XSF Discussion - 2019-09-18


  142. jonas’

    Daniel, fixed the 500

  144. Daniel

    jonas’, thanks. i'm getting a 400 when trying to search

  145. jonas’

    Daniel, can you extract the error?

  146. jonas’

    because search works for me via curl

  147. jonas’

    and in the web ui via browser

  148. jonas’

    Daniel, the search API returns a JSON on 400, with a single "error" key

  150. Daniel

    it says key keywords is required. but i'm 80% i'm setting that. also i haven’t changed the code since it was last working

  155. jonas’

    Daniel, I’m not sure how that error can be caused except if "keywords" is actually missing

  156. jonas’

    I haven’t touched that code since it was last working either, and it works fine locally with curl

  157. jonas’

    ```
    $ curl -s \
        --data '{"keywords": ["xsf"]}' \
        -H 'Content-Type: application/json; charset=utf-8' \
        https://search.jabbercat.org/api/1.0/search | jq -C .
    ```

  158. jonas’

    lovetox_,
    > jonas the black banner looks a bit boring
    I agree, do you have ideas on how to fix that? :)

  161. lovetox_

    no i hate webdesign

  162. jonas’

    lovetox_, let me rephrase: If you have a visual idea, I may be able to put it in css/httml :)

  163. jonas’

    lovetox_, let me rephrase: If you have a visual idea, I may be able to put it in css/html :)

  164. Ge0rG

    *cough* https://github.com/horazont/muchopper/issues/15 *cough*

  166. pep.

    Ge0rG: I'd make that search button same height as the input field

  167. jonas’

    Ge0rG, I think it might be easy to overlook when integrated in the banner

  168. Ge0rG

    jonas’: that's possible.

  169. Ge0rG

    OTOH, having two search boxes is slight overkill

  170. jonas’

    but only slight!

  172. Ge0rG

    most of the vertical space is taken up by meta.

  173. jonas’

    the copy to clipboard will be the first piece of JS on that page, Ge0rG, I hope you feel guilty.

  174. jonas’

    the copy to clipboard will be the first piece of JS on the room list page, Ge0rG, I hope you feel guilty.

  175. Daniel

    jonas’, ok never mind. classic heisenbug. if i log the query before sending it it works

  176. Daniel

    so it's not you

  177. Ge0rG

    https://upload.yax.im/upload/kmJi9wW3ylSzcV0P/Screenshot_20190918-100107_Firefox.jpg

  181. Ge0rG

    I wanted to paste that screenshot earlier, but yaxim was crashing due to my incorrect use of some StringUtils API

  182. lovetox_

    jonas’ how to whitelist an avatar?

  183. jonas’

    lovetox_, ask me

  184. jonas’

    it’s documented in the For Owners documentation section

  186. lovetox_

    ok thanks i see you already whitelisted gajim

  187. jonas’

    lovetox_, I had it whitelisted yesterday on launch already, it just took the bot a while to re-scan the gajim muc :)

  188. Ge0rG

    damn, so now I need to load the prosody module after all.

  189. Ge0rG

    And also set the ~horny pe~ yak logo

  190. Ge0rG

    jonas’: great work!

  191. jonas’

    Ge0rG, reload the page

  192. jonas’

    and hover over an entry

  193. lovetox_

    link styling looks a bit weird

  194. Ge0rG

    jonas’: nothing happens?

  195. lovetox_

    i would remove these dots

  196. Ge0rG

    "hover" is not an option on mobile, but then you should probably have a handler for xmpp: there

  197. jonas’

    Ge0rG, yeah, that was my line of thought

  199. jonas’

    oh, I forgot to confirm the pull on the live instance. Ge0rG retry

  201. Ge0rG

    jonas’: awesome! I'd just add a space before the clipboard character.

  203. jonas’

    there is a space there?

  204. jonas’

    maybe hard-reload your things

  205. jonas’

    (it’s a margin-left: 0.5em)

  206. lovetox_

    would it not be better to copy the xmpp:xx?join link?

  207. jonas’

    lovetox_, you can right-click -> copy link address for that one

  209. Ge0rG

    lovetox_: no

  211. Ge0rG

    jonas’: ah, I had some intermediate version

  212. Ge0rG

    jonas’: after clicking the clipboard, it remains visible and marked until you click somewhere

  213. jonas’

    intentional

  214. jonas’

    to a certain extent

  215. jonas’

    I want it to be visible while focused so that it can be reached and used with tab

  216. jonas’

    that’s the price to pay for that, I guess

  217. Ge0rG

    so what do I need on prosody 0.11 for MUC avatars?

