#dev 2025-05-26

2025-05-26 UTC
grufwub and LadyBanana joined the channel
#
[tantek]
The use case of linking directly to a GitHub edit link without knowing if the reader is logged into GH is an interesting one. I think the key principle to follow here is user predictability and dependability
#
[tantek]
So like if your site knows it's you that's logged into your site, then maybe a direct GH edit link with rel=edit makes sense bc your site can guess that you're also signed into GH
#
[tantek]
Or if your site auths people with sign-in to GH then similarly your site knows that a GH edit link will work to directly edit a textarea so rel=edit makes sense
#
[tantek]
Otherwise it may be more user friendly to link directly to the page's source code in GH but without the edit path, and use rel="code repository" (or whatever we end up with per brainstorming) to reliably provide a repo link which then may have a direct edit pencil icon button
#
[tantek]
(This is all re: [KevinMarks] example that he shared which has a page on his site direct linking to the edit path for that page's source on GH)
jeremy, barnaby, mort8088, Robert1, bugliker0 and stefen joined the channel
#
doesnm
can someone say dobrado alternative?
balintm joined the channel
#
capjamesg
dobrado alternative
#
capjamesg
🙂
#
doesnm
genius
#
doesnm
but if serious?
#
perryflynn
Is a static site generator an option? Otherwise I only know WordPress and TYPO3.
#
doesnm
perryflynn: ssg is not because it's just a website. Services like webmentions, microsub, microsub, indieauth and etc need to be delegated to other daemons
#
doesnm
wordpress can provide but they are too dangerous to use (every day i see a newspaper about some plugin was hacked and used in evil actions)
barnaby and [Murray] joined the channel
#
[Murray]
Pretty out there question: does anyone know of a way to limit Node.js processes per CMD? I'm experimenting with running some of my sites on a CPanel host (it's been a fun weekend of outages and issues 😄), and the main blocker right now is just that each site ends up competing for resources. I have a hard limit of 100 processes, and each Node app seems to want to spin up as many as it can.
#
[Murray]
I've already added a Cron job to clear out unused processes routinely (that helped a lot!) but I'd love to be able to assign blocks, and reserve a handful just in case. I just... have no idea what I'm doing with this kind of server architecture 😅
#
perryflynn
doesnm: I see
#
[schmarty]
KevinMarks: oh wow! Quite a rabbit hole.
barnaby, Pixi, sebbu and sp1ff` joined the channel
#
zachary.kai
A question, please. Is it worth adding 'en-US' to the lang attribute of html to specify english region?
#
osteophage
I don't know the answer to that, but this question reminded me I should add a section on the lang property to the beginner guide I've started working on, so kudos for that.
bugliker06 joined the channel
#
sknebel
doesn't hurt. especially with short posts/little content it does happen that auto-translation options in browsers etc get confused
#
sknebel
(I assume they are very biased towards english, but still)
#
[Murray]
@zachary.kai are you talking about the root `<html>` element? If so, yes, it's definitely worth it; it has accessibility and translation benefits! If you're talking about using the `lang` attribute on a subsection of a site (say a `<blockquote>` or a `<p>`), then specifying the language is typically enough (e.g. `en`) and is still definitely worthwhile. Very few things (if any?) actually use the additional context of `-US`. That said, as
#
[Murray]
sknebel mentioned, it doesn't hurt, and (particularly with English and French) I have heard that it can help with specific translation tools.
[social] joined the channel
#
[social]
[KevinMarks] that looks interesting. I don't have issue with Pinboard and in recent months have had productive chats with Maciej and there have been a fair amount of updates. I like the sharing out, but also looking at what those in my network are bookmarking. I've always had a back up to my social bookmarking (starting with http://del.icio.us), my personal site's homemade CMS started as a (what is now called) linklog (and travel log t
#
[social]
bring back into my Blogger when I got home, due to many hotels blocking FTP back in the late 1990s and early 2000s).
#
[social]
I have a lot of not so public second bookmark capture services locally in apps, but I keep thinking of rebuilding my linklog, importing my ~78k bookmarks, and keeping a structure that could work to integrate somewhere for networked social bookmarks and/or linklogs.
#
[social]
I've set aside the Alex Chan piece for later reading.
