitter.com/_/status/1420338133997178880)
[Rose] joined the channel
# 11:35 
@GirelliGabriele Ever heard of #webmentions? I am trying to set them up on my #Jekyll-based #GitHub-hosted blog. #COMINGSOON 
https://ggirelli.info/blog/2021/07/28/webmentions (twitter.com/_/status/1420346923463151623)
# 12:00 
@GG91825661 ↩️ Webmention reply test :3 (twitter.com/_/status/1420352309964455938)
# 12:05 
@derhess ↩️ For this requirement checkout @indiewebcamp #webmention (https://indieweb.org/Webmention) implementations or #fediverse #ActivityPub protocol https://activitypub.rocks/ (twitter.com/_/status/1420354255513395204)
shoesNsocks1 and capjamesg joined the channel
# 14:55 
@petergoes ↩️ Site header and code examples:

https://www.petergoes.nl/blog/review-webmentions-before-publishing-with-github-actions/ (twitter.com/_/status/1420396597058449408)
# 15:06 
GWG Anyone up to any interesting dev stuff?
# 15:07 
sknebel not indieweb-related sadly :D
# 15:13 
GWG sknebel: My dreams exceed the time I have
# 15:14 
sknebel GWG: very much that
# 15:15 
vikanezrimaya <GWG "Anyone up to any interesting dev"> is fixing bugs considered interesting?
# 15:15 
GWG vikanezrimaya: It can be.
# 15:15 
GWG It depends on the bug
# 15:15 
vikanezrimaya it's more of a bug inside my brain but
# 15:16 
vikanezrimaya Kittybox reacts in an interesting way when I do `curl -d@-` with JSON and forget to set a content-type
# 15:16 
vikanezrimaya it completely ignores the JSON and sets it as a property name apparently, because curl defaults to doing form-encoded
# 15:17 
vikanezrimaya sometimes it's very funny to debug, especially when I'm rushing to fix a mistake I made when posting something with manually-crafted edit requests
# 15:17 
vikanezrimaya and I do a lot of manual posting with Micropub, so I've learned all the commands by heart and I could probably write a valid Micropub request with my eyes closed
# 15:18 
vikanezrimaya and I just often forget to send a content-type header
# 15:24 
GWG vikanezrimaya: If you can now do more...
# 15:24 
vikanezrimaya ?
# 15:24 
vikanezrimaya is that an english idiom or something?
# 15:24 
vikanezrimaya my brain is confused
# 15:25 
vikanezrimaya sorry
hendursaga joined the channel
# 15:28 
vikanezrimaya I think I need to make a tool which will help me with posting proper Micropub requests
# 15:28 
vikanezrimaya hmmmmm yeah I definitely need to do that
# 15:28 
vikanezrimaya something that could help me craft Micropub requests, for example, posting notes or replies
# 15:29 
vikanezrimaya or allow me to just dump a JSON file in there and properly send it
# 15:29 
vikanezrimaya I should also make it open-source
# 15:34 
GWG vikanezrimaya: If it makes your website better.
oodani and capjamesg joined the channel
# 17:02 
Rattroupe Does anyone have strong opinions on remember-me session tokens (for IndieAuth)?
# 17:03 
Rattroupe I added that to my own IndieAuth implementation but I'm having second thoughts
# 17:04 
Rattroupe More details here: https://blog.reiterate.app/software/2021/07/27/authorio-0-8-2-released/
# 17:14 
[snarfed] Rattroupe: the security concerns seem broadly similar to any consumer level SSO, eg “log in with google” etc. doesn’t seem much more dangerous or different
# 17:15 
[snarfed] (probably actually much *less* dangerous in practice, since there are so few IndieAuth-enabled services, especially that you have any sensitive data in)
# 17:15 
[snarfed] and also the threat model of an attacker with physical access to your laptop is pretty narrow. remote online attacks are the norm, physical device access is the rare exception
cadeyrn[d] joined the channel
# 17:35 
Rattroupe I am not a Security Expert so working with things like authentication makes me a little nervous
# 17:44 
[snarfed] good instinct! that’s the right way to feel. generally the answer is to not roll your own, at least for anything important
# 17:44 
[snarfed] learning by building things is useful too though! you can mitigate the risk by limiting what you put into anything IndieAuth-accessible. a step farther would be to only use your auth lib on a test or secondary site, instead of your main one
# 17:58 
vikanezrimaya <Rattroupe "Does anyone have strong opinions"> in my last production-grade IndieAuth setup I combined the password entry and the scope disclosure screen so that the user will **think** before they blindly accept the consequences
# 17:59 
vikanezrimaya I'd suggest keeping a list of apps that the user has already used at least ones (save redirect URIs maybe?) and requiring some form of authentication if an unknown app is trying to authenticate
KartikPrabhu joined the channel
# 18:00 
Rattroupe The authentication isn't completely automatic. Even if you have "Remember me" on, that only allows you to skip typing your password. You still have to click the "Sign in" button
# 18:01 
vikanezrimaya I know. But it's too easy to just blindly click "sign in"
# 18:01 
vikanezrimaya The password entry protects from that by encouraging the user to look over the scope list another time while their hands are clicking all over the keyboard
# 18:02 
vikanezrimaya in retrospect that was a good thing for me even though there aren't any malicious sites on IndieWeb
# 18:02 
Rattroupe So you recommend disabling remember-me on a per-site basis?