  219. jonas’

    Ge0rG, also, reload and retry that click thing

  221. Zash

    Ge0rG: There's a community module of course.

  222. Ge0rG

    lovetox_: http://paste.debian.net/1101390/ :(

  223. Zash

    Tho technically possible to only use the included mod_vcard, but then it's read-only and you'd have to manually add the data.

  224. Ge0rG

    jonas’: much better now

  225. Ge0rG

    Zash: | /usr/lib/prosody/modules/mod_a community module.lua: No such file or directory

  226. lovetox_

    yeah Ge0rG i really dont have a solution for that yet

  227. lovetox_

    i want to parse validate jids in the xmpp lib

  228. lovetox_

    but on encountering invalid ones, im not sure what to do

  229. Ge0rG

    lovetox_: don't crash the xml stream.

  230. jonas’

    Ge0rG, wanna tell me what you want to have whitelisted?

  232. Ge0rG

    jonas’: chat.yax.im

  234. jonas’

    no

  235. jonas’

    yaxim@chat.yax.im?

  236. Ge0rG

    jonas’: the first four of https://search.jabbercat.org/search?q=chat.yax.im

  237. Ge0rG

    maybe also test@chat.yax.im - if you dare

  238. lovetox_

    yeah Ge0rG but thats not so easy, on the other side, server should not send messages from invalid jids

  239. lovetox_

    🙂

  240. jonas’

    the new copy button is super-convenient! :)

  242. jonas’

    the new copy button is super-convenient for building the white-list! :)

  244. Ge0rG

    lovetox_: 🤖 will disagree with you.

  245. jonas’

    https://search.jabbercat.org/search?q=xmpp-de the second hit is amusing

  247. Ge0rG

    lovetox_: from the stacktrace it seems that it's a JID in my roster, ♥@ツ.op-co.de - so that Gajim will never properly connect to my account again

  248. lovetox_

    are you saying this is a valid localpart?

  251. lovetox_

    dont think its the roster to be honest, its a stanza where the from attr has an invalid jid

  252. lovetox_

    roster pushes are from your server, not from contacts

  254. Ge0rG

    Maybe it's presence unavailable then?

  255. lovetox_

    maybe, i will fix that later if i have time

  256. Ge0rG

    lovetox_: I'm not saying that it's a valid JID (I don't know), but I'm saying that it's accepted by my server, and thus shouldn't crash my client.

  257. lovetox_

    but server should really get going with precis

  258. Ge0rG

    Because it's a cheap DoS otherwise.

  259. Ge0rG

    lovetox_: we've had that recently. It should be enforced by the server that's authoritative for the JID.

  260. lovetox_

    thats not an argument, rfc says jids MUST be validated by server

  261. Ge0rG

    If it doesn't, you are rather out of luck

  263. Ge0rG

    lovetox_: okay, but there are different unicode versions and different xmpp versions. And now everybody can crash your client by sending something from an illegal JID

  266. lovetox_

    this local part was allowed once? they really updated the rfc so that already existing accounts got invalid?

  267. Ge0rG

    Where "illegal" depends on your python version, your server version and the position of the moon.

  268. lovetox_

    sounds weird

  269. Ge0rG

    NodePrep and PRECIS aren't an exact match, so you are guaranteed to end up with illegal JIDs _somewhere_

  270. lovetox_

    yeah, i will try to fix that 🙂

  271. Zash

    It's likely that U2665 is undefined in Unicode 3.2 which NodePrep uses.

  272. Zash

    libidn defaults to allowing undefined characters, and thus Prosody does too.

  273. lovetox_

    Ge0rG keep that jid, when i have a fix then you can test if its working 🙂

  274. Ge0rG

    lovetox_: feel free to add it to your roster

  275. lovetox_

    would need a client that allows that, Gajim does not 😃

  276. jonas’

    lovetox_, https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI for an idea of how deep the mess is we’re in

  277. Ge0rG &

  278. lovetox_

    no i write a test for the xmpp lib 🙂

  283. lovetox_

    genius all undefined characters are allowed 😃

  300. flow

    lovetox_, not by the relevant PRECIS profile. I would suggest to remove the faulty stanza from the stream as first course of action

  348. pep.

    https://github.com/xsf/xeps/pull/827 is this some kind of joke? :x

  349. sonny

    yes, sorry I couldn't resist

  350. Zash

    pep.: Read the rest of the XEP

  353. pep.

