#dev 2023-06-17

2023-06-17 UTC
tei_1, gRegorLove_ and tei_ joined the channel
# 05:51 
[tantek] As I was saying about Google buying gTLDs then leaving the domain names business: https://twitter.com/swiftonsecurity/status/1669549218858516480
# 06:00 
vladimyr They are innovative company, there wasn't simply any more room for innovation in that space left /s
# 08:11 
epoch how terrible of an idea would it be for there to be a browser API to get a user's "fediverse account" with javascript?
# 08:14 
vladimyr wdym by getting user's fediverde account? Which user?
# 08:14 
epoch the user using the browser
# 08:14 
epoch a string like @user@host
# 08:15 
vladimyr Um, that assumes user should input their fedi account into browser settings? 🤔
# 08:15 
epoch like now the nostr plugin works
# 08:16 
vladimyr You mean nostr signer extensions holding your private key and exposing signing api?
# 08:16 
epoch sure, but it wouldn't have to do all that
# 08:17 
epoch the simples thing that nostr extension does is just provide an interface for supplying your public key to javascript that asks for it
# 08:18 
epoch like, I figure, a more flexible interface would be preferred
# 08:18 
vladimyr And you want to build something similar providing what exactly to js?
# 08:19 
epoch a little function that asks me if I want to let a website have access to my @user@host
# 08:20 
epoch having it remember my premissions preference would be preferable
# 08:20 
vladimyr Oh you mean literally something like window.fedi.getAccount()
# 08:20 
epoch yep
win0err joined the channel
# 08:21 
epoch I recently learned how to use the userscripts hammer and am seeing nails
# 08:21 
vladimyr Hmm, sounds interesting but I'm not sure what value it brings to the table, trying to think possible scenarios in which user would benefit from js knowing their fedi acc...
# 08:22 
vladimyr Maybe it could improve follow flow where you need to provide your instance?
# 08:22 
epoch fetching webfinger then redirecting them to their configured ostatus follow url template filled in
# 08:22 
epoch yep
# 08:22 
epoch if the api doesn't exist, fallback to just asking for it in a prompt
# 08:23 
vladimyr You basically read my mind, as soon as you mentioned it I thought this is great usecase for userscript :)
# 08:24 
epoch but, preferably, there'd be some standard api to do this instead of me making up something
# 08:24 
vladimyr I'd say this is something worth discussing through FEP https://codeberg.org/fediverse/fep
# 08:25 
vladimyr But it would be nice if you open a discussion with working PoC implemented as userscript or webext
# 08:25 
epoch oooooh. I hadn't heard of FEPs before.
# 08:26 
epoch yeah, I'll let this channel give me crap about this idea before I start pestering other people with it.
# 08:27 
epoch returning an actor URI instead of an @user@host might be better
# 08:27 
epoch or some other method of just providing a json object that can accomodate for any data the user might want a website to have?
# 08:27 
epoch guess permissions would get a little fuzzy there though
# 08:28 
epoch too wide or too narrow, someone will not like it
# 08:28 
vladimyr Permissions could work the same way as mic/cam/geo permissions work
# 08:29 
vladimyr Make it a popup asking user to let given site access their data and provide that neat checkbox to remember their choice
# 08:29 
epoch but for a random json blob that could contain any data, people might want more than "allow" and "disallow" per site
# 08:29 
epoch site, making it fairly narrow scope is probably better
# 08:29 
epoch so*
# 08:30 
vladimyr Don't go too wide, provide just fedi account uri
# 08:30 
vladimyr I honestly wonder why didn't somebody already do exactly that
# 08:30 
vladimyr Especially when there is nostr example setting precedent
# 08:32 
epoch I know there's been some discussion on this kind of stuff before, I just don't remember where
# 08:32 
epoch probably some mastodon issue
# 08:32 
vladimyr OT but lack of code search on codeberg is becoming really annoying
# 08:34 
epoch https://socialhub.activitypub.rocks/t/what-is-the-current-spec-for-remote-follow/2020/7 here's a negative view on the subject
# 08:35 
epoch "another way would be via custom-schemes [...]"
# 08:35 
epoch that's what I'm using now for myself, but those URLs don't work for anyone else :P
# 08:36 
epoch (also, their example bothers me because the action is in the authority section of the url)
# 08:37 
vladimyr My /supersmart/ way of checking whether there are any clientside related FEPs returned zero results https://dezip.org/v1/9/https/codeberg.org/fediverse/fep/archive/d3cd04d8a88ca8b61e4071d73712739efd870098.tar.gz/?search=window
# 08:38 
epoch nice
# 08:39 
epoch having templates for actions other than follow would be handy too
# 08:39 
epoch but, one thing at a time I guess
# 08:40 
vladimyr Um I didn't exactly interpret that discussion same as you did
# 08:40 
epoch if I was going to do that though, I'd have a rel in the webfinger response for each of the activity types in the ap spec
# 08:41 
epoch "I would strongly suggest to not use Remote Follow or try to replicate it’s behavior as it works like phishing: Stating your account on another platform and hopefully being sent to your actual instance for the Follow."
