XSF Discussion - 2019-09-18

  1. zach has left
  2. zach has joined
  3. stpeter has joined
  4. peter has joined
  5. UsL has left
  6. matkor has joined
  7. murabito has left
  8. murabito has joined
  9. UsL has joined
  10. debacle has left
  11. peter has left
  12. jos1264 has joined
  13. kokonoe has left
  14. pdurbin has joined
  15. jos1264 has left
  16. jos1264 has joined
  17. kokonoe has joined
  18. jos1264 has left
  19. mr.fister has left
  20. aj has joined
  21. aj has left
  22. stpeter has left
  23. pdurbin has left
  24. UsL has left
  25. Douglas Terabyte has left
  26. UsL has joined
  27. peter has joined
  28. stpeter has joined
  29. winfried has left
  30. winfried has joined
  31. winfried has left
  32. winfried has joined
  33. matkor has left
  34. matkor has joined
  35. mukt2 has joined
  36. winfried has left
  37. winfried has joined
  38. winfried has left
  39. winfried has joined
  40. mukt2 has left
  41. lskdjf has left
  42. pdurbin has joined
  43. UsL has left
  44. kokonoe has left
  45. UsL has joined
  46. neshtaxmpp has left
  47. neshtaxmpp has joined
  48. Chobbes has left
  49. jabberjocke has joined
  50. peter has left
  51. stpeter has left
  52. zach has left
  53. zach has joined
  54. mukt2 has joined
  55. Yagiza has joined
  56. pdurbin has left
  57. mukt2 has left
  58. andy has left
  59. mukt2 has joined
  60. andy has joined
  61. zach has left
  62. zach has joined
  63. waqas has joined
  64. Douglas Terabyte has joined
  65. mukt2 has left
  66. mukt2 has joined
  67. zach has left
  68. zach has joined
  69. mukt2 has left
  70. Nekit has joined
  71. lumi has joined
  72. mukt2 has joined
  73. Tobias has joined
  74. LNJ has joined
  75. zach has left
  76. zach has joined
  77. Daniel has left
  78. Daniel has joined
  79. mukt2 has left
  80. pdurbin has joined
  81. mukt2 has joined
  82. emus has joined
  83. pdurbin has left
  84. lumi has left
  85. zach has left
  86. zach has joined
  87. karoshi has joined
  88. mukt2 has left
  89. matkor has left
  90. mukt2 has joined
  91. matkor has joined
  92. murabito has left
  93. murabito has joined
  94. zach has left
  95. zach has joined
  96. murabito has left
  97. murabito has joined
  98. waqas has left
  99. jabberjocke has left
  100. jabberjocke has joined
  101. kokonoe has joined
  102. jubalh has joined
  103. kokonoe has left
  104. kokonoe has joined
  105. zach has left
  106. zach has joined
  107. pdurbin has joined
  108. pdurbin has left
  109. j.r has left
  110. kokonoe has left
  111. adiaholic has left
  112. adiaholic has joined
  113. zach has left
  114. zach has joined
  115. kokonoe has joined
  116. gav has joined
  117. kokonoe has left
  118. david has left
  119. mukt2 has left
  120. mukt2 has joined
  121. kokonoe has joined
  122. LNJ has left
  123. jabberjocke has left
  124. jabberjocke has joined
  125. kokonoe has left
  126. adiaholic has left
  127. Alex has left
  128. zach has left
  129. zach has joined
  130. mukt2 has left
  131. Alex has joined
  132. mukt2 has joined
  133. Mikaela has joined
  134. j.r has joined
  135. lovetox_ has joined
  136. COM8 has joined
  137. debacle has joined
  138. zach has left
  139. zach has joined
  140. Steve Kille has left
  141. wurstsalat has joined
  142. jonas’ Daniel, fixed the 500
  143. Steve Kille has joined
  144. Daniel jonas’, thanks. i'm getting a 400 when trying to search
  145. jonas’ Daniel, can you extract the error?