    Zash: I know the xep, I implement it in my rot13 and b64 plugins for poezio.

  360. sonny

    and it still wasn't clear my comment was a joke? I should be more careful 🙂

  483. Link Mauve

    “07:45:33 flow> Link Mauve, that C&C Renegage remake?”, yes, they are using XMPP for their lobby thing now.

  484. Link Mauve

    Not for the actual game (yet?).

  485. Link Mauve

    “18:47:16 Zash> Are there clients that still fail if you stop advertising <session/>?”, IIRC libpurple did.

  488. Link Mauve

    That’s second-hand experience from IIRC Maranda.

  489. jonas’

    excellent, so if we ever want to move past pidgin, that’s how.

  490. Zash

    Confirmed. "Error initializing session" it says.

  491. Zash

    It's sending the session thing even if it's not advertised.

  492. MattJ

    When we added <optional> there were definitely other clients that failed too

  493. MattJ

    I think one was Psi/Gajim, and probably some other that is extinct these days

  494. MattJ

    and clients couldn't just drop it, because ejabberd had weird behaviour if you didn't do it

  495. MattJ

    even though it is, and always was, a no-op in Prosody

  496. jonas’

    yeah, weeiiiird behaviour

  497. MattJ

    iirc it would let you log in, but timeout your session after some time

  498. MattJ

    even though you were using it fine

  499. jonas’

    I’m pretty sure I was unable to send stanzas

  500. jonas’

    otherwise I would probably not have noticed when developing aioxmpp

  502. jonas’

    unfortunately, that was back in 2015 where I wasn’t as good at commit message writing as I’m now, so the error behaviour is lost in history

  503. Daniel

    i vaguely remember not being able to send and receive messages or something

  504. Daniel

    more than a subtle 'will log you out at some point'

  506. Link Mauve

    jonas’, could you also whitelist SVGs from chat.jabberfr.org on muclumbus?

  507. jonas’

    Link Mauve, SVGs are not supported

  508. jonas’

    Link Mauve, and I generally only white-list single rooms where I trust the owners or domains where only admins can create rooms (and I trust the admins to a certain extent)

  509. Ge0rG

    jonas’: but then again, you trust *me*

  511. Daniel

    jonas’: are the avatars going to be exposed over the api as well?

  512. Holger

    MattJ, Daniel, jonas': FWIW yes back then you got no error from ejabberd when sending random stanzas while it was waiting for `<session/>`, but you'd neither be able to send nor receive anything. You also shouldn't time out though as long as you do send random crap :-)

  516. Link Mauve

    jonas’, why do you limit it to ¬SVG?

  518. Link Mauve

    jonas’, once you start supporting SVG, you can whitelist the first 12 entries here: https://search.jabbercat.org/search?q=chat.jabberfr.org

  519. Link Mauve

    And also the first four here: https://search.jabbercat.org/search?q=chat.khaganat.net

  521. Zash

    Hm, why don't we have 157 for individual rooms?

  522. Ge0rG

    Why don't we have 157 for individual users?

  528. jonas’

    Link Mauve, I limit it to PNG and JPEG to be precise

  529. Link Mauve

    Any reason for that?

  530. jonas’

    Link Mauve, rescaling

  531. MattJ

    I heard SVG has trouble with that

  532. Link Mauve

    It’s free to do in the browser with SVG.

  533. jonas’

    and embedding SVG would require a separate domain to prevent any funny javascript attacks in SVG

  534. jonas’

    or at least a CSP

  535. Link Mauve

    jonas’, use <img/> instead of embedding it.

  536. jonas’

    all things I don’t know about

  537. jonas’

    Link Mauve, will that stop it from executing scripts?

  538. Link Mauve

    Yes.

  539. jonas’

    are you sure? if so, why?

  540. Link Mauve

    Yes I am; because images are expected since about forever to not contain scripts.

  541. jonas’

    yeah well, I expect the web to be sane since forever and it isn’t

  542. Link Mauve

    And browsers would be very cautious to not open such a huge hole that can even do cross-site things.

  545. jonas’

    they have traditionally done that, I don’t trust browsers

  546. moparisthebest

    I was fairly confident SVGs even with image could execute javascript

  547. Link Mauve

    For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL.

