#dev 2024-05-16

2024-05-16 UTC
#
aaronpk
ok i think i got it
#
aaronpk
GWG if you want some light reading ^^
#
GWG
I'm putting together an ODroid H4+, but while I'm installing the software...yes
#
aaronpk
Should be a complete guide to both the IndieAuth server and client implementation
ttybitnik joined the channel
#
[schmarty]
aaronpk++ exciting!
#
Loqi
aaronpk has 42 karma in this channel over the last year (125 in all channels)
#
aaronpk
now i'm wondering if i could set up a fedcm proxy service that uses your existing indieauth server ... could be the fastest way to bootstrap this here
#
[schmarty]
aaronpk: i think this is a typo in the new page? the "IdP config file" section lists the url `http://login.example.com/.well-known/web-identity` but i think that should be `http://login.example.com/fedcm/config.json` to match the example from the previous section?
#
aaronpk
checking...
#
aaronpk
correct
#
[schmarty]
woohoo, reading comprehension! 😂 thanks for the fix!
#
Loqi
giggles
#
aaronpk
ok this is live on actual webmention.io now
#
aaronpk
next i'm going to see what it would take to build a fedcm proxy service where you bring your own indieauth endpoint
#
aaronpk
maybe i will call it Fridgy
geoffo, [aciccarello] and gRegor joined the channel
#
aaronpk
Well *I* thought it was funny
#
gRegor
lol, seconded :D
jacky, [0x3b0b], [Al_Abut] and geoffo joined the channel
#
pcarrier
aaronpk[d] "This MUST be at the eTLD+1, and cannot be at a subdomain." <--- which spec causes that to be true? it's a bummer
geoffo, barnaby and bterry joined the channel
#
[tantek]
Hahahahaha Fridgy++
#
Loqi
Fridgy has 1 karma over the last year
#
Loqi
nice
#
sandra
I found out why the rel alternate thing doesn't work on Akkoma: https://github.com/Chocobozzz/PeerTube/issues/6389#issuecomment-2114654659
barnaby joined the channel
#
[tantek]
I’m suspicious of the "security concerns", rel=alternate has been an established part of the web platform long before Akkoma, ActivityPub, or Mastodon were even a glimmer in anyone's eye
#
[tantek]
If someone can't cite an actual working example exploit then I'm calling bs
[Murray] joined the channel
#
capjamesg
Maybe this was already discussed, but ATP has a paper summarising its architecture and position in the broader social web ecosystem: https://arxiv.org/pdf/2402.03239
[tantek] joined the channel
#
[tantek]
what is ATP?
#
Loqi
It looks like we don't have a page for "ATP" yet. Would you like to create it? (Or just say "ATP is ____", a sentence describing the term)
#
[tantek]
what is pdf;dr?
#
Loqi
pdf;dr is when you avoid clicking a link because it's a PDF https://indieweb.org/pdf;dr
[Ros] joined the channel
#
aaronpk
pcarrier: that's a requirement from the FedCM spec. It's to prevent IdPs from essentially using infinite subdomains to track users. A lot of the motivation of this spec is preventing tracking that is currently being done with 3rd party cookies and long redirect chains.
#
pcarrier
Changed the signature derivation logic @ found.at, now even if you use the same password for multiple pages there's no trace of that. Privacyyy
#
pcarrier
(I include the path in the salt, instead of just the hostname)
Guest6 and [Scout] joined the channel
#
ryokagriffin
asking here because I don't keep up with stuff as much as I should - is there an alternative to cookies when it comes to storing a non-authenticated user preference (ie. theme choice) long term?
#
ryokagriffin
No local storage either, zero javascript.
#
aaronpk
no javascript? that leaves cookies
#
[Murray]
Was going to suggest local storage, guess not. If you're not wanting to use _any_ JS then I think the answer is basically no. You can do a decent amount using URL parameters, which could be hardcoded. I know people have experimented with entire to-do apps and things built entirely into URLs
#
ryokagriffin
Yeah my only cookieless option I can think of is rendering every in-page URL with a parameter that determines the theme, but this wouldn't survive search or bookmarks if preferences changed anyway.
#
ryokagriffin
I was pretty sure cookies was the only option but I might've missed some magical new fangled thing everyone is using that I didn't know about 🙂
#
[Murray]
Nah, cookies or local storage for something like that 😉
#
[Joe_Crawford]
And the time where one could use the limited storage of Adobe Flash is long in the past. https://www.macromedia.com/support/documentation/en/flashplayer/help/help02.html#117121
#
[Joe_Crawford]
(Kind of an insidious loophole)
#
ryokagriffin
haha I'm all for insidious loopholes, but not flash based ones
#
pcarrier
what's wrong with cookies here?
#
cophee
im late to the party but the new 11ty image transform plugin seems awesome!!!
#
pcarrier
not asking what's wrong with cookies in general, but if you want to persist something for the server to see…
#
ryokagriffin
Nothing wrong with cookies, just occurred to me that there might be an alternative
#
pcarrier
yup cookies are it
#
ryokagriffin
thought as much. thanks everyone 🙂
#
[Joe_Crawford]
Browser fingerprinting is another mechanism—the sequence would be to collect every possible variable that is specific to the visitor and call that matrix of values unique identifiability. This falls down as browsers update, IP address changes, people use multiple devices, so you’d have to have a plan for changes to parts of the data. You’d also need to capture that client side with JS and send it to a server during the session and
#
[Joe_Crawford]
it serve as a pseudo cookie.