  146. jonas’ because search works for me via curl
  147. jonas’ and in the web ui via browser
  148. jonas’ Daniel, the search API returns a JSON on 400, with a single "error" key
  149. j.r has left
  150. Daniel it says key keywords is required. but i'm 80% i'm setting that. also i haven’t changed the code since it was last working
  151. adiaholic has joined
  152. matkor has left
  153. matkor has joined
  154. LNJ has joined
  155. jonas’ Daniel, I’m not sure how that error can be caused except if "keywords" is actually missing
  156. jonas’ I haven’t touched that code since it was last working either, and it works fine locally with curl
  157. jonas’
$ curl -s \
    --data '{"keywords": ["xsf"]}' \
    -H 'Content-Type: application/json; charset=utf-8' \
    https://search.jabbercat.org/api/1.0/search | jq -C .
  158. jonas’ lovetox_, > jonas the black banner looks a bit boring I agree, do you have ideas on how to fix that? :)
  159. zach has left
  160. zach has joined
  161. lovetox_ no i hate webdesign
  162. jonas’ lovetox_, let me rephrase: If you have a visual idea, I may be able to put it in css/httml :)
  163. jonas’ lovetox_, let me rephrase: If you have a visual idea, I may be able to put it in css/html :)
  164. Ge0rG *cough* https://github.com/horazont/muchopper/issues/15 *cough*
  165. adiaholic has left
  166. pep. Ge0rG: I'd make that search button same height as the input field
  167. jonas’ Ge0rG, I think it might be easy to overlook when integrated in the banner
  168. Ge0rG jonas’: that's possible.
  169. Ge0rG OTOH, having two search boxes is slight overkill
  170. jonas’ but only slight!
  171. COM8 has left
  172. Ge0rG most of the vertical space is taken up by meta.
  173. jonas’ the copy to clipboard will be the first piece of JS on that page, Ge0rG, I hope you feel guilty.
  174. jonas’ the copy to clipboard will be the first piece of JS on the room list page, Ge0rG, I hope you feel guilty.
  175. Daniel jonas’, ok never mind. classic heisenbug. if i log the query before sending it it works
  176. Daniel so it's not you
  177. Ge0rG https://upload.yax.im/upload/kmJi9wW3ylSzcV0P/Screenshot_20190918-100107_Firefox.jpg
  178. zach has left
  179. zach has joined
  180. remko has joined
  181. Ge0rG I wanted to paste that screenshot earlier, but yaxim was crashing due to my incorrect use of some StringUtils API
  182. lovetox_ jonas’ how to whitelist an avatar?
  183. jonas’ lovetox_, ask me
  184. jonas’ it’s documented in the For Owners documentation section
  185. pdurbin has joined
  186. lovetox_ ok thanks i see you already whitelisted gajim
  187. jonas’ lovetox_, I had it whitelisted yesterday on launch already, it just took the bot a while to re-scan the gajim muc :)
  188. Ge0rG damn, so now I need to load the prosody module after all.
  189. Ge0rG And also set the ~horny pe~ yak logo
  190. Ge0rG jonas’: great work!
  191. jonas’ Ge0rG, reload the page
  192. jonas’ and hover over an entry
  193. lovetox_ link styling looks a bit weird
  194. Ge0rG jonas’: nothing happens?
  195. lovetox_ i would remove these dots
  196. Ge0rG "hover" is not an option on mobile, but then you should probably have a handler for xmpp: there
  197. jonas’ Ge0rG, yeah, that was my line of thought
  198. COM8 has joined
  199. jonas’ oh, I forgot to confirm the pull on the live instance. Ge0rG retry
  200. matkor has left
  201. Ge0rG jonas’: awesome! I'd just add a space before the clipboard character.
  202. mukt2 has left
  203. jonas’ there is a space there?
  204. jonas’ maybe hard-reload your things
  205. jonas’ (it’s a margin-left: 0.5em)
  206. lovetox_ would it not be better to copy the xmpp:xx?join link?
