#dev 2023-06-02

2023-06-02 UTC
# 00:36 
gRegor https://xoxo.zone/@jamesid@mozilla.social/110470858340051874
gRegorLove_ joined the channel
# 00:49 
[tantek] Direct server-local link: https://mozilla.social/@jamesid/110470858327528256 — and I strongly encourage anyone that this appeals to apply! (feel free to DM me if you have any questions)
# 00:51 
superkuh All that wasted tech and attack surface just to replicate a fraction of what .html+cached images can do.
# 01:20 
epoch dunno if anyone here saw yet, but Web Share API became w3c recommendation. https://www.w3.org/blog/news/archives/9931
# 01:20 
Loqi [preview] The Web Applications Working Group has published Web Share API as a W3C Recommendation. This specification defines an API for sharing text, links and other content to an arbitrary destination of the user’s choice. The available share targets are no...
eitilt1 joined the channel
# 03:16 
epoch updates the wiki page about it
gerben, IWSlackGateway, [tantek], bterry, Xe, gRegor, srushe, vikanezrimaya, ancarda, eb, capjamesg, alecjonathon, wagle, holiday_medley and [KevinMarks] joined the channel
# 13:52 
capjamesg I need some security expertise.
# 13:52 
capjamesg I have built a tool (spa.js) that lets you turn a website into a SPA.
# 13:52 
capjamesg https://github.com/capjamesg/pwa.js/blob/main/pwa.js
[Murray] joined the channel
# 13:53 
capjamesg I was going to run an eval() on all JS that the script finds on your site so that JS on different pages can load when you click a link.
# 13:53 
vladimyr Not an expert but I can try :)
# 13:53 
capjamesg I can assume on my personal website that the JS is trusted since I put it there. But if a site has subpaths run by different services, spa.js may present problems?
# 13:54 
capjamesg Suppose I run jamesg.blog and I have jamesg.blog/wp/ that runs WordPress. If my WP is compromised and I have a SPA that runs scripts on the site, the parent jamesg.blog could also be compromised since it could load JS from /wp/.
# 13:54 
[KevinMarks] there's a lot of caeful sandboxing and execution contexts involved
# 13:54 
vladimyr What are you trying to achieve? Pre-execute scripts from other pages?
# 13:54 
capjamesg Yeah.
# 13:54 
vladimyr May I ask why?
# 13:55 
vladimyr I mean what's the motivation behind it
# 13:55 
capjamesg I want my website to be a SPA. But some pages have scripts that aren't rendered on every page. For example, my maps pages have scripts that only render on maps pages.
# 13:56 
capjamesg If the site is a SPA, I need a way to execute those scripts when I go on a map page, otherwise the page will not render.
# 13:56 
capjamesg [KevinMarks] say more?
# 13:56 
capjamesg Whitelisted route handling?
# 13:58 
[KevinMarks] there's a whole gamut of things you need to think about sandboxing https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
# 14:02 
vladimyr capjamesg: security-wise there is no issue in executing scripts from other pages you host cause attack surface is exactly the same as you navigated to that page
# 14:03 
vladimyr Also you just reinvented pjax
# 14:03 
vladimyr https://github.com/defunkt/jquery-pjax/blob/153262eda33e31119eabb97cd5f14365580a3b35/jquery.pjax.js#L734
# 14:05 
vladimyr ^ don't eval scripts, find all script tags and clone/recreate them inside host document
# 14:06 
capjamesg What about scripts without an src? <script>...</script>
# 15:06 
[tantek] SPA--
# 15:06 
Loqi SPA has -1 karma over the last year
[jacky] joined the channel
# 15:08 
[jacky] I have the wild idea of moving my filesystem for my site's backing into WebDav instead of some object storage setup
# 15:08 
[jacky] mainly to use something based on community standards
# 15:08 
[jacky] but there's an added benefit where I can slide in RSVPs and events automatically into a calendar
gnoo and Seirdy joined the channel
# 15:59 
IWDiscordRelay <c​apjamesg#4492> Why [tantek]?
