#dev 2025-01-05

2025-01-05 UTC
angelo joined the channel
GWG
aaronpk: What other projects are you going to be updating this week?
aaronpk
what I actually wanted to do was add indieauth metadata support to indielogin.com, so hopefully i can actually finish that now
aaronpk
just got stuck doing a bunch of maintenance first instead
[tantek]
ah yes the frameworks & libraries updates & fixes tax
GWG
Been there
aaronpk
i'm still very confused about how this error is happening https://media.aaronpk.com/2025/01/04170457-7310.png
aaronpk
ooh, i bet this is cloudflare's fault
[snarfed] joined the channel
[snarfed]
looking forward to recommending https://worksinprogress.co/issue/the-maintenance-race/ (full book still in progress) to everyone here 😆 😢
[snarfed]
(including to myself! 😐)
[tw2113] joined the channel
aaronpk
i can't figure it out
aaronpk
i've tried tricking it in several ways and can't recreate that error
[tw2113]
give it an evil glare
vikanezrimaya
Thought: CSP prevents injecting arbitrary things into the website (e.g. a rogue Webmention injecting an inline script or style into the page), but at the same time prevents the post author from injecting arbitrary things into e-content (like a custom style for a one-off post), unless special care is taken to inject nonces into script/style tags inside e-content, or, alternatively, hash their contents and send the hashes as part of the CSP header.
vikanezrimaya
There are trade-offs here. But the second option is far more secure.
vikanezrimaya
Less thought is needed about sanitizing content in Webmentions if the content security policy disallows running non-nonced inline scripts.
vikanezrimaya
Nonces in this case may be more secure than hashes, because a webmention could try a hash collision or to inject a "good" script in a "bad" place somehow.
vikanezrimaya
Whereas placing a nonce allows running a certain script in a certain place and that place only.
grufwub joined the channel
carrvo[d]
I would question why you expect webmentions to inject scripts in the first place. I would expect to only inject safe microformats2 text from the source and a link back to the source. That keeps the destination (of the webmention) secure.
carrvo[d]
Aka display other sites' data in your format. Don't try to inject the external site format...
carrvo[d]
aaronpk I love how the expected value, seen value, and help value are the same. Those are always the most frustrating issues 😔
immibis
Thought: don't send malicious scripts to the client and rely on the client to catch it with a security policy
immibis
CSP is solely for defense in depth
immibis
CSP tries to catch the horse once it already escaped from the barn
scattershot joined the channel
carrvo[d]
In your case, I believe, the CSP is the browser catching malicious scripts that your webmention handler allowed to be injected into your site. But if you don't allow your webmention handler to inject foreign HTML, then you would be more secure. That is, when your webmention handler is retrieving content from the foreign site, extract non-HTML text that you embed into your own HTML, to then inject. Including stripping away foreign scripts (aka,
doesnm
wait, csp can be set up only in headers? not meta?
carrvo[d]
I know I haven't used or implemented a webmention yet, but I am confident in what I am saying (for reasons that you would have to know me for). Please feel free to wait for more proper experts...
carrvo[d]
Um, I think so (CSP in headers)? Truthfully my confidence in CSP is because it came up recently in this chat and gRegor affirmed my understanding.
gRegor and gRegorLove_ joined the channel
carrvo[d]
What is content security policy?
Loqi
Content-Security-Policy (abbreviated CSP) is an HTTP directive that a site can use to restrict what external resources are retrieved by a browser, to mitigate some XSS and injection attacks https://indieweb.org/Content-Security-Policy
[KevinMarks] joined the channel
[KevinMarks]
the thing I find most annoying is when libraries do maintenance work just to drop support for older language versions.
carrvo[d]
Uh... mental twist. You were three different people... and I accidentally thought of all of you as the same person, sorry.
catgirlin.space
carrvo[d]: should note that discord message links stay as discord message links on irc unfortunately :( i believe the preferred way of linking messages is find their permalink on chat.indieweb.org? so https://chat.indieweb.org/dev/2024-12-27/1735272348502700 for that message :3
Loqi
[preview] [carrvo[d]] @gRegor Did I understand correctly that content security policy is a header to list the domains/content that the server trusts, so that the browser knows other requests are suspicious?