  207. jonas’ lovetox_, you can right-click -> copy link address for that one
  208. winfried has left
  209. Ge0rG lovetox_: no
  210. winfried has joined
  211. Ge0rG jonas’: ah, I had some intermediate version
  212. Ge0rG jonas’: after clicking the clipboard, it remains visible and marked until you click somewhere
  213. jonas’ intentional
  214. jonas’ to a certain extent
  215. jonas’ I want it to be visible while focused so that it can be reached and used with tab
  216. jonas’ that’s the price to pay for that, I guess
  217. Ge0rG so what do I need on prosody 0.11 for MUC avatars?
  218. j.r has joined
  219. jonas’ Ge0rG, also, reload and retry that click thing
  220. larma has left
  221. Zash Ge0rG: There's a community module of course.
  222. Ge0rG lovetox_: http://paste.debian.net/1101390/ :(
  223. Zash Tho technically possible to only use the included mod_vcard, but then it's read-only and you'd have to manually add the data.
  224. Ge0rG jonas’: much better now
  225. Ge0rG Zash: | /usr/lib/prosody/modules/mod_a community module.lua: No such file or directory
  226. lovetox_ yeah Ge0rG i really don't have a solution for that yet
  227. lovetox_ i want to parse/validate jids in the xmpp lib
  228. lovetox_ but on encountering invalid ones, I'm not sure what to do
  229. Ge0rG lovetox_: don't crash the xml stream.
  230. jonas’ Ge0rG, wanna tell me what you want to have whitelisted?
  231. wurstsalat has left
  232. Ge0rG jonas’: chat.yax.im
  233. wurstsalat has joined
  234. jonas’ no
  235. jonas’ yaxim@chat.yax.im?
  236. Ge0rG jonas’: the first four of https://search.jabbercat.org/search?q=chat.yax.im
  237. Ge0rG maybe also test@chat.yax.im - if you dare
  238. lovetox_ yeah Ge0rG but that's not so easy, on the other side, server should not send messages from invalid jids
  239. lovetox_ 🙂
  240. jonas’ the new copy button is super-convenient! :)
  241. larma has joined
  242. jonas’ the new copy button is super-convenient for building the white-list! :)
  243. pdurbin has left
  244. Ge0rG lovetox_: 🤖 will disagree with you.
  245. jonas’ https://search.jabbercat.org/search?q=xmpp-de the second hit is amusing
  246. COM8 has left
  247. Ge0rG lovetox_: from the stacktrace it seems that it's a JID in my roster, ♥@ツ.op-co.de - so that Gajim will never properly connect to my account again
  248. lovetox_ are you saying this is a valid localpart?
  249. COM8 has joined
  250. matkor has joined
  251. lovetox_ don't think it's the roster to be honest, it's a stanza where the from attr has an invalid jid
  252. lovetox_ roster pushes are from your server, not from contacts
  253. j.r has left
  254. Ge0rG Maybe it's presence unavailable then?
  255. lovetox_ maybe, i will fix that later if i have time
  256. Ge0rG lovetox_: I'm not saying that it's a valid JID (I don't know), but I'm saying that it's accepted by my server, and thus shouldn't crash my client.
  257. lovetox_ but server should really get going with precis
  258. Ge0rG Because it's a cheap DoS otherwise.
  259. Ge0rG lovetox_: we've had that recently. It should be enforced by the server that's authoritative for the JID.
  260. lovetox_ that's not an argument, rfc says jids MUST be validated by server
  261. Ge0rG If it doesn't, you are rather out of luck
  262. j.r has joined
  263. Ge0rG lovetox_: okay, but there are different unicode versions and different xmpp versions. And now everybody can crash your client by sending something from an illegal JID
  264. zach has left
  265. zach has joined
  266. lovetox_ this local part was allowed once? they really updated the rfc so that already existing accounts got invalid?