# 16:01 
vladimyr Doesn't work with disabled js, transfers way more bytes over the wire than it is usually necessarily, often breaks back button and at the end of day not everything needs to be an app
# 16:01 
vladimyr Nothing wrong with plain old sites
# 16:02 
[tantek] vladimyr++
# 16:02 
Loqi vladimyr has 1 karma over the last year
# 16:02 
[tantek] what is a SPA
# 16:02 
Loqi A single-page application (SPA) is a web application or web site that fits on a single web page with the goal of providing a user experience similar to that of a desktop application https://indieweb.org/SPA
# 16:04 
aaronpk SPAs are best only if you actually need the features an SPA provides, which is it turns out not very often
[schmarty] joined the channel
# 16:04 
[schmarty] capjamesg: why do you want to make your site function as an SPA?
# 16:05 
[schmarty] several features of SPAs are available to regular websites!
# 16:09 
aaronpk Now I'm curious what you're referring to!
gRegor joined the channel
# 16:15 
[tantek] with decent service workers / offline support, you don't need to do anything "SPA" for like 99% of use-cases
# 16:16 
[jacky] htmx supremacy (haha)
# 16:16 
[tantek] proof by example: here's a "SPA" that needs zero SPA-tech: https://asin.cc/
# 16:16 
Loqi [preview] Tantek Çelik
# 16:16 
[tantek] yes it's very simple yet I think demonstrates the point
# 16:16 
[tantek] lol maybe I need an h-app there so Loqi has something better to say
# 16:17 
[tantek] I suppose I should make it "installable" now that iOS supports that
# 16:21 
[schmarty] yeah service workers covers many big features like offline and caching. adactio has done some good posts on this, including one apparent pro-SPA argument about "i need smooth transitions between pages" is getting browser support that should also work across pages. https://adactio.com/tags/spas
# 16:22 
Loqi [preview] [Jeremy Keith] Rich Harris: Hot takes on the web 🌶️ - YouTube
I don’t agree with all of these takes-of-varying-spiciness, but Rich Harris is always worth paying attention to.
# 16:29 
vladimyr [tantek]: this thing still has code on the backend too? I don't see where do you process asin query param clientside 🤔
# 16:31 
[tantek] vladimyr, yes it has literally the same computational code on the backend as the frontend. On the clientside (with JS) there is no need to generate a query param so there is no need to "process" it. The frontend short circuits that and just handles the form interaction directly and produces a result.
moose333 joined the channel
# 16:33 
vladimyr Same way that you've shortcircuited form submission you could read query param clientside and always do computation locally? 💡
# 16:34 
vladimyr Makes it truly offline first 🙃
# 16:43 
[tantek] inspired by petermolnar asking in #indieweb-chat do we need a "notrain" in addition to "noindex" for meta robots / robots.txt to communicate that site / content MUST not be used for training AI models?
# 16:44 
[tantek] though "notrain" may need disambiguation from "not rain"
# 16:44 
[tantek] or a better suggestion
# 16:45 
[schmarty] we have an RFC for websites that are teapots now let's figure out which websites are "rain"
# 16:47 
[tantek] vladimyr, read query param clientside could be interesting for "completeness" just to show it could be done, however it's not something you'd likely run into as the only UI path to generate a query param URL is to use the site w/o JS, and then load that query param URL sometime later *with* JS enabled
# 16:47 
[schmarty] i wonder how many ai training sets blatantly contain material that is marked as denied by robots.txt or noindex. a "new" spec without some kind of enforcement weight doesn't feel particularly useful given we already have tools.
# 16:49 
gRegor My first thought was "but I like 🚆" until I got to the AI bit
# 16:49 
[tantek] lol yes needs new name
# 16:49 
vladimyr [tantek]: what about bookmarklet?