nemonical joined the channel
[tantek]
catgirlinspace++
Loqi
catgirlinspace has 1 karma over the last year
aaronpk
um yeah definitely don't render script tags from external sites from webmentions
[snarfed]
is anyone familiar with text direction and RTL/LTR override characters and how to handle them on the web?
aaronpk
ok i finally recreated this, but I had to change some of the logic in order to trigger this, so I'm still not sure how this is actually happening for real https://media.aaronpk.com/2025/01/05080124-5198.png
[snarfed]
I got this bug report, and I don't know where to start, and honestly I'm surprised that app developers have to do much to handle this at all, instead of browsers themselves, https://github.com/snarfed/bridgy-fed/issues/1666
Loqi
[preview] [electricduck] #1666 RTL override causing UI problems
aaronpk
oops, version with proper exact string match https://media.aaronpk.com/2025/01/05080216-3632.png
[tantek]
[snarfed] there may be a CSS property that you have to put on a span around the external content to "sandbox" any RTL-ness in that external content
[tantek]
I vaguely remember hearing about this
[snarfed]
hmm ok. what is an external context, and when do I need to RTL-sandbox it?
[snarfed]
happy to read an explainer if anyone knows of a good one
[snarfed]
oh content, sorry
[tantek]
The reason app developers have to handle it is that only app developers know where the boundary is between the "external content" that may have such overrides and the "rest of the content"
[tantek]
External content = some strong you got from outside the site, eg user entered
[snarfed]
...but I think the result there in the first screenshot in that bug did that ok, without me doing anything explicit ...?
[tantek]
some string*
[snarfed]
oh, maybe I get it now. so yeah maybe just separate HTML elements around each bit of external content? 🤷
[snarfed]
yeah that does it. (block element, not inline)
[tantek]
Sure there's that default behavior of block elements that works
[tantek]
Or I believe you can make it work with a span also using something like <span style="unicode-bidi: isolate;">external content here</span> to avoid having that external content affect the text directionality of surrounding text
[snarfed]
aha thanks, that's more self-documenting
[tantek]
In general there's a whole category of things you have to do to sanitize or isolate strings from external sources (user entered data)
[tantek]
Or strings from other people's sites you parse say from a received webmention
[snarfed]
definitely! this one was new to me
[tantek]
If if you are a displaying someone's name from an external site, you probably also want such an "isolated"
[tantek]
"isolate"*
[tantek]
LMK if that works. Haven't tried it myself but that's what I remember from reading MDN and CSSWG discussions ages ago
[tantek]
Ok hopefully that's enough that if someone searches chat for webmention and Unicode direction character or CSS or HTML override they will find this discussion
[snarfed]
yup it does work. thanks!
[tantek]
Probably worth a blog post for webmention receivers
[tantek]
And displaying reply contexts!
doesnm
waiting!
doesnm
for post
ttybitnik joined the channel
nemonical, GuestZero, gRegorLove_ and sebbu2 joined the channel
[KevinMarks]
I remember experimenting with this when we were trying internationalization for SocialWG. I think we got twitter to reverse text
Loqi
[preview] [Kevin Marks] ‮ inline RTL works in reverse without implementers knowing #indieweb
carrvo[d]
catgirlinspace++ will try to remember for next time.
Loqi
catgirlinspace has 2 karma over the last year
aaronpk
capjamesg: you'd probably like this post about email link + passkey login https://rmondello.com/2025/01/02/magic-links-and-passkeys/
capjamesg[d]
This is a fascinating point: "Something that I’ve learned by working on the user experience around website and app authentication is that, if you need to educate a person to go against what the inline flow naturally leads them to do, that cognitive friction will frustrate or stymie a significant number of people."
capjamesg[d]
aaronpk I thought about the UX of prompting for a passkey but I preferred the idea of a more explicit "Sign in with a passkey" button.
fluffy, ben and sivoais joined the channel