  267. Ge0rG Where "illegal" depends on your python version, your server version and the position of the moon.
  268. lovetox_ sounds weird
  269. Ge0rG NodePrep and PRECIS aren't an exact match, so you are guaranteed to end up with illegal JIDs _somewhere_
  270. lovetox_ yeah, i will try to fix that 🙂
  271. Zash It's likely that U2665 is undefined in Unicode 3.2 which NodePrep uses.
  272. Zash libidn defaults to allowing undefined characters, and thus Prosody does too.
  273. lovetox_ Ge0rG keep that jid, when i have a fix then you can test if it's working 🙂
  274. Ge0rG lovetox_: feel free to add it to your roster
  275. lovetox_ would need a client that allows that, Gajim does not 😃
  276. jonas’ lovetox_, https://mailarchive.ietf.org/arch/msg/xmpp/a-WhzOTyOq168GujQHgzQ1-DURI for an idea of how deep the mess is we’re in
  277. Ge0rG &
  278. lovetox_ no i write a test for the xmpp lib 🙂
  279. lumi has joined
  280. murabito has left
  281. murabito has joined
  282. j.r has left
  283. lovetox_ genius all undefined characters are allowed 😃
  284. j.r has joined
  285. debacle has left
  286. COM8 has left
  287. mukt2 has joined
  288. jubalh has left
  289. murabito has left
  290. murabito has joined
  291. jubalh has joined
  292. Mikaela has left
  293. Mikaela has joined
  294. mukt2 has left
  295. neshtaxmpp has left
  296. neshtaxmpp has joined
  297. mukt2 has joined
  298. j.r has left
  299. j.r has joined
  300. flow lovetox_, not by the relevant PRECIS profile. I would suggest to remove the faulty stanza from the stream as first course of action
  301. pdurbin has joined
  302. jubalh has left
  303. adiaholic has joined
  304. debacle has joined
  305. adiaholic has left
  306. adiaholic has joined
  307. j.r has left
  308. j.r has joined
  309. jubalh has joined
  310. neshtaxmpp has left
  311. neshtaxmpp has joined
  312. neshtaxmpp has left
  313. neshtaxmpp has joined
  314. winfried has left
  315. winfried has joined
  316. pdurbin has left
  317. jubalh has left
  318. winfried has left
  319. winfried has joined
  320. mukt2 has left
  321. murabito has left
  322. murabito has joined
  323. zach has left
  324. zach has joined
  325. lskdjf has joined
  326. lovetox_ has left
  327. lovetox_ has joined
  328. lovetox_ has left
  329. lovetox_ has joined
  330. kokonoe has joined
  331. mukt2 has joined
  332. kokonoe has left
  333. murabito has left
  334. murabito has joined
  335. kokonoe has joined
  336. jubalh has joined
  337. Chobbes has joined
  338. kokonoe has left
  339. kokonoe has joined
  340. murabito has left
  341. murabito has joined
  342. Chobbes has left
  343. Chobbes has joined
  344. Chobbes has left
  345. Chobbes has joined
  346. kokonoe has left
  347. LNJ has left
  348. pep. https://github.com/xsf/xeps/pull/827 is this some kind of joke? :x
  349. sonny yes, sorry I couldn't resist
  350. Zash pep.: Read the rest of the XEP
  351. zach has left
  352. zach has joined
  353. pep. Zash: I know the xep, I implement it in my rot13 and b64 plugins for poezio.