  548. jonas’

    Link Mauve, am I still safe when I use the SVG as background-image?

  549. Link Mauve

    jonas’, yes, it also is in an image context.

  550. Link Mauve

    moparisthebest, do you have a link to an attack description?

  551. Link Mauve

    jonas’, what isn’t would be to use <object/> or <embed/> or <iframe/>.

  552. MattJ

    jonas’, https://www.w3.org/wiki/SVG_Security

  553. jonas’

    MattJ, thanks

  554. moparisthebest

    yea if browsers actually implement it like that it should be safe, neat

  555. Seve

    > For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL.
    Haven't you said earlier to use <img/>?

  556. Link Mauve

    Seve, yes.

  557. Seve

    Ah you mean nothing would happen if that is the case

  558. Link Mauve

    Yes, this story is about as obvious as it could be, and the reason why browsers took so long to accept SVG in image contexts.

  559. moparisthebest

    jonas’ is still right though in that if someone links to https://somedomain.com/evil.svg that'll still execute javascript and be able to steal cookies and XSS from somedomain.com, so if you allow SVG uploads, you need different domain or CSP or similar

  560. MattJ

    Right-click->View Image

  561. Link Mauve

    Or a data: URI.

  562. Link Mauve

    Or a Blob.

  563. Link Mauve

    Or any of the various mechanisms that aren’t tied to the domain.

  564. Link Mauve

    (CSP is very good.)

  568. jonas’

    moparisthebest, thanks, good point

  569. jonas’

    a CSP it is

  570. jonas’

    the sane thing would be to disable all script things for the avatar endpoint?

  572. Link Mauve

    Probably also all external CSS.

  573. jonas’

    everything

  574. jonas’

    how do I do that?

  575. Ge0rG

    Just burn the web. With napalm

  576. Link Mauve

    At JabberFR, for our HTTP File Upload domain, we use: `Content-Security-Policy: frame-ancestors 'none'; default-src 'none'; img-src 'self'; media-src 'self'; report-uri /report-csp-violation`

  577. Link Mauve

    I should add style-src 'self'.

  578. Ge0rG

    Link Mauve: do you have a csp violation listener at /?

  581. Zash

    ```
    ~$ ssh snikket2
    ~$ more /etc/nginx/snippets/csp-strict.conf
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'";
    ```

  582. Link Mauve

    Ge0rG, yes.

  583. Link Mauve

    For every domain.

  584. moparisthebest

    for a site like yours jonas’ I'd probably just disable everything with CSP, then enable as you need

  585. jonas’

    yeah

  586. Link Mauve

    That’s default-src 'none'.

  587. Ge0rG

    Link Mauve: what's the implementation you are using?

  588. Ge0rG is asking for a friend

  590. jonas’

    default-src 'none'; seems to still allow SVG to be rendered

  591. Link Mauve

    Ge0rG, the one which uses a ton of memory.

  592. Zash

    It's funny when you disable the CSS in SVG.

  593. Ge0rG

    Link Mauve: ejabberd?

  594. Link Mauve

    Zash, yes, which is why you should also have style-src 'unsafe-inline'.

  595. Link Mauve

    Ge0rG, ah no, Prosody.

  596. Link Mauve

    With the mod_http_upload community module.

  597. Ge0rG

    Link Mauve: prosody is a csp violation reporting tool?

  598. jonas’

    Link Mauve, > frame-ancestors 'none'; default-src 'none'; style-src 'unsafe-inline';

  599. jonas’

    does that sound good?

  600. Link Mauve

    jonas’, sounds nice yeah.

  601. Link Mauve

    You may want to add a listener so that you know what your users are being prevented from fetching, at least for a short while.

  602. jonas’

    ... nah :)

  603. jonas’

    I only set it on the avatar endpoint

  604. jonas’

    people will complain when their avatars aren’t working

  605. Link Mauve

    Ge0rG, ah no, I’m using one which sends them to my JID.

  606. Link Mauve

    Let me figure it out.

  607. Link Mauve

    pep., do you remember where I put it?

  610. jonas’

    Link Mauve, https://search.jabbercat.org/search?q=jabberfr

  611. jonas’

    the others will be updated when the scanner gets to them

  612. Link Mauve

    \o/

  613. Link Mauve

    I should add the new muc#roominfo_webchat_url thing we are going to accept shortly. ^^

  614. Link Mauve

    Since we also have that.

