#dev 2022-01-19

2022-01-19 UTC
jacky and Matt[m] joined the channel
# 00:22 
[tantek] I mean sure I have a separate favico.ico thing too but very little uses it
# 00:23 
[tantek] legacy only
# 00:23 
aaronpk i don't think i would call browsers legacy just yet :P
JBritSteele joined the channel
# 00:38 
[tantek] hah
# 00:51 
[snarfed] ^ all the different avatar/icon options are fun, but it's worth emphasizing that browsers and webmention receivers each have their own rules (algorithms) for finding the favicon/profile picture that they should display for a given site/author, right? https://en.wikipedia.org/wiki/Favicon#Standardization and https://microformats.org/wiki/representative-h-card-parsing , respectively
# 00:52 
[snarfed] (compliance is always imperfect, but still)
KartikPrabhu, KartikPrabhu1, Seirdy, jacky, jessealama and [tonz] joined the channel
# 06:28 
[tonz] I’m writing a small personal micropub client in php. I use it to post to my WordPress Micropub endpoint, to create entries. I send posts to the end point as form-urlencoded. Things go fine unless the html content contains an SVG statement. Whenever an SVG statement is in the submitted HTML for the h-entry, the end point returns a 403 error. Is there something in the Micropub spec that explains this? Any top of head suggestions for
# 06:28 
[tonz] things to check / look into? I’ll ask in #indieweb-wordpress about the micropub plugin specific things that might play a role.
# 06:29 
GWG [tonz]: WordPress might be forbidding it due it's restrictions on side loading svga
# 06:29 
GWG SVG files
# 06:29 
GWG I've never tested that
# 06:30 
GWG If you could open an issue with the HTML... I'll experiment
# 06:56 
Ruxton the filetype checker is broken, there's a super old request to fix it in core
# 06:57 
Ruxton i poked the contributor working on it and he updated the patch a few months ago but it's not getting pulled in
# 06:57 
Ruxton https://core.trac.wordpress.org/ticket/30377
# 06:58 
Ruxton https://core.trac.wordpress.org/ticket/54244
# 06:59 
Ruxton if i remember correctly, this happened for me mostly when using the media upload endpoint
# 07:00 
Ruxton i went tore through the micrpub plugin trying to find the issue only to find it was in core and known about for SEVEN YEARS
# 07:01 
Ruxton i think it just needs someone to review it so it can go into core :(
jessealama joined the channel
# 07:50 
[tonz] @GWG I’m not loading an SVG _file,_ there is a <SVG></SVG> statement in the html POSTed e.g. “This is some text <SVG></SVG> this is more text” fails (with or without the path info etc). In fact the mere presence of “<SVG” somewhere in the html makes it fail.
# 08:04 
[tonz] added an issue to be sure. https://github.com/indieweb/wordpress-micropub/issues/272
# 08:06 
Ruxton ohhh
# 08:53 
Ruxton super odd, [tonz] i can't recreate that :/
# 08:53 
Ruxton I just tested a few variations of it and they all went in :/
# 08:59 
[tonz] can I mail you my script. Maybe it is in the way I build up the call to the endpoint? Or post it somewhere?
typ1cal_c0ffxe3 joined the channel
# 09:44 
[tonz] Added the php code used to the issue
# 11:00 
@CodeFoodPixels ↩️ It's all done with webmentions! I wrote a post about that here:

https://lukeb.co.uk/blog/2021/03/15/no-comment-adding-webmentions-to-my-site/ (twitter.com/_/status/1483755546553593857)
Tommy1, tetov-irc, jacky and Loqi joined the channel
# 14:17 
jacky once I figure out this date-based cursor pagination thing, I'm def writing a post
# 14:17 
jacky I know this is a common-ish thing
# 14:20 
[KevinMarks]1 yes, it's one of those tricky edge case things always
Guest6 joined the channel
# 14:37 
[KevinMarks]1 it's a similar case to etag/LastModified in that you want to be handing the server a token that identifies the boundary you last saw rather than an offset into the list, so it can handle the case when the list has changed
# 14:43 
[KevinMarks]1 trickier when the sort order isn't date though.
# 14:43 
capjamesg[d] jacky I really struggled with date-based cursor pagination. I resorted to using DB IDs instead. They probably shouldn't be autoincremented but oh well since I'm just building for me right now.
Seb[d] and KartikPrabhu joined the channel
# 15:22 
Zegnat capjamesg[d]: what is wrong with auto-incrementing IDs? As long as you either a/ do not make it possible to load data using those IDs, or b/ only have publicly accessible content so you do not care about enumeration attacks, those seem perfectly fine to me?