GuestZero_ joined the channel
#
[tantek]
lang=en-US is also incrementally better (assuming that's the right dialect for the content) than lang=en bc that's usually ignored by tools and services due to presence in templates and copy/pasta in lots of pages. Classic example of invisible metadata rot
bterry joined the channel
#
zachary.kai
sknebel / [Murray] / [tantek] That's great to know, thank you so much! It's on my list of things to implement.
#
carrvo
artlung (or any other css guru): I am using `grid-template-columns` with `grid-column: N / span 1` to give the Nth column, but how do I ensure that it is the only element for the row without having its width become the whole row (and lose positioning)? Or is grid simply the wrong approach in the first place?
[artlung] joined the channel
#
[artlung]
harder (for me!) to visualize without seeing the fr'instances. But that makes me kind of think that you would find repeat and auto-fit useful. See this stackoverflow answer which does a nice job. https://stackoverflow.com/a/46227025/63094
#
[artlung]
_(for most layouts, there's a way to do it in grid, but if you have more... arbitrary elements to be added as child elements of to the grid display: flex is great, and then you decide on the max-width and flex-grow of the child elements and things slot into place. all of this is easier said than done but you could do worse than sharing here to for feedback)_
balintm joined the channel
#
[artlung]
last thought: `grid-template-areas:` is great, but if you have numbers of items that are unpredictable named areas can overlap in ways one does not intend
#
carrvo
I can show it at the next HWC for sure.
#
capjamesg
I have submitted the Edit Button extension to Chrome.
#
capjamesg
I'm looking into Safari.
#
capjamesg
There are so many steps to submit an extension to Safari.
#
capjamesg
I need XCode 😭
#
doesnm
capjamesg: you can't have xcode? as i seen you are on macos
#
capjamesg
I can but I don't need it for all the other browsers 😂
#
doesnm
it's ecosystem :P
#
[artlung]
And I believe admission to that ecosystem and continuing releases requires paying money to Apple on an ongoing basis unless browser extensions are an exception.
#
[artlung]
capjamesg[d]++ go man go!
#
Loqi
capjamesg[d] has 52 karma in this channel over the last year (213 in all channels)
#
capjamesg
Yeah. You need to have an Apple Developer subscription.
#
capjamesg
I'm not 100% sure if you need it if you plan to distribute outside of the App Store. I think that's an option, but I haven't looked into that side yet.
#
capjamesg
👀
duanin2, luca and barnaby joined the channel
#
capjamesg
After a lot of work I have the extension working on iOS!
#
capjamesg
It only works in Safari though due to what I think are Apple restrictions on extension use in non-Safari browsers on iOS.
ttybitnik and balintm joined the channel
barnabywalters joined the channel
#
capjamesg
I have also submitted to the Chrome and Edge stores.
#
capjamesg
Edge was very strict about Manifest v2 vs. v3.
#
capjamesg
They wouldn't let me include `page_action` that Firefox still supports 😭
#
capjamesg
So my build process will now need to make a separate Manifest for Edge.
#
capjamesg
The Safari submission process is quite involved so I'll probably tackle that tomorrow.
#
[tantek]
this whole add-on development and submission process itself sounds quite involved and worthy of a post even if it's just your notes
#
capjamesg
It really is.
grufwub joined the channel
#
trwnh
(catching up) [tantek] capjamesg [KevinMarks], my use case is most closely (3) or subset: link to the "edit link" of the "same"/"source" resource, but potentially cross origin. just using gitea/forgejo instead of github. it doesn't make sense to point to anything other than specific _edit uri
#
trwnh
i think the real pain point here is lack of consistent cross-origin (federated) identity for the agent
#
trwnh
in the ideal case you are already authenticated to the website so it can selectively render a rel=edit link while "knowing" that when you land on the _edit page, your current credentials should be accepted just as well
NaomiAmethyst3 joined the channel
#
trwnh
the "misleading" part seems to be the idea that, when logged out of gitea/forgejo, you will be redirected to a login, then redirected back to the _edit page
#
trwnh
to me, this is not really any different than linking to any other resource that might happen to redirect or require auth. if i reply to a private post then i have no idea who someone else's audience includes. "in reply to this thing you can't see" might be a degraded UX but it doesn't make the "reply" relation/predicate somehow inaccurate
barnaby joined the channel
#
trwnh
basically i am making the claim "here's where you can edit this page", but when you get there the bouncer might not recognize you immediately (because no consistent Web identity) and you will be asked to see the front desk before coming back
#
capjamesg
trwnh++ for the thoughtful points.
