#dev 2021-07-28

2021-07-28 UTC
lasr[m] joined the channel
#
Ruxton
aaronpk: I don't get window._sharedData in my page... but I see that's a recent change?
#
Ruxton
aaronpk: a recent change in your code, that is... I tried to build it around window.__initialData, but regardless the photo embed in the popup doesn't load in Chrome due to cross-site restrictions and the Micropub post doesn't work for the same reason
#
aaronpk
let me see if there are some changes not checked in
#
aaronpk
it's still pulling the IG data for me. the image doesn't display but that's because Instagram set CORS headers to block hotlinking. the URL still works though and the Micropub endpoint can download it
#
aaronpk
hm no it's all pushed up to github
#
aaronpk
make sure you visit an IG photo permalink, and reload the page when you're on the permalink. it probably won't work if the image is in that modal popup or if you've navigated around their SPA a while
#
aaronpk
that reminds me, i hadn't posted my last IG photo to my site yet, so that is done now
#
aaronpk
i'm on an instagram photo and I do see data in `window._sharedData` in the browser console too
#
Ruxton
sorry aaronpk, sharedData exists but PostPage is empty ;) https://imgur.com/a/W8saW1z
#
aaronpk
yeah try reloading on a permalink instead of navigating to one
#
Ruxton
yeah that's what I did
#
aaronpk
i wonder if you're getting a different version of the IG app than I am getting...
#
aaronpk
that variable exists for me when i visit a photo page
#
Ruxton
yeah I was thinking that when I saw your code change to use sharedData
#
aaronpk
if that's the case then there is no hope for this
#
Ruxton
I got some ideas and am working on it
SamWilson[m], Seirdy and capjamesg joined the channel
#
Murray[d]
!tell Ruxton - just a thought, but it seems like some people have the ability to upload to Instagram atm. Based on the screenshot, aaronpk does not. I'm guessing Insta are experimenting with a new desktop interface (with uploads etc. enabled) so if you have that option it could be why things are different
#
Loqi
Ok, I'll tell them that when I see them next
#
Ruxton
*nods* cheers Murray[d]
#
Loqi
Ruxton: Murray[d] left you a message 1 minute ago: - just a thought, but it seems like some people have the ability to upload to Instagram atm. Based on the screenshot, aaronpk does not. I'm guessing Insta are experimenting with a new desktop interface (with uploads etc. enabled) so if you have that option it could be why things are different
#
Zegnat
Ah, yeah, I have the "New Post" button in my desktop instagram
#
Zegnat
Have not tested it as of yet
#
@GirelliGabriele
Ever heard of #webmentions? I am trying to set them up on my Jekyll-based GitHub-hosted blog. #comingsoon https://ggirelli.info/blog/2021/07/12/new-skin
(twitter.com/_/status/1420338133997178880)
[Rose] joined the channel
#
@GirelliGabriele
Ever heard of #webmentions? I am trying to set them up on my #Jekyll-based #GitHub-hosted blog. #COMINGSOON https://ggirelli.info/blog/2021/07/28/webmentions
(twitter.com/_/status/1420346923463151623)
#
@derhess
↩️ For this requirement checkout @indiewebcamp #webmention (https://indieweb.org/Webmention) implementations or #fediverse #ActivityPub protocol https://activitypub.rocks/
(twitter.com/_/status/1420354255513395204)
shoesNsocks1 and capjamesg joined the channel
#
GWG
Anyone up to any interesting dev stuff?
#
sknebel
not indieweb-related sadly :D
#
GWG
sknebel: My dreams exceed the time I have
#
sknebel
GWG: very much that
#
vikanezrimaya
<GWG "Anyone up to any interesting dev"> is fixing bugs considered interesting?
#
GWG
vikanezrimaya: It can be.