# 15:30 
[aciccarello] capjamesg[d] Nice article on setting up the PWA metadata. Now you just need to get a service worker setup with a share target 😁
# 15:30 
[aciccarello] https://web.dev/web-share-target/
# 15:33 
[aciccarello] I guess you don't even need a service worker for share target.
# 15:33 
capjamesg[d] The web share targets confuse me. What do they allow me to do?
# 15:35 
capjamesg[d] Oh I see.
# 15:35 
capjamesg[d] I wonder if it works on Firefox iOS.
# 15:36 
petermolnar what is webactions?
# 15:36 
Loqi A web action is the interface and user experience of taking a specific discrete action, across the web, from one site to another site or application https://indieweb.org/webactions
P1000[d] joined the channel
# 16:31 
aaronpk the web push api was way easier to deal with than i expected
# 16:32 
aaronpk i think i was confusing it with the older non-standard versions which required getting API keys from google and such
# 17:17 
aaronpk also i just realized the real reason all these sites are adding notifications... when the site registers for notifications it returns essentially a unique identifier for that browser, and it's the same identifier if the user returns later
# 17:17 
aaronpk which basically means it's the ultimate tracking cookie without using cookies
# 17:18 
[tantek]1 uh really? that seems worth posting something about if that's true. has someone done that analysis / testing?
# 17:18 
[tantek]1 e.g. does it cross private-browsing barriers?
# 17:18 
aaronpk chrome disables notifications in incognito mode
# 17:20 
aaronpk it's also unique to the site, so it's not like you can correlate users between different websites
# 17:20 
aaronpk but it's basically a persistent identifier for a browser-and-website pair that doesn't require storing cookies
# 17:20 
[aciccarello] Does it generate that even without the user allowing notifications?
# 17:21 
aaronpk no of course not
# 17:24 
[aciccarello] Oh, okay. I assumed it was always just for increasing traffic. Either way it's annoying how it's abused.
# 17:25 
aaronpk yeah me too. but then once i saw this it makes much more sense
# 17:30 
[tantek]1 uh aaronpk re: "it's also unique to the site, so it's not like you can correlate users between different websites" that's not how "different websites" get around that. 1 - there are domains owned by the same entity that share info on the backend. 2 - there is adtech that asks domains to provide identifiers that they can then correlate on the backend.
# 17:32 
aaronpk i mean by itself
# 17:33 
aaronpk now i am curious what happens if one domain iframes in a notification request from another domain
# 17:49 
aaronpk lol welp, you can definitely rig that up
# 17:50 
aaronpk adtech co runs a browser notification service, gets customers to include some code on their site to request notifications, adtech co can correlate users across all their customers domains
# 17:53 
[tantek]1 uh that's worth at least a brief blog post
# 17:55 
[snarfed] I'd be curious to see numbers on notification opt in. obviously a bigger deal if it's eg ~50% vs ~5%
# 17:57 
aaronpk thankfully there's lots of stats on that cause it's big business :)
# 17:57 
[snarfed] I figured. useful!
# 17:58 
[snarfed] I also wonder how it changes if the domain in the prompt isn't the site you're on, ie it's the shared ad tech domain. maybe not much if "users don't read," but still, curious
# 17:58 
aaronpk some quick searching is turning up numbers like 10-12%
sp1ff joined the channel
# 17:59 
[snarfed] yup, so not a silver bullet third party cookie substitute, but definitely could be one more fingerprinting tool in the toolbox
# 17:59 
aaronpk oh interesting, one minor detail
# 17:59 
[snarfed] (if the domain thing doesn't reduce those numbers too much, which it very well may)
# 18:00 
aaronpk i don't get the prompt unless i visit the actual domain that's requesting the permission
# 18:00 
aaronpk but if i've already granted permission, then the re-registration works from when it's in an iframe
# 18:01 
aaronpk so that basically kills that idea
# 18:01 
[snarfed] yup. good find
JBritSteele joined the channel
# 18:10 
[tantek]1 right, that makes sense. iframes can't request notifications
# 18:10 
aaronpk yeah it's weird tho because the same code that shows the notification request *can* run in the iframe, it just results in a failure unless you've already accepted permission
# 18:12 
sknebel do you need to run the register code? cant you query the state of the existing subscription?
# 18:13 
aaronpk yeah looks like there is a method to check the status https://developer.mozilla.org/en-US/docs/Web/API/PushManager#methods
# 18:14 
sknebel and the "runs but fails" kind of makes sense, thats the usual design around those. you can try and get told "no" if the prompt can't be made for whatever reason
# 18:19 
[tantek]1 exactly
JBritSteele and jacky joined the channel
# 20:29 
capjamesg[d] What is a service worker?