  354. jubalh has left
  355. murabito has left
  356. murabito has joined
  357. adiaholic has left
  358. adiaholic has joined
  359. Chobbes has left
  360. sonny and it still wasn't clear my comment was a joke? I should be more careful 🙂
  361. lovetox_ has left
  362. COM8 has joined
  363. murabito has left
  364. murabito has joined
  365. krauq has left
  366. krauq has joined
  367. COM8 has left
  368. COM8 has joined
  369. COM8 has left
  370. COM8 has joined
  371. Chobbes has joined
  372. kokonoe has joined
  373. krauq has left
  374. krauq has joined
  375. murabito has left
  376. marc_ has left
  377. murabito has joined
  378. mukt2 has left
  379. marc_ has joined
  380. mukt2 has joined
  381. Chobbes has left
  382. COM8 has left
  383. COM8 has joined
  384. COM8 has left
  385. zach has left
  386. zach has joined
  387. marc_ has left
  388. murabito has left
  389. murabito has joined
  390. LNJ has joined
  391. j.r has left
  392. COM8 has joined
  393. jubalh has joined
  394. COM8 has left
  395. j.r has joined
  396. Kev has joined
  397. murabito has left
  398. murabito has joined
  399. zach has left
  400. zach has joined
  401. Chobbes has joined
  402. Kev has left
  403. murabito has left
  404. murabito has joined
  405. murabito has left
  406. murabito has joined
  407. jubalh has left
  408. zach has left
  409. zach has joined
  410. j.r has left
  411. COM8 has joined
  412. COM8 has left
  413. COM8 has joined
  414. COM8 has left
  415. jubalh has joined
  416. murabito has left
  417. murabito has joined
  418. Chobbes has left
  419. COM8 has joined
  420. COM8 has left
  421. j.r has joined
  422. jubalh has left
  423. COM8 has joined
  424. murabito has left
  425. murabito has joined
  426. COM8 has left
  427. zach has left
  428. zach has joined
  429. jubalh has joined
  430. murabito has left
  431. murabito has joined
  432. COM8 has joined
  433. marc_ has joined
  434. COM8 has left
  435. kokonoe has left
  436. COM8 has joined
  437. COM8 has left
  438. zach has left
  439. zach has joined
  440. mukt2 has left
  441. mukt2 has joined
  442. emus has left
  443. COM8 has joined
  444. kokonoe has joined
  445. COM8 has left
  446. emus has joined
  447. j.r has left
  448. mukt2 has left
  449. kokonoe has left
  450. murabito has left
  451. murabito has joined
  452. mukt2 has joined
  453. zach has left
  454. zach has joined
  455. COM8 has joined
  456. j.r has joined
  457. COM8 has left
  458. pdurbin has joined
  459. pdurbin has left
  460. mukt2 has left
  461. COM8 has joined
  462. j.r has left
  463. COM8 has left
  464. LNJ has left
  465. Chobbes has joined
  466. COM8 has joined
  467. COM8 has left
  468. j.r has joined
  469. zach has left
  470. zach has joined
  471. mukt2 has joined
  472. COM8 has joined
  473. COM8 has left
  474. stpeter has joined
  475. peter has joined
  476. Chobbes has left
  477. COM8 has joined
  478. zach has left
  479. zach has joined
  480. david has joined
  481. COM8 has left
  482. waqas has joined
  483. Link Mauve “07:45:33 flow> Link Mauve, that C&C Renegade remake?”, yes, they are using XMPP for their lobby thing now.
  484. Link Mauve Not for the actual game (yet?).
  485. Link Mauve “18:47:16 Zash> Are there clients that still fail if you stop advertising <session/>?”, IIRC libpurple did.
  486. zach has left
  487. zach has joined
  488. Link Mauve That’s second-hand experience from IIRC Maranda.
  489. jonas’ excellent, so if we ever want to move past pidgin, that’s how.
  490. Zash Confirmed. "Error initializing session" it says.
  491. Zash It's sending the session thing even if it's not advertised.
  492. MattJ When we added <optional> there were definitely other clients that failed too
  493. MattJ I think one was Psi/Gajim, and probably some other that is extinct these days
  494. MattJ and clients couldn't just drop it, because ejabberd had weird behaviour if you didn't do it
  495. MattJ even though it is, and always was, a no-op in Prosody
  496. jonas’ yeah, weeiiiird behaviour
  497. MattJ iirc it would let you log in, but timeout your session after some time
  498. MattJ even though you were using it fine
  499. jonas’ I’m pretty sure I was unable to send stanzas
  500. jonas’ otherwise I would probably not have noticed when developing aioxmpp
  501. wojtek has joined
  502. jonas’ unfortunately, that was back in 2015 where I wasn’t as good at commit message writing as I’m now, so the error behaviour is lost in history
  503. Daniel i vaguely remember not being able to send and receive messages or something
  504. Daniel more than a subtle 'will log you out at some point'
  505. mukt2 has left
  506. Link Mauve jonas’, could you also whitelist SVGs from chat.jabberfr.org on muclumbus?
  507. jonas’ Link Mauve, SVGs are not supported
  508. jonas’ Link Mauve, and I generally only white-list single rooms where I trust the owners or domains where only admins can create rooms (and I trust the admins to a certain extent)
