#social 2020-05-04

2020-05-04 UTC
ajordan, jussi, emilis, xmpp-social and emilis_info joined the channel
# 08:34 
dansup BradKoehn[m]: was a joke mate, getting AP code simpler and cleaner is challenging, kudos ;)
xmpp-social, ajordan and jussi joined the channel
# 15:47 
BradKoehn[m] More fun with C2S: most ActivityPub servers restrict GET requests with CORS, preventing C2S apps from accessing objects. https://socialhub.activitypub.rocks/t/cors-restrictions/658
# 15:49 
csarven Pretty much. Client can try to use a proxy if the request doesn't go through
# 15:51 
BradKoehn[m] Yeah, that's what my app does.
# 16:03 
csarven Same here.
# 16:05 
csarven My app uses the user's preferred proxy endpoint if their WebID specifies, otherwise, the app will use one that's shipped with the app (but configurable nevertheless)
# 16:08 
pukkamustard csarven (IRC): I like how you made that configurable via WebID. What's your app? What is the "preferred proxy endpoint" predicate?
# 16:12 
csarven pukkamustard: App is https://dokie.li/ . Using `solid:preferredProxy` for now. We have some open issues to get through before introducing it (or another term along those lines) in the vocab.
# 16:14 
csarven Doesn't matter what the term is or where it is. Just need that notion - user declaring their preferred proxy in their profile.
# 16:15 
pukkamustard Is there a specification on how the proxy in preferredProxy can be used?
# 16:17 
pukkamustard aha, just saw the GitHub issue and the note in Gitter (solid:preferredProxy "https://example.org/proxy?uri="). Nice.
# 16:17 
csarven Just https://github.com/solid/vocab/issues/26 . Expecting a URI Template basically as the value.
# 16:17 
Loqi [csarven] #26 Property to indicate an agent's preferred proxy endpoint for applications to use
# 16:19 
pukkamustard I ran into the same problem with an app I'm working on (GeoPub - https://inqlab.net/2020-04-06-geopub-activitypub-for-content-curation.html). Happy to see such a solution.
# 16:22 
csarven #CORSPITA
# 16:24 
BradKoehn[m] Yeah. There's an issue already on Mastodon for this; add your 👍 and comments to encourage them to use proper CORS settings. https://github.com/tootsuite/mastodon/issues/10400
# 16:24 
Loqi [wiktor-k] #10400 Enable CORS for statuses and inboxes (ActivityPub API)
# 16:31 
csarven BradKoehn[m] pukkamustard Solid servers require CORS in that all actions will be allowed. Access control will be handled separately at a deeper level - there is an ACL document specifies authorization policies per resource.. what agent .. access modes etc.
# 16:40 
BradKoehn[m] Yes, that's the way it should work. I'm kind of surprised it wasn't included in the ActivityPub specification.
ajordan, xmpp-social and wavis joined the channel
# 19:03 
melody most servers don't support AP C2S on purpose
# 19:03 
melody and CORS would for sure be out of scope for the ActivityPub spec since AP doesn't assume browsers are involved at all
# 19:09 
BradKoehn[m] Without specifiying it, AP presumes that browsers cannot be involved. Servers don't have to support C2S clients of their own, but without supporting CORS they prevent any C2S clients at all.
# 19:13 
melody and if they aren't supporting C2S that seems fine to me
# 19:17 
BradKoehn[m] Let me be clear: I'd like to write a web-based C2S client for my own server. If I send it an object with e.g., `"attributedTo": "https://example.com/actor/bob"`, and the `example.com` server doesn't allow CORS, my client (which is logged into my server), cannot download the Actor object.
# 19:17 
BradKoehn[m] That's what I mean by "without supporting CORS there can be no C2S clients at all."
# 19:21 
BradKoehn[m]  * Let me be clear: I'd like to write a web-based C2S client for my own server. If I send it an object with e.g., `"attributedTo": "https://example.com/actor/bob"`, and the `example.com` server doesn't allow CORS, my client (which is logged into my server), cannot download the Actor object.
# 19:21 
BradKoehn[m] That's what I mean by "without supporting CORS there can be no browser-based C2S clients at all."
# 19:22 
BradKoehn[m]  * Without specifiying it, AP presumes that browsers cannot be involved. Servers don't have to support C2S clients of their own, but without supporting CORS they prevent any browser-based C2S clients at all.
ajordan, xmpp-social, lanodan and tsyesika9 joined the channel