#
GWG
It depends on the bug
#
vikanezrimaya
it's more of a bug inside my brain but
#
vikanezrimaya
Kittybox reacts in an interesting way when I do `curl -d@-` with JSON and forget to set a content-type
#
vikanezrimaya
it completely ignores the JSON and sets it as a property name apparently, because curl defaults to doing form-encoded
#
vikanezrimaya
sometimes it's very funny to debug, especially when I'm rushing to fix a mistake I made when posting something with manually-crafted edit requests
#
vikanezrimaya
and I do a lot of manual posting with Micropub, so I've learned all the commands by heart and I could probably write a valid Micropub request with my eyes closed
#
vikanezrimaya
and I just often forget to send a content-type header
#
GWG
vikanezrimaya: If you can now do more...
#
vikanezrimaya
is that an english idiom or something?
#
vikanezrimaya
my brain is confused
hendursaga joined the channel
#
vikanezrimaya
I think I need to make a tool which will help me with posting proper Micropub requests
#
vikanezrimaya
hmmmmm yeah I definitely need to do that
#
vikanezrimaya
something that could help me craft Micropub requests, for example, posting notes or replies
#
vikanezrimaya
or allow me to just dump a JSON file in there and properly send it
#
vikanezrimaya
I should also make it open-source
#
GWG
vikanezrimaya: If it makes your website better.
oodani and capjamesg joined the channel
#
Rattroupe
Does anyone have strong opinions on remember-me session tokens (for IndieAuth)?
#
Rattroupe
I added that to my own IndieAuth implementation but I'm having second thoughts
#
[snarfed]
Rattroupe: the security concerns seem broadly similar to any consumer level SSO, eg “log in with google” etc. doesn’t seem much more dangerous or different
#
[snarfed]
(probably actually much *less* dangerous in practice, since there are so few IndieAuth-enabled services, especially that you have any sensitive data in)
#
[snarfed]
and also the threat model of an attacker with physical access to your laptop is pretty narrow. remote online attacks are the norm, physical device access is the rare exception
cadeyrn[d] joined the channel
#
Rattroupe
I am not a Security Expert so working with things like authentication makes me a little nervous
#
[snarfed]
good instinct! that’s the right way to feel. generally the answer is to not roll your own, at least for anything important
#
[snarfed]
learning by building things is useful too though! you can mitigate the risk by limiting what you put into anything IndieAuth-accessible. a step farther would be to only use your auth lib on a test or secondary site, instead of your main one
#
vikanezrimaya
<Rattroupe "Does anyone have strong opinions"> in my last production-grade IndieAuth setup I combined the password entry and the scope disclosure screen so that the user will **think** before they blindly accept the consequences
#
vikanezrimaya
I'd suggest keeping a list of apps that the user has already used at least once (save redirect URIs maybe?) and requiring some form of authentication if an unknown app is trying to authenticate
KartikPrabhu joined the channel
#
Rattroupe
The authentication isn't completely automatic. Even if you have "Remember me" on, that only allows you to skip typing your password. You still have to click the "Sign in" button
#
vikanezrimaya
I know. But it's too easy to just blindly click "sign in"
#
vikanezrimaya
The password entry protects from that by encouraging the user to look over the scope list another time while their hands are clicking all over the keyboard
#
vikanezrimaya
in retrospect that was a good thing for me even though there aren't any malicious sites on IndieWeb
#
Rattroupe
So you recommend disabling remember-me on a per-site basis?
#
vikanezrimaya
(maybe I should fix the lack of malice on IndieWeb, just as a proof-of-concept)
#
Rattroupe
That's an interesting suggestion. I'll put it on my todo list
#
vikanezrimaya
try some social engineering in a controlled environment, maybe trying to, let's say, present fake h-app to an authorization endpoint to trick the user into authenticating - it could've worked with one of my IndieAuth endpoint drafts...
#
vikanezrimaya
and then present it to the IndieWeb community as a public challenge, to design a UX that would prevent or make some of these attacks harder
justache joined the channel
#
[schmarty]
providing working proof-of-concepts for security issues and working with developers to fix them doesn't sound like malice.
#
vikanezrimaya
it's simulated malice
#
vikanezrimaya
simulating malicious entities for the greater good of the community
#
vikanezrimaya
pretending to be a villain!