# 16:50 
[tantek] vladimyr a bookmarklet can construct the url with "?asin="
# 16:50 
vladimyr That sounds like DNT happening all over again
# 16:50 
[tantek] without* "?asin="
# 16:50 
[tantek] try it
# 16:50 
gRegor What is DNT
# 16:50 
Loqi Do Not Track (also known as DNT) is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms https://indieweb.org/DNT
# 16:51 
[tantek] vladimyr, except that many companies that are training AIs already support robots.txt / noindex in general (in their crawlers, apps etc.) e.g. Google supports it both for search and things like Google Calendar crawling/subscribing
# 16:51 
[tantek] not all sure, but you'd cover the "big ones" at least
# 16:52 
[tantek] it would be a good incremental start
# 16:52 
[schmarty] what is Global Privacy Control?
# 16:52 
Loqi It looks like we don't have a page for "Global Privacy Control" yet. Would you like to create it? (Or just say "Global Privacy Control is ____", a sentence describing the term)
# 16:53 
[tantek] vladimyr, the suggestion is still interesting to me (to handle the query param client side explicitly as a "just in case"). I created a stub repo  feel free to file an issue requesting that! https://github.com/tantek/asin.cc/issues
# 16:53 
[schmarty] DNT << [https://globalprivacycontrol.org/ Global Privacy Control] (GPC) is a remarkably similar more recent spec.
# 16:53 
Loqi ok, I added "[https://globalprivacycontrol.org/ Global Privacy Control] (GPC) is a remarkably similar more recent spec." to the "See Also" section of /Do_Not_Track https://indieweb.org/wiki/index.php?diff=88131&oldid=68148 
# 16:54 
gRegor I see on there that Reddit dropped DNT support. Did it get dropped more widely or am I misremembering? Need to update the dfn?
# 16:55 
gRegor According to enwp doesn't have wide adoption. Apple discontinued it and Firefox still supports it in private browsing mode
# 16:57 
IWDiscordRelay <c​apjamesg#4492> [schmarty] I want to allow someone to take a video call while navigating between pages.
# 16:58 
[tantek] gRegor, yeah worth updating the DNT page and probably worth creating a GPC page to link to instead / see also
# 16:58 
[tantek] DNT is quite dead
# 16:58 
[schmarty] i did some reading on this when we implemented GPC at work for CCPA compliance. it seems like most sites just ignore DNT now for several reasons but mostly that it doesn't have teeth and the surveillance ad industry was like "what are you gonna do about it?"
# 16:58 
[schmarty] technically speaking GPC is nearly identical to DNT
# 16:59 
gRegor I'll let someone else more familiar give it a go. Linking to enwp could be useful too for more details.
# 16:59 
[schmarty] capjamesg: good luck; have fun! :zany_face:
# 17:01 
IWDiscordRelay <c​apjamesg#4492> angelo has this working!
# 17:02 
[tantek] has what working?
# 17:03 
IWDiscordRelay <c​apjamesg#4492> Video conferencing across pages via SPA.
# 17:04 
[tantek] the first time I saw that working was in another discord server. it was kinda surreal tbh
# 17:04 
[tantek] so that's a good 1% use-case then 🙂
# 17:05 
[tantek] SPA << Use-case: continuous uninterrupted seamless video conferencing even when navigating across "pages" on the same site
# 17:05 
Loqi ok, I added "Use-case: continuous uninterrupted seamless video conferencing even when navigating across "pages" on the same site" to the "See Also" section of /single-page_application https://indieweb.org/wiki/index.php?diff=88133&oldid=88127 
# 17:07 
vladimyr To broaden [schmarty]'s point here is what ublock origin's author says about GPC and possibility of ublock sending GPC signal by default https://reddit.com/comments/qlj2kl/comment/hj5j1zn?context=3
# 17:07 
[tantek] well well well there's apparently an ai.txt proposal for this
# 17:07 
[tantek] sigh
# 17:07 
[tantek] well-known << ai.txt: https://site.spawning.ai/spawning-ai-txt
# 17:07 
Loqi ok, I added "ai.txt: https://site.spawning.ai/spawning-ai-txt" to the "See Also" section of /well-known https://indieweb.org/wiki/index.php?diff=88134&oldid=87997 
# 17:08 
[tantek] nope nope nope. P3P--
# 17:08 
Loqi P3P has -1 karma over the last year
[snarfed] joined the channel
# 17:08 
[snarfed] never heard of GPC, but it sounds like P3P from ages ago?