#
Loqi
trwnh has 2 karma over the last year
#
capjamesg
In Firefox, you can selectively show a web extension depending on a condition. This means you can show an edit button only if a page is editable. Showing a button only if a user can edit the page feels like the ideal experience. Promoting rel=edit without any precondition regarding auth makes it hard to strive toward that goal.
#
trwnh
i don't know if i want to add auth to a site solely to detect whether i should render an "edit this page" link, when the invitation to edit the page extends to the unauthed general public also (with the auth at the destination being a formality of the edit *process*, not of the edit *relation*)
#
capjamesg
I think this is where a "view source" comes in.
#
capjamesg
A rel=code or equivalent would let you say "here's the code for this page" without specifying whether the user can edit.
#
trwnh
maybe? it's kind of an "edit source" where "source" is different from view-source:
#
capjamesg
This could be consumed by an extension in a waterfall algorithm, where you: Show edit if the user can actually edit the page, show view source to everyone else, or show nothing if no source or edit link is present.
#
capjamesg
Yeah. The naming needs work. Confusion with view-source is less than ideal 😭
#
trwnh
my problem with rel=code or similar is that there are specifically different paths depending on whether you go to /src/ or /_edit/
#
trwnh
the proposed behavior is essentially two steps instead of one
#
trwnh
you have no idea whether the rel=code will let you rel=edit
#
capjamesg
In the case of a static site, yes.
#
capjamesg
*yes, that is true
#
trwnh
is there a way to detect whether you are authed to a different origin? presumably no, it could even be a security issue
#
capjamesg
If I follow the "Edit this page" button on https://www.elastic.co/docs/reference/query-languages/ when I'm not logged in to GitHub, I see:
#
[tantek]
right it's a privacy issue
#
capjamesg
Yeah, not at a different origin.
#
[tantek]
I think silo misleading UI has normalized misleading UI in general and so we have come to tolerate it when we shouldn't.
#
[tantek]
Two dependable and predictable steps is MUCH more user friendly, user comforting, than a single (likely) misleading and undependable step
#
[tantek]
I agree with capjamesg that it makes more sense to show the general public a "view source" rel=code link, just as the http://indieweb.org wiki does when you are not logged in
#
[tantek]
Or the Mozilla wiki does when you are not logged in
#
[tantek]
That's 100% predictable and dependable by the user
#
[tantek]
If you are logged into your own site, then sure, go ahead and detect that on your backend and show yourself the edit link because you know if you are logged into your site as you (e.g. via IndieAuth), then you are most likely also logged into the cross-origin edit link, and furthermore, you as the individual who built it has full fore-knowledge of what to expect so you won't be surprised
#
[tantek]
the other MAJOR problem with tolerating or normalizing the "verb" -> "show the user a login prompt/screen instead of doing the verb" behavior is that it is RIPE for creating (and normalizing, and reinforcing) a phishing UI
#
trwnh
maybe there's some kind of weird CORS thing you can declare to say that going from wiki.trwnh.com/foo to git.trwnh.com/sites/wiki/_edit/content/foo.md is okay, like git.trwnh.com declares ahead of time that its local storage can be accessed by wiki.trwnh.com and check for a cookie or something. seems complicated but how else would wiki.trwnh.com know you are logged into git.trwnh.com
#
[tantek]
random web page -> "edit this page" link (with or without rel=edit, though with rel=edit would make the add-on an accessory) -> cross-origin domain that "looks like" github/gitlab/gitea etc. with the exact same login screen presentation to phish your credentials.
#
[tantek]
they could even go to the trouble of mimicking the 2FA UI, e.g. on GitHub, to get that from you in real-time as well
balintm joined the channel
#
trwnh
i guess i can see it being expected in a private deployment for some organization perhaps (you might reasonably expect SSO for wiki to extend to gitea)
#
[tantek]
sure, within an org that uses SSO for the viewing of pages and the editing of pages, that could work seamlessly
#
capjamesg
Impersonating UIs is an interesting security consideration.