  509. Ge0rG jonas’: but then again, you trust *me*
  510. mukt2 has joined
  511. Daniel jonas’: are the avatars going to be exposed over the api as well?
  512. Holger MattJ, Daniel, jonas': FWIW yes back then you got no error from ejabberd when sending random stanzas while it was waiting for `<session/>`, but you'd neither be able to send nor receive anything. You also shouldn't time out though as long as you do send random crap :-)
  513. zach has left
  514. zach has joined
  515. mukt2 has left
  516. Link Mauve jonas’, why do you limit it to ¬SVG?
  517. mukt2 has joined
  518. Link Mauve jonas’, once you start supporting SVG, you can whitelist the first 12 entries here: https://search.jabbercat.org/search?q=chat.jabberfr.org
  519. Link Mauve And also the first four here: https://search.jabbercat.org/search?q=chat.khaganat.net
  520. wojtek has left
  521. Zash Hm, why don't we have 157 for individual rooms?
  522. Ge0rG Why don't we have 157 for individual users?
  523. adiaholic has left
  524. adiaholic has joined
  525. aj has joined
  526. mukt2 has left
  527. waqas has left
  528. jonas’ Link Mauve, I limit it to PNG and JPEG to be precise
  529. Link Mauve Any reason for that?
  530. jonas’ Link Mauve, rescaling
  531. MattJ I heard SVG has trouble with that
  532. Link Mauve It’s free to do in the browser with SVG.
  533. jonas’ and embedding SVG would require a separate domain to prevent any funny javascript attacks in SVG
  534. jonas’ or at least a CSP
  535. Link Mauve jonas’, use <img/> instead of embedding it.
  536. jonas’ all things I don’t know about
  537. jonas’ Link Mauve, will that stop it from executing scripts?
  538. Link Mauve Yes.
  539. jonas’ are you sure? if so, why?
  540. Link Mauve Yes I am; because images are expected since about forever to not contain scripts.
  541. jonas’ yeah well, I expect the web to be sane since forever and it isn’t
  542. Link Mauve And browsers would be very cautious to not open such a huge hole that can even do cross-site things.
  543. zach has left
  544. zach has joined
  545. jonas’ they have traditionally done that, I don’t trust browsers
  546. moparisthebest I was fairly confident SVGs even with image could execute javascript
  547. Link Mauve For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL.
  548. jonas’ Link Mauve, am I still safe when I use the SVG as background-image?
  549. Link Mauve jonas’, yes, it also is in an image context.
  550. Link Mauve moparisthebest, do you have a link to an attack description?
  551. Link Mauve jonas’, what isn’t would be to use <object/> or <embed/> or <iframe/>.
  552. MattJ jonas’, https://www.w3.org/wiki/SVG_Security
  553. jonas’ MattJ, thanks
  554. moparisthebest yea if browsers actually implement it like that it should be safe, neat
  555. Seve >For instance example.org has an <img src="https://evil.com/image.png"> on some page, now evil.com starts serving a SVG containing a script at this URL. Haven't you said earlier to use <img/>?
  556. Link Mauve Seve, yes.
  557. Seve Ah you mean nothing would happen if that is the case
  558. Link Mauve Yes, this story is about as obvious as it could be, and the reason why browsers took so long to accept SVG in image contexts.
  559. moparisthebest jonas’ is still right though in that if someone links to https://somedomain.com/evil.svg that'll still execute javascript and be able to steal cookies and XSS from somedomain.com, so if you allow SVG uploads, you need different domain or CSP or similar
  560. MattJ Right-click->View Image
  561. Link Mauve Or a data: URI.
  562. Link Mauve Or a Blob.
  563. Link Mauve Or any of the various mechanisms that aren’t tied to the domain.
  564. Link Mauve (CSP is very good.)
  565. j.r has left
  566. j.r has joined
  567. adiaholic has left
  568. jonas’ moparisthebest, thanks, good point
  569. jonas’ a CSP it is
  570. jonas’ the sane thing would be to disable all script things for the avatar endpoint?