# 17:08 
[tantek] GPC has zero RDF
# 17:08 
[schmarty] ahahaha
# 17:08 
Loqi [schmarty]: lol
# 17:09 
[schmarty] sorry, i worked on a P3P parsing project in academia years ago back when search engine API terms of service didn't forbid you from reranking search results.
# 17:10 
[schmarty] i don't recall even once encountering "RDF". at best sites just published a single `P3P` HTTP header with short tokens that we used as flags to indicate things they collected/shared.
# 17:11 
[tantek] lol ai.txt cook for your self fail
# 17:11 
[schmarty] (mostly sites just published an invalid P3P header so that IE would choke on it and allow third-party cookies)
# 17:11 
[tantek] well-known << ai.txt proposer ^ fails to implement it themselves, https://site.spawning.ai/ai.txt returns a 404
# 17:11 
Loqi ok, I added "ai.txt proposer ^ fails to implement it themselves, https://site.spawning.ai/ai.txt returns a 404" to the "See Also" section of /well-known https://indieweb.org/wiki/index.php?diff=88135&oldid=88134 
# 17:11 
gRegor Are we sure an AI didn't make that site?
# 17:12 
[tantek] well-known << another citation for launch of ai.txt: https://twitter.com/spawning_/status/1663635132761219073
# 17:12 
Loqi ok, I added "another citation for launch of ai.txt: https://twitter.com/spawning_/status/1663635132761219073" to the "See Also" section of /well-known https://indieweb.org/wiki/index.php?diff=88136&oldid=88135 
# 17:17 
[schmarty] the arguments around copyright and licensing to restrict use in AI training feels very muddy to me right now. i am not aware of anything like what petermolnar asked for, but i'd love a copyleft "if you train an AI on my data then you also have to release your training set and trained models freely" or other "poison pill" licenses. 😈
# 17:20 
[snarfed] in practice this sounds very vague and underdefined. spam filters are models. search indexing and ranking are models. link previews that guess which parts of your page are title and content are models. (meta tags notwithstanding.) locking them all out sounds like...overkill
# 17:25 
[tantek] right snarfed, there's "noindex" specifically for indexing, and thus it seems reasonable to pick something similarly discrete (specific) for "no LLM training" or perhaps "no neural net training" to generalize for media
# 17:26 
[tantek] that may impact some spam filters, though unlikely to impact all
# 17:30 
petermolnar I just want to lock out generative ais
# 17:30 
petermolnar Poisoning does sound fun, but locking out is better.
# 17:35 
[tantek] presumably for text, images, all media/content types?
# 18:00 
[tantek] anyone know if there is or has been a proposed "follow your nose" alternative to robots.txt? bonus points if there are any implementations
holiday_medley joined the channel
# 18:21 
superkuh I had "anthropic ai" useragent spend 3-4 days last week mirror my entire site. I threw in some documents specially for them.
# 18:21 
superkuh Came from amazon ec2 ip space.
# 18:21 
superkuh Like http://superkuh.com/library/MiscText/chicken.pdf
# 18:23 
[tantek] superkuh you've seen this right ... ?
# 18:23 
[tantek] what is chicken
# 18:23 
Loqi 🐔 chicken is a type of post supported by idno https://indieweb.org/chicken
# 18:24 
[tantek] feel free to add yourself https://indieweb.org/chicken#Indieweb_Examples 😂
# 18:47 
[jacky] ooh that's a good idea
# 18:47 
[jacky] tbh it's mean but I'd 100% make my site respond to known bad user agents
# 18:53 
[jacky] okay nvm about adding WebDav support
# 18:55 
gRegor haha
# 18:55 
gRegor ❌ WebDav ✔️ chicken
holiday_medley joined the channel
# 19:02 
[tantek] ^ needs Drake meme
# 19:05 
gRegor Considered it, but was lazy :D
mouse[d], IWDiscordRelay, petermolnar, holiday_medley and rubenwardy joined the channel
# 19:12 
[tantek] hence see #indieweb-chat 🙂
geoffo, mouse[d], capjamesg[d], Dr_DinoMight[d], rattroupe[d], kongaloosh[d], Silicon[d], shaunix[d], tracydurnell[d], darylsun[d], Favicon[d], IWDiscord, aaronpk[d], ms_boba[d], eddev[d], Grayson[d], IndieWebCamp_IRC, jacky[d], Ramon[d], Murray[d], Nezteb[d], angelo_, xyzzy[d], DJ_[dj_je][d], steinaech[d] and isellsoap[d] joined the channel
# 19:59 
aaronpk capjamesg: one of my thoughts that's been in the back of my mind for a while is to automatically generate a slug for my posts. Right now, I've been finding myself manually choosing slugs that are 1-2 words, based on the most significant words in the post
# 20:00 
capjamesg Oooh.