#
trwnh
but i just don't think we'll solve identity across the entire Web overnight sadly 😔
#
capjamesg
I wonder if anything consuming rel=edit links should warn the user the first time they go to a different origin.
#
capjamesg
trwnh Unfortunately not, but every step is progress ✨
#
[tantek]
capjamesg, interesting question. might be useful to allow building up of rel=edit "destinations" like that
#
trwnh
it would be unfortunate to say "rel edit should not be used cross origin bc auth reasons" but that seems to be the takeaway
#
[tantek]
including auto-learning from domains that rel=edit link to themselves which the user clicks on
#
[tantek]
trwnh better to start conservative and user-dependable, user-safe, and explore ways to expand it later, than start too flexible and make it open to abuse, another vector for vulnerabilities etc.
#
[tantek]
that's been a big longstanding lesson in web standards development
#
[tantek]
the amount of effort put into attempting to lock down and secure things that started out as "flexible" has been nuts
#
[tantek]
there are UI workarounds (that take extra implementation on the website, and steps for the user) to enable cross-origin edit links reliably
#
[tantek]
e.g. start with, requiring users to sign into your website (e.g. via IndieAuth)
#
trwnh
right, i was thinking a script hosted on git.trwnh.com could figure out if you are logged in, then you CORS on wiki.trwnh.com to allow the script to run from git.trwnh.com
#
[tantek]
then, it's possible to present a UI to allow users to opt-into "edit" links which requires sign-in with the destination of your cross-origin edit links
#
trwnh
i'd like for this to be static site friendly since i use Hugo to build all this
#
[tantek]
e.g. sign-in with your IndieAuth, then if the website uses Github for example, it could implement an opt-in checkbox [ ] or button [Sign-in with GitHub] to enable "edit" links, and then your site can implement e.g. https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/building-a-login-with-github-button-with-a-github-app for that
#
[tantek]
Similar to how https://brid.gy/ implements a "Sign in with GitHub" button to enable publishing (POSSEing) to GitHub
#
[tantek]
so it's definitely doable
#
[tantek]
except you can implement Sign-in with GitHub with only the "identity" or "authn" permissions, not read/write permissions
#
capjamesg
trwnh I used to have a bookmarklet for editing my site: https://jamesg.blog/2025/02/16/my-static-site-editing-bookmarklet
#
trwnh
at the very least i might rework my edit link partial in Hugo to try using a script or extension but i am not looking forward to it haha
#
capjamesg
I now have a browser extension that lets me show an edit button for a URL pattern and, when clicked, takes me to a page that redirects me to the corresponding GitHub page.
#
capjamesg
I need to do a full write-up on how it all works at some point.
#
[tantek]
capjamesg btw confirmed the rel-edit add-on works on W3C wiki, Mozilla wiki (when signed in of course)
#
[tantek]
capjamesg, may I add to its Readme noting a handful of sites that have been verified to work with it?
#
capjamesg
Yes, please!
#
[tantek]
what is rel-edit
#
Loqi
rel-edit is a microformat for linking a page to a URL that lets you edit a page https://indieweb.org/rel-edit
#
capjamesg
My main focus right now is on cleaning up the settings page. I fixed the dark mode issue, but it's not released yet.
#
[tantek]
Makes sense. I still can't get the "User natural language heuristics" checkbox to stick
#
[tantek]
I'll help with some README PRs for now
barnaby joined the channel
#
[tantek]
yeah re: fake login screens and phishing, a big part of improving security on the web is NOT teaching users to be phished, i.e. encouraging existing trusted/legitimate sites to NOT adopt UI patterns which inadvertently teach users to be phished. Thus links that claim to do one thing (verb), but actually make the user sign-into another domain first, should be avoided.
#
[tantek]
Because such UI patterns, especially on trusted/legitimate sites, are literally teaching users to trust by reference (with the implied incentive of the original "verb" they were attempting) and provide their credentials to some cross-origin site linked by a different site.
#
[tantek]
This probably deserves a longer write-up or at least a blog post starting with "Why ..." so folks can provide a citation when asking trusted/legitimate sites to NOT put such links on their pages
bugliker0 joined the channel