  571. adiaholic has joined
  572. Link Mauve Probably also all external CSS.
  573. jonas’ everything
  574. jonas’ how do I do that?
  575. Ge0rG Just burn the web. With napalm
  576. Link Mauve At JabberFR, for our HTTP File Upload domain, we use: Content-Security-Policy: frame-ancestors 'none'; default-src 'none'; img-src 'self'; media-src 'self'; report-uri /report-csp-violation
  577. Link Mauve I should add style-src 'self'.
  578. Ge0rG Link Mauve: do you have a csp violation listener at /?
  579. j.r has left
  580. j.r has joined
  581. Zash
~$ ssh snikket2
~$ more /etc/nginx/snippets/csp-strict.conf
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'";
  582. Link Mauve Ge0rG, yes.
  583. Link Mauve For every domain.
  584. moparisthebest for a site like yours jonas’ I'd probably just disable everything with CSP, then enable as you need
  585. jonas’ yeah
  586. Link Mauve That’s default-src 'none'.
  587. Ge0rG Link Mauve: what's the implementation you are using?
  588. Ge0rG is asking for a friend
  589. jubalh has left
  590. jonas’ default-src 'none'; seems to still allow SVG to be rendered
  591. Link Mauve Ge0rG, the one which uses a ton of memory.
  592. Zash It's funny when you disable the CSS in SVG.
  593. Ge0rG Link Mauve: ejabberd?
  594. Link Mauve Zash, yes, which is why you should also have style-src 'unsafe-inline'.
  595. Link Mauve Ge0rG, ah no, Prosody.
  596. Link Mauve With the mod_http_upload community module.
  597. Ge0rG Link Mauve: prosody is a csp violation reporting tool?
  598. jonas’ Link Mauve, > frame-ancestors 'none'; default-src 'none'; style-src 'unsafe-inline';
  599. jonas’ does that sound good?
  600. Link Mauve jonas’, sounds nice yeah.
  601. Link Mauve You may want to add a listener so that you know what your users are being prevented from fetching, at least for a short while.
  602. jonas’ ... nah :)
  603. jonas’ I only set it on the avatar endpoint
  604. jonas’ people will complain when their avatars aren’t working
  605. Link Mauve Ge0rG, ah no, I’m using one which sends them to my JID.
  606. Link Mauve Let me figure it out.
  607. Link Mauve pep., do you remember where I put it?
  608. mukt2 has joined
  609. adiaholic has left
  610. jonas’ Link Mauve, https://search.jabbercat.org/search?q=jabberfr
  611. jonas’ the others will be updated when the scanner gets to them
  612. Link Mauve \o/
  613. Link Mauve I should add the new muc#roominfo_webchat_url thing we are going to accept shortly. ^^
  614. Link Mauve Since we also have that.
  615. Link Mauve https://chat.jabberfr.org/ could use an emoji instead of a SVG now, for the join bubble.
  616. jonas’ indeed
  617. jonas’ thinking of directly embedding small avatars as data URLs for faster loading
  618. jonas’ thinking of directly embedding small avatars as data URIs for faster loading
  619. winfried has left
  620. winfried has joined
  621. jonas’ not sure how to write the query so that it only fetches the avatar from the database for the result list if it’s small enough
  622. zach has left
  623. zach has joined
  624. Link Mauve Indeed, on just chat.jabberfr.org it takes about 700ms for me to download every SVG.
  625. jonas’ to the SQL console!
  626. jonas’ ugh, the only standard-SQL-way of doing it might be with a self-join
  627. jonas’ hm, however, doing that would break caching
  628. moparisthebest another column that's only non-null if small enough? :/
  629. jonas’ in postgres, I can do: select mime_type, case when length(data) < 16384 then data else null end from avatar;
  630. jonas’ but locally I’m testing with sqlite, soo....
  631. adiaholic has joined
  632. jonas’ oh, sqlite also has case
  633. moparisthebest was going to say I feel like that should work in sqlite
  634. jonas’ and sqlalchemy supports it, too
  635. jonas’ now the question is, does it even make sense to embed the avatars?