# 20:00 
aaronpk I noticed your tagline on linguist.link is "Find the most surprising words and most common n-grams on a web page" which is similar to how i've been thinking about doing it
# 20:01 
aaronpk i think my rough heuristic is: use a hashtag for the post if there's a hashtag in the text. then use the most unique proper noun.
# 20:01 
capjamesg https://linguist.link/?url=https://aaronparecki.com/2023/03/09/5/bluesky-and-oauth
# 20:01 
aaronpk if no proper noun, then use the most unique term
# 20:01 
aaronpk this searches only within the page right now tho right?
# 20:01 
capjamesg Yep.
# 20:01 
aaronpk right, so my thought is to use the entire set of my posts as the search space
# 20:03 
capjamesg I tried calculating surprisal (https://github.com/capjamesg/linguist.link/blob/main/readability.py#L50) on only my blog.
# 20:03 
capjamesg It didn't work too well.
# 20:03 
capjamesg "younger" for example was seen as a surprising word because I rarely used it.
# 20:03 
capjamesg It was a meaningful word in context, but not enough to be considered representative of the post content.
# 20:03 
aaronpk what if you prioritized searching only proper nouns first?
# 20:04 
capjamesg That could work.
# 20:04 
capjamesg I haven't tried that.
# 20:04 
capjamesg nltk does proper noun identification.
# 20:04 
capjamesg Process text -> find proper nouns -> chunk them (so "taylor" and "swift" become one, rather than two separate values), then use the most common proper nouns?
# 20:05 
capjamesg (brainstorming)
# 20:05 
aaronpk i've been thinking about this for a while, because basically every time i post something, i choose a slug for it, so i've been paying attention to my own rules I use for finding a slug that I want for the post
# 20:05 
aaronpk which actually sounds like an interesting ML training data set
geoffo joined the channel
# 20:54 
vladimyr Few days ago there was some chat about enwp.org Not sure how well known is it, but there is similar service for MDN docs mdn.io (source code: https://github.com/lazd/mdn.io)
# 20:54 
Loqi [preview] [lazd] mdn.io: The "I'm feeling lucky" URL shortener
# 20:55 
capjamesg Oh that's nice!
# 20:56 
vladimyr Lifesaver for quick api doc refreshers
# 21:38 
[Murray] [capjamesg] on the off change they're useful, RE: SPA-like abilities without a full SPA framework, I remember being intrigued by Turbo and Hotwire: https://turbo.hotwired.dev/ Not sure they work for your use-case, but may have some interesting ideas
# 21:39 
[KevinMarks] There's also https://mavo.io/
# 21:42 
[Murray] Oh wow I had not heard about this, definitely interesting!
ahappydeath, [benatwork] and gxt__ joined the channel
# 22:21 
[tantek] what is Mavo
# 22:21 
Loqi It looks like we don't have a page for "Mavo" yet. Would you like to create it? (Or just say "Mavo is ____", a sentence describing the term)
# 22:22 
[tantek] huh I thought we had a page on it
# 22:23 
[tantek] Mavo is definitely very interesting & clever. I don't know if it got much adoption / deployment though. Also the test suite link in the footer returns a 404
# 22:23 
Loqi ok
# 22:23 
[tantek] oop
# 22:23 
[tantek] s
IWSlackGateway joined the channel