  615. Link Mauve

    https://chat.jabberfr.org/ could use an emoji instead of a SVG now, for the join bubble.

  616. jonas’

    indeed

  617. jonas’

    thinking of directly embedding small avatars as data URLs for faster loading

  618. jonas’

    thinking of directly embedding small avatars as data URIs for faster loading

  621. jonas’

    not sure how to write the query so that it only fetches the avatar from the database for the result list if it’s small enough

  624. Link Mauve

    Indeed, on just chat.jabberfr.org it takes about 700ms for me to download every SVG.

  625. jonas’

    to the SQL console!

  626. jonas’

    ugh, the only standard-SQL-way of doing it might be with a self-join

  627. jonas’

    hm, however, doing that would break caching

  628. moparisthebest

    another column that's only non-null if small enough? :/

  629. jonas’

    in postgres, I can do: `select mime_type, case when length(data) < 16384 then data else null end from avatar;`

  630. jonas’

    but locally I’m testing with sqlite, soo....

  632. jonas’

    oh, sqlite also has case

  633. moparisthebest

    was going to say I feel like that should work in sqlite

  634. jonas’

    and sqlalchemy supports it, too

  635. jonas’

    now the question is, does it even make sense to embed the avatars?

  636. jonas’

    right now, we send a 304 for avatars if they’re still cached on the client

  637. jonas’

    we can’t do that for the result page

  638. jonas’

    so we’d send all avatars of a page to the client, inefficiently base64-encoded

  639. jonas’

    every time, since they can’t benefit from caching

  640. moparisthebest

    you'd probably get more benefit from supporting http/2

  643. jonas’

    tell that to apache

  644. moparisthebest

    because then browser could request all the images over one connection at the same time etc

  645. moparisthebest

    apache surely supports http/2 by now?

  646. jonas’

    dunno

  647. jonas’

    if it isn’t on by default, I don’t bother

  648. Link Mauve

    moparisthebest, they already can with HTTP/1.1.

  649. moparisthebest

    not in parallel though?

  650. jonas’

    SVG support brought a few new avatars to the listing

  651. jonas’

    HTTP/2 seems to be a clusterfuck regarding the parallelism anyways. no idea why they thought it’d be a good idea to re-implement multiplexing which we already have with TCP

  652. Zash

    jonas’, itym SCTP

  653. Link Mauve

    moparisthebest, how does HTTP/2 do that?

  654. moparisthebest

    maybe, I mean http/3 is coming, but regardless it's still way faster for browsers

  655. jonas’

    or that

  656. Zash

    But we can't have SCTP because broken middleboxes

  657. Zash

    And NAT, and all the other things that ruin all nice things

  658. Zash

    Is MPTCP still alive?

  659. moparisthebest

    Link Mauve, like jonas’ said they reinvented multiplexing etc etc

  660. Link Mauve

    So instead we have WebRTC, which is like SCTP over RTP.

  661. Link Mauve

    moparisthebest, but in parallel you mean over multiple TCP connections, or…?

  662. moparisthebest

    http/3 over quic sounds pretty sweet though

  663. moparisthebest

    no just one

  668. moparisthebest

    it's probably just a config option to enable http2 jonas’ you should look at it

  669. Link Mauve

    moparisthebest, what is the difference between that and HTTP/1.1 pipelining then?

  670. moparisthebest

    I assume it's new enough because you support TLS 1.3 :) https://www.ssllabs.com/ssltest/analyze.html?d=search.jabbercat.org&s=2a01%3a4f9%3a2b%3a2c50%3a1010%3a1010%3a0%3a1&latest

  671. jonas’

    Link Mauve, HTTP/2 introduces its own framing on top of TCP

  672. jonas’

    so you’d be requesting resources A B C, and then receive chunks A1 B1 C1 A2 B2 C2 ...

  673. jonas’

    also the server may push you resources of which it expects you to need some

  674. moparisthebest

    https://stackoverflow.com/questions/34478967/what-is-the-difference-between-http-1-1-pipelining-and-http-2-multiplexing I guess, plenty of different search results

  675. Link Mauve

    jonas’, oh, I see.

  676. moparisthebest

    bottom line is, it's far far faster, so turn it on

  677. jonas’

    it’s also much more broken

  678. jonas’

    https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

  679. moparisthebest

    than?