#
pcarrier
yeah I was gonna suggest fingerprinting, but without JS not much to be done
#
pcarrier
you can see exactly how much by copying your request as eg cURL in the dev tools
#
pcarrier
basically user agent, language preferences, IP address which are fairly bad signals (multiple users per IP and multiple IPs per user, user agent changes with updates)
#
pcarrier
even JS fingerprinting sees serious limits, like the display size changes with orientation, plugging and unplugging external displays, etc.
#
ryokagriffin
that's a funky idea, using profiling. Themes: One little cookie vs thousands of lines of advertiser-oriented code to loosely determine and track an individual
#
ryokagriffin
I was wondering if there was anything neat I could do with cached data or something, though this would involve javascript. Something like randomise the favicon then parse the cached one to determine uniqueness
#
ryokagriffin
(this is entirely theoretical, I'm going with the cookie option, but it's fun to think about)
#
[Joe_Crawford]
localStorage is the other common option. I’m not familiar enough with navigator.storage / StorageManager API to know enough about how it works—it seems like it might be a synonym for localStorage but I could be dead wrong.
jacky and gerben joined the channel
#
aaronpk
curious about people's thoughts on this: https://github.com/fedidcg/FedCM/issues/585
#
aaronpk
in particular [snarfed]
#
Loqi
[preview] [aaronpk] #585 Allow IdP registration and RPs to match on a "type"
Guest6_, [jeremycherfas] and [snarfed] joined the channel
#
[snarfed]
aaronpk++ hell yes!
#
Loqi
aaronpk has 43 karma in this channel over the last year (126 in all channels)
#
[snarfed]
the type registry question is a fair one. I don't know the answer, and I know there's a ton of prior art and understanding of whether/when to use a registry vs let the commons evolve, how to avoid dupes and manage overlapping types, etc
#
[snarfed]
regardless, love it
Guest6, jeremycherfas, jacky, petermolnar, sebbu2, rjomara580, ancarda, chenghiz__, Guest1350_, vikanezrimaya, eb, mcepl, Saphire, capjamesg, roxwize, oxtyped, amyiscoolz, streety and RapidRotator joined the channel
#
aaronpk
well that's an idea, could an indieauth server use the HTTP Origin header as the client_id instead of having the client pass in its URL? https://github.com/fedidcg/FedCM/issues/586
#
capjamesg
Does anyone use 11ty? I have a page where I'm trying to render a title dynamically, but it shows up as the templated text in the page title tag.
[Paul_Robert_Ll] joined the channel
#
[Paul_Robert_Ll]
Try:
#
[Paul_Robert_Ll]
```
"renderData": {
  "eleventyComputed": {
    "title": "{{ airport.name | safe }}",
  }
}
```
#
[Paul_Robert_Ll]
Or perhaps even just:
#
[Paul_Robert_Ll]
```
"eleventyComputed": {
  "title": "{{ airport.name | safe }}",
}
```
gRegor joined the channel
#
capjamesg
[Paul_Robert_Ll] It is still not working 😦
#
[Joe_Crawford]
would the existing `<h1>{{ airport.name | safe }}</h1>` also need to be replaced with `<h1>{{ title }}</h1>` ?
#
capjamesg
I think it should be okay?
#
capjamesg
It's the <title> tag that's causing the problem.
#
[Joe_Crawford]
I see I see. Sorry. I've only toyed with 11ty.
#
[Joe_Crawford]
I see that `og:title` is also empty.
#
[Paul_Robert_Ll]
Similar bug reported here: https://github.com/11ty/eleventy-base-blog/issues/15
#
capjamesg
PRs are welcome!
#
[Paul_Robert_Ll]
If possible, I wouldn’t have the `safe` filter in data, but in your template
#
capjamesg
I added that to see if it would help. It didn't.
#
[Paul_Robert_Ll]
Looks like you might have some illegal characters in that part of the file
#
capjamesg
I copy-pasted from Discord.
#
capjamesg
Good to know I shouldn't do that.
#
[Paul_Robert_Ll]
This works:
#
[Paul_Robert_Ll]
```
...
"noHero": true,
"eleventyComputed": {
  "title": "{{ airport.name | safe }}",
}
```
jacky joined the channel
#
[tantek]
copy/paste code from Discord sounds like a good way to get 0wned
#
[Joe_Crawford]
A thing Facebook does that I really appreciate is console.log() a warning that if you're not a developer and someone told you to paste things into browser dev tools they probably don't have your interests at heart.
#
sebbu
[Joe_Crawford], i think i also saw that warning on another site
#
capjamesg
Discord!
#
sebbu
but i was only retrieving cookies, not executing js, so i switched to "application tab" (previously storage tab)
#
capjamesg
(Screenshot from Discord)
#
aaronpk
haha the jobs link
#
sebbu
yeah, i confirm, fansly also shows that message
ttybitnik, jacky, [KevinMarks], sp1ff, amyiscoolz and [0x3b0b] joined the channel