# 18:02 
vikanezrimaya Yes
# 18:02 
vikanezrimaya (maybe I should fix the lack of malice on IndieWeb, just as a proof-of-concept)
# 18:03 
Rattroupe That's an interesting suggestion. I'll put it on my todo list
# 18:03 
vikanezrimaya try some social engineering in a controlled environment, maybe trying to, let's say, present fake h-app to an authorization endpoint to trick the user into authenticating - it could've worked with one of my IndieAuth endpoint drafts...
# 18:04 
vikanezrimaya and then present it to the IndieWeb community as a public challenge, to design a UX that would prevent or make some of these attacks harder
justache joined the channel
# 18:50 
[schmarty] providing working proof-of-concepts for security issues and working with developers to fix them doesn't sound like malice.
# 18:51 
vikanezrimaya it's simulated malice
# 18:51 
vikanezrimaya simulating malicious entities for the greater good of the community
# 18:51 
vikanezrimaya pretending to be a villain!
# 18:51 
vikanezrimaya it's fun to think of it that way
# 18:52 
[schmarty] i disagree strongly with the sentiment that the indieweb community needs "desire to cause pain, injury, or distress to another"
# 18:53 
vikanezrimaya it needs to protect itself from it tho
# 18:53 
vikanezrimaya know thy enemy and all of that
# 18:55 
[schmarty] rather than reinforcing us-vs-them dynamics, i think working to uncover unintended behavior and help fix it should be approached from a harm-reduction standpoint.
# 18:55 
vikanezrimaya yeah
# 18:56 
[schmarty] ie - focus on the behavior and how to prevent it rather than ascribing feelings and intent to real-or-imagined adversaries
# 18:57 
vikanezrimaya then it could be titled as a test-suite of potential security holes or unexpected behavior resulting from unintended behaviors or spec deviations
# 18:58 
vikanezrimaya the usefulness stays the same anyway no matter how it's named
# 18:59 
[schmarty] 💯
# 19:00 
vikanezrimaya I imagine the UX being similar to, e.g. webmention.rocks - a collection of separate pages describing a flaw, an interactive test suite that can uncover the flaw and a list of suggestions to help mitigate it
# 19:01 
vikanezrimaya  * I imagine the UX being similar to, e.g. webmention.rocks - a collection of separate pages with each describing a flaw, an interactive test suite that can uncover the flaw and a list of suggestions to help mitigate it
# 19:05 
aaronpk that has been my plan for indieauth.rocks but i just haven't got around to building it yet
# 19:05 
aaronpk also providing different variations of things that are all valid
# 19:06 
aaronpk (e.g. all the redirect variations)
# 19:06 
aaronpk (although those became less important with one of the recent spec changes!)
KartikPrabhu joined the channel
# 20:12 
[snarfed] agreed, *.rocks are focused on spec compliance, but still useful examples. https://github.com/kbsriram/checkmention is a similar security-specific test suite for webmention
# 20:14 
aaronpk I'm also not opposed to putting some more features in the .rocks projects to test things other than spec compliance, that was just how they started because of the W3C process
# 20:16 
vikanezrimaya definitely consider putting something like an app pretending to be something else with h-app - because that might actually be dangerous
# 20:16 
vikanezrimaya an endpoint should never trust what an app says about itself besides the redirect URI
# 20:17 
vikanezrimaya i'd consider showing the redirect URI next to the "Allow" button
# 20:17 
vikanezrimaya this would obviously be a user-checked manual test
# 20:17 
vikanezrimaya but I think the endpoint should present an app's identity in an unambiguous way
# 20:17 
vikanezrimaya (did I write that word correctly?)
[fluffy] joined the channel
# 20:27 
[snarfed] h-app vs redirect URI spoofing seems similar to webmention source URL vs u-url spoofing, which we’ve thought through a fair amount
# 20:27 
[snarfed] both h-app and u-url have value, so we want to be able to use them, but not as trust anchors
# 20:27 
aaronpk Good analogy
# 20:27 
vikanezrimaya Yeah, I'm worried that the same is possible with IndieAuth
# 20:29 
aaronpk I thought the spec mentioned that but now I'm not finding it
# 20:29 
vikanezrimaya oops
# 20:29 
vikanezrimaya well, h-app is an unofficial extension, isn't it?
# 20:29 
vikanezrimaya makes sense it wouldn't be in the spec
# 20:30 
vikanezrimaya either way, any website could present a confusing h-app markup when being authenticated for with IndieAuth and therefore confuse the user into doing something unintended
# 20:30 
[snarfed] vikanezrimaya the good news is we have a decent consensus on how to avoid and/or handle u-url vs source url, and that probably applies to h-app vs redirect uri too
# 20:30 
vikanezrimaya yay
# 20:30 
Loqi does a happy dance!
# 20:30 
[snarfed] (haven’t found a decent writeup of that consensus on the wiki yet though)
# 20:32 
[snarfed] basically, use the human-friendly data, but also always show the trust anchor (ie redirect URI domain, source url domain) in a way that clearly indicates it is the trust anchor
# 20:32 
vikanezrimaya that's exactly what I wanted to suggest to mitigate the issue
# 20:32 
[snarfed] SSL cert display (including Common Name, etc) in browsers is probably a similar set of UX examples
# 20:32 
vikanezrimaya it's a good thing that this idea is already floating around
# 20:59 
[KevinMarks] hm aperture seems to be timing out trying to find tanteks feed
[tantek] joined the channel