#
vikanezrimaya
it's fun to think of it that way
#
[schmarty]
i disagree strongly with the sentiment that the indieweb community needs "desire to cause pain, injury, or distress to another"
#
vikanezrimaya
it needs to protect itself from it tho
#
vikanezrimaya
know thy enemy and all of that
#
[schmarty]
rather than reinforcing us-vs-them dynamics, i think working to uncover unintended behavior and help fix it should be approached from a harm-reduction standpoint.
#
[schmarty]
ie - focus on the behavior and how to prevent it rather than ascribing feelings and intent to real-or-imagined adversaries
#
vikanezrimaya
then it could be titled as a test-suite of potential security holes or unexpected behavior resulting from unintended behaviors or spec deviations
#
vikanezrimaya
the usefulness stays the same anyway no matter how it's named
#
vikanezrimaya
I imagine the UX being similar to, e.g. webmention.rocks - a collection of separate pages describing a flaw, an interactive test suite that can uncover the flaw and a list of suggestions to help mitigate it
#
vikanezrimaya
* I imagine the UX being similar to, e.g. webmention.rocks - a collection of separate pages with each describing a flaw, an interactive test suite that can uncover the flaw and a list of suggestions to help mitigate it
#
aaronpk
that has been my plan for indieauth.rocks but i just haven't got around to building it yet
#
aaronpk
also providing different variations of things that are all valid
#
aaronpk
(e.g. all the redirect variations)
#
aaronpk
(although those became less important with one of the recent spec changes!)
KartikPrabhu joined the channel
#
[snarfed]
agreed, *.rocks are focused on spec compliance, but still useful examples. https://github.com/kbsriram/checkmention is a similar security-specific test suite for webmention
#
aaronpk
I'm also not opposed to putting some more features in the .rocks projects to test things other than spec compliance, that was just how they started because of the W3C process
#
vikanezrimaya
definitely consider putting something like an app pretending to be something else with h-app - because that might actually be dangerous
#
vikanezrimaya
an endpoint should never trust what an app says about itself besides the redirect URI
#
vikanezrimaya
i'd consider showing the redirect URI next to the "Allow" button
#
vikanezrimaya
this would obviously be a user-checked manual test
#
vikanezrimaya
but I think the endpoint should present an app's identity in an unambiguous way
#
vikanezrimaya
(did I write that word correctly?)
[fluffy] joined the channel
#
[snarfed]
h-app vs redirect URI spoofing seems similar to webmention source URL vs u-url spoofing, which we’ve thought through a fair amount
#
[snarfed]
both h-app and u-url have value, so we want to be able to use them, but not as trust anchors
#
aaronpk
Good analogy
#
vikanezrimaya
Yeah, I'm worried that the same is possible with IndieAuth
#
aaronpk
I thought the spec mentioned that but now I'm not finding it
#
vikanezrimaya
well, h-app is an unofficial extension, isn't it?
#
vikanezrimaya
makes sense it wouldn't be in the spec
#
vikanezrimaya
either way, any website could present confusing h-app markup when a user is authenticating with IndieAuth and therefore confuse the user into doing something unintended
#
[snarfed]
vikanezrimaya the good news is we have a decent consensus on how to avoid and/or handle u-url vs source url, and that probably applies to h-app vs redirect uri too
#
Loqi
does a happy dance!
#
[snarfed]
(haven’t found a decent writeup of that consensus on the wiki yet though)
#
[snarfed]
basically, use the human-friendly data, but also always show the trust anchor (ie redirect URI domain, source url domain) in a way that clearly indicates it is the trust anchor
#
vikanezrimaya
that's exactly what I wanted to suggest to mitigate the issue
#
[snarfed]
SSL cert display (including Common Name, etc) in browsers is probably a similar set of UX examples
#
vikanezrimaya
it's a good thing that this idea is already floating around
#
[KevinMarks]
hm, Aperture seems to be timing out trying to find tantek's feed
[tantek] joined the channel