# 20:29 
Loqi service workers are scripts that run in the background, separate from tabs with the site open, and are commonly used for offline functionality and push notifications https://indieweb.org/service_worker
# 20:29 
capjamesg[d] What would an offline feed reader look like?
# 20:30 
capjamesg[d] The reader would have to save any interactions you want to make and then send them when you connect to the internet.
# 20:30 
aaronpk seems reasonable
# 20:30 
capjamesg[d] And maybe make your feed and notification pages accessible. But only your first 20 entries or so.
# 20:31 
capjamesg[d] And maybe allow for posting but those changes will be synced when you connect to the internet.
# 20:31 
capjamesg[d] I don’t know much about service workers so I think I have quite the learning journey ahead.
# 20:32 
capjamesg[d] How does Quill do it aaronpk?
# 20:32 
aaronpk good question
# 20:32 
aaronpk i think i made that when i was first learning about service workers
# 20:32 
aaronpk IIRC the editor page is entirely cached and usable offline. but the post button doesn't do anything unless you're online
# 20:33 
aaronpk and it only supports one active draft, so it's not a full featured offline editor
# 21:00 
[tantek]1 capjamesg[d], offline feed reader? you mean like nearly every podcast listening app?
maxwelljoslyn[d] joined the channel
# 21:14 
capjamesg[d] [tantek] Very true!
# 21:15 
capjamesg[d] I’m thinking about this from a Microsub perspective though.
# 21:15 
[tantek]1 not sure why people treat audio and text consumption differently in terms of offline
# 21:15 
capjamesg[d] So I would need to support saving posts locally.
# 21:15 
aaronpk also presumably thinking about this from more than just the consumption side
# 21:15 
capjamesg[d] Yes. I understand the consumption side.
# 21:17 
[tantek]1 from the user experience side yes
# 21:17 
[tantek]1 people seem to "get" that their audio should be available offline but are willing to tolerate latency, delays, network foo to read text?
# 21:18 
capjamesg[d] I have never used a service worker before so I’m trying to piece together the best first steps in my mind.
# 21:18 
capjamesg[d] I think I’ll try and serve a page a user has visited from cache first and then figure out the rest once I have done that.
# 21:19 
capjamesg[d] It looks like adactio has written a book on service workers too!
# 21:20 
capjamesg[d] https://cdn.discordapp.com/attachments/866577430886350869/933470884973412443/IMG_2606.png
# 21:20 
capjamesg[d] [tantek] by the way, I updated my feed reader interface to include navigation similar to Instagram:
# 21:20 
capjamesg[d] Still work to do but it’s a start.
# 21:24 
[tantek]1 capjamesg[d] I implemented a relatively minimal Service Worker during IWC SF
# 21:24 
[tantek]1 pretty sure my notes about it are there in the session description or maybe a link to the blog post
# 21:27 
capjamesg[d] What did you use it for?
# 21:28 
capjamesg[d] Oh I see your example on the service worker page. Exciting!
# 21:36 
[aciccarello] I've used service workers mostly for providing offline caching and occasionally request intercepting.
# 21:38 
capjamesg[d] Hm. I have just read that you can’t save data to local storage in a service worker…
# 21:40 
[aciccarello] No you can't but there is a caching api
Osvik[d] joined the channel
# 21:50 
@moondeerdotblog Updated plugin-conversation (aside from the README) to utilize Sass style parameters and statically fetched JSON feeds. These two comments happen to be reply tweets bounced over by http://Brid.gy: https://github.com/moonbuck/plugin-conversation (twitter.com/_/status/1483918542944800777)
jacky and strugee joined the channel
# 22:52 
[aciccarello] This library is really useful for PWA caching https://developers.google.com/web/tools/workbox/
# 23:00 
[snarfed] capjamesg you may be interested in https://snarfed.org/posting-to-the-indieweb-from-your-phone, old and hand wavy and micropub only but similar ideas
# 23:04 
[snarfed] and [tantek] is right, offline support should be expected in readers, and fortunately most big feed readers' mobile apps have had it for a while now, it's pretty common
# 23:05 
[snarfed] probably less so on web, if only because PWAs themselves are rare, much less offline support
tetov-irc joined the channel
# 23:30 
[aciccarello] PWA install experience is still sub-optimal unfortunately
# 23:34 
[tantek]1 it's not really well specified from an ecosystem perspective tbh