  680. jonas’

    I’m going to wait until the HTTP/2 implementations settle down before deploying that and having yet another headache to deal with

  681. moparisthebest

    http 1.1 pipelining is pretty broken too iirc :) everything is broken

  682. Link Mauve

    The web especially.

  683. jonas’

    https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md#attacks

  684. jonas’

    plenty of good stuff in there

  685. Zash

    jonas’, do the compromise I did on prosody.im, only do HTTP/2 over IPv6

  686. kokonoe has joined

  687. zach has left

  688. zach has joined

  689. Steve Kille has joined

  690. Link Mauve

    jonas’, do you have something set up for i18n for muclumbus yet?

  691. mukt2 has joined

  692. jonas’

    Link Mauve, not really

  693. Alex has left

  694. Alex has joined

  695. mukt2 has left

  696. debacle has left

  697. waqas has joined

  698. waqas has left

  699. APach has joined

  700. Syndace has left

  701. zach has left

  702. zach has joined

  703. aj has left

  704. Nekit has left

  705. mukt2 has joined

  706. APach has left

  707. zach has left

  708. zach has joined

  709. debacle has joined

  710. marc_ has left

  711. mukt2 has left

  712. emus has left

  713. emus has joined

  714. zach has left

  715. zach has joined

  716. mukt2 has joined

  717. Tobias has left

  718. Syndace has joined

  719. Yagiza has left

  720. stpeter has left

  721. peter has left

  722. kokonoe has left

  723. jubalh has joined

  724. zach has left

  725. zach has joined

  726. Tobias has joined

  727. mukt2 has left

  728. stpeter has joined

  729. peter has joined

  730. peter has left

  731. pdurbin has joined

  732. winfried has left

  733. winfried has joined

  734. goffi has joined

  735. zach has left

  736. zach has joined

  737. stpeter has left

  738. pdurbin has left

  739. Wojtek has joined

  740. Yagiza has joined

  741. matkor has left

  742. matkor has joined

  743. j.r has left

  744. j.r has joined

  745. zach has left

  746. zach has joined

  747. marc_ has joined

  748. lovetox has joined

  749. j.r has left

  750. j.r has joined

  751. sonny has left

  752. Wojtek has left

  753. Wojtek has joined

  754. sonny has joined

  755. adiaholic has left

  756. gav has left

  757. adiaholic has joined

  758. Kev has joined

  759. Kev has left

  760. Kev has joined

  761. Kev has left

  762. adiaholic has left

  763. remko has left

  764. LNJ has joined

  765. david has left

  766. zach has left

  767. zach has joined

  768. patrick has joined

  769. zach has left

  770. zach has joined

  771. david has joined

  772. Nekit has joined

  773. wurstsalat has left

  774. wurstsalat has joined

  775. flow has left

  776. flow has joined

  777. flow has left

  778. flow has joined

  779. Yagiza has left

  780. pdurbin has joined

  781. pdurbin has left

  782. typikol has joined

  783. typikol has left

  784. LNJ has left

  785. Syndace has left

  786. Syndace has joined

  787. Wojtek has left

  788. jubalh has left

  789. winfried has left

  790. winfried has joined

  791. jubalh has joined

  792. Maranda has left

  793. Maranda has joined

  794. jubalh has left

  795. peter has joined

  796. stpeter has joined

  797. peter has left

  798. zach has left

  799. zach has joined

  800. Nekit has left

  801. stpeter has left

  802. wurstsalat has left

  803. peter has joined

  804. stpeter has joined

  805. neshtaxmpp has left

  806. neshtaxmpp has joined

  807. goffi has left

  808. Daniel has left

  809. lumi has left

  810. zach has left

  811. zach has joined

  812. Daniel has joined

  813. Daniel has left

  814. waqas has joined

  815. APach has joined

  816. waqas has left

  817. peter has left

  818. matkor has left

  819. matkor has joined

  820. waqas has joined

  821. emus has left

  822. andy has left

  823. stpeter has left

  824. Mikaela has left

  825. lovetox has left

  826. stpeter has joined

  827. peter has joined

  828. sonny has left

  829. sonny has joined

  830. zach has left

  831. zach has joined

  832. kokonoe has joined

  833. patrick has left

  834. Daniel has joined

  835. sonny has left

  836. UsL has left

  837. UsL has joined

  838. peter has left

  839. Daniel has left

  840. Daniel has joined

  841. stpeter has left