# 08:42 
vladimyr I don't think they'll be opposed to clientside solution cause it should (at least in theory) sound less like phishing than simply inputting your handle into some 3rd party form 🤔
# 08:42 
epoch that is a decent point against doing remote follow that way
# 08:43 
epoch but when you click something it could always redirect you to somewhere that looks like your instance and asks for your password
# 08:43 
vladimyr Also you can always flip things by not providing handle to the site but instead letting site call your api which would generate follow url and do the redirect
# 08:44 
epoch heh. send a follow-request-request ?
# 08:44 
vladimyr something like window.fedi.follow(handle)
# 08:45 
vladimyr Resulting in js driven redirect to your instance with provided remote handle
# 08:45 
vladimyr How does that sound?
# 08:45 
epoch yeah. providing the actions that way seems safer
# 08:46 
vladimyr Basically similar what that nostr nip prescribes
# 08:46 
vladimyr Expose sing/verify actions instead of direct access to pkey
# 08:46 
epoch require that the functions in the fedi object be triggered by a user event similar to how the webshare API requires it for share()
# 08:47 
epoch so a site can't just spam you with automated follow()s
# 08:47 
vladimyr Which is relatively easy to check inside js
# 08:48 
vladimyr Excellent point
# 08:48 
epoch hrm. where should the configuration of the templates be?
# 08:48 
epoch could keep it in webfinger
# 08:48 
epoch have the extension as your home server what the template is
# 08:48 
epoch ask*
# 08:49 
epoch that way users won't have to fiddle with that, they just set their identity url
# 08:49 
vladimyr Or fallback to local ext/script settings
# 08:49 
epoch maybe let local settings override instead?
# 08:50 
epoch default of fallback to webfinger settings... cached a sane amount
# 08:50 
vladimyr Sure? I generally like your way of thinking and making it as painless as possible for users to configure it
# 08:50 
vladimyr Does this thing work for outsiders 🙃
# 08:51 
vladimyr epoch++
# 08:51 
Loqi epoch has 3 karma in this channel over the last year (4 in all channels)
# 08:51 
epoch if webfinger doesn't say anything... I dunno
# 08:52 
vladimyr If webfinger doesn't say anything do nothing?
# 08:52 
vladimyr Or throw error
# 08:52 
vladimyr In any case I'd say it's graceful degradation
# 08:53 
epoch push the important data into clipboard and message about it?
# 08:53 
epoch so they can paste into the "search" bar in their home instance
# 08:54 
vladimyr Maybe but I'd avoid messing with clipboard too cause that again is privacy icky
# 08:56 
vladimyr Um going afk but let me know if you code something up so I can offer my very valuable contributions :P
# 08:56 
epoch o7
# 08:58 
epoch heh. my tampermonkey plugin is shitting the bed
ben_thatmustbeme joined the channel
# 09:08 
epoch I just had to turn the add-on off and on again.
# 09:20 
c​apjamesg Has anyone done any research into content provenance?
# 09:20 
epoch looks up what that means
# 09:29 
c​apjamesg What I have read thus far focuses more on signing documents.
IWSlackGateway, win0err, voxpelli, Loqi and Seirdy joined the channel
# 12:46 
vladimyr @epoch: regarding remote follow and implementing it using custom schemas here is interesting discussion including pointers to prior art https://codeberg.org/fediverse/fediverse-ideas/issues/1
[tantek], tei_, tei_1, eitilt1, [schmarty], epoch, revi and gRegor joined the channel
# 19:26 
gRegor [snarfed], I'm doing some debugging on my site and wondering if the `fed.brid.gy/convert/*` URLs are short-lived? I had some errors with webmentions on my site and re-trying some BF source URLs they're 404 now.
# 19:27 
gRegor Example https://fed.brid.gy/convert/activitypub/web/https://mstdn.social/users/fae2535/statuses/110475750879970925, original post is still published
[snarfed] joined the channel
# 20:32 
[snarfed] gRegor argh no, bug on my side, sorry! will fix
[tw2113_Slack_] joined the channel
# 21:06 
[snarfed] gRegor fixed, thanks for reporting!
[fluffy], mretka, [aciccarello], ahappydeath and bterry joined the channel