  636. jonas’ right now, we send a 304 for avatars if they’re still cached on the client
  637. jonas’ we can’t do that for the result page
  638. jonas’ so we’d send all avatars of a page to the client, inefficiently base64-encoded
  639. jonas’ every time, since they can’t benefit from caching
  640. moparisthebest you'd probably get more benefit from supporting http/2
  641. adiaholic has left
  642. adiaholic has joined
  643. jonas’ tell that to apache
  644. moparisthebest because then browser could request all the images over one connection at the same time etc
  645. moparisthebest apache surely supports http/2 by now?
  646. jonas’ dunno
  647. jonas’ if it isn’t on by default, I don’t bother
  648. Link Mauve moparisthebest, they already can with HTTP/1.1.
  649. moparisthebest not in parallel though?
  650. jonas’ SVG support brought a few new avatars to the listing
  651. jonas’ HTTP/2 seems to be a clusterfuck regarding the parallelism anyways. no idea why they thought it’d be a good idea to re-implement multiplexing which we already have with TCP
  652. Zash jonas’, itym SCTP
  653. Link Mauve moparisthebest, how does HTTP/2 do that?
  654. moparisthebest maybe, I mean http/3 is coming, but regardless it's still way faster for browsers
  655. jonas’ or that
  656. Zash But we can't have SCTP because broken middleboxes
  657. Zash And NAT, and all the other things that ruin all nice things
  658. Zash Is MPTCP still alive?
  659. moparisthebest Link Mauve, like jonas’ said they reinvented multiplexing etc etc
  660. Link Mauve So instead we have WebRTC, which is like SCTP over RTP.
  661. Link Mauve moparisthebest, but in parallel you mean over multiple TCP connections, or…?
  662. moparisthebest http/3 over quic sounds pretty sweet though
  663. moparisthebest no just one
  664. mukt2 has left
  665. winfried has left
  666. Steve Kille has left
  667. winfried has joined
  668. moparisthebest it's probably just a config option to enable http2 jonas’ you should look at it
  669. Link Mauve moparisthebest, what is the difference between that and HTTP/1.1 pipelining then?
  670. moparisthebest I assume it's new enough because you support TLS 1.3 :) https://www.ssllabs.com/ssltest/analyze.html?d=search.jabbercat.org&s=2a01%3a4f9%3a2b%3a2c50%3a1010%3a1010%3a0%3a1&latest
  671. jonas’ Link Mauve, HTTP/2 introduces its own framing on top of TCP
  672. jonas’ so you’d be requesting resources A B C, and then receive chunks A1 B1 C1 A2 B2 C2 ...
  673. jonas’ also the server may push you resources of which it expects you to need some
  674. moparisthebest https://stackoverflow.com/questions/34478967/what-is-the-difference-between-http-1-1-pipelining-and-http-2-multiplexing I guess, plenty of different search results
  675. Link Mauve jonas’, oh, I see.
  676. moparisthebest bottom line is, it's far far faster, so turn it on
  677. jonas’ it’s also much more broken
  678. jonas’ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  679. moparisthebest than ?
  680. jonas’ I’m going to wait until the HTTP/2 implementations settle down before deploying that and having yet another headache to deal with
  681. moparisthebest http 1.1 pipelining is pretty broken too iirc :) everything is broken
  682. Link Mauve The web especially.
  683. jonas’ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md#attacks
  684. jonas’ plenty of good stuff in there
  685. Zash jonas’, do the compromise I did on prosody.im, only do HTTP/2 over IPv6
  686. kokonoe has joined
  687. zach has left
  688. zach has joined
  689. Steve Kille has joined
  690. Link Mauve jonas’, do you have something setup for i18n for muclumbus yet?
  691. mukt2 has joined
  692. jonas’ Link Mauve, not really
  693. Alex has left
  694. Alex has joined
  695. mukt2 has left
  696. debacle has left
  697. waqas has joined
  698. waqas has left
  699. APach has joined
  700. Syndace has left
  701. zach has left
  702. zach has joined
  703. aj has left
  704. Nekit has left
  705. mukt2 has joined
  706. APach has left
  707. zach has left
  708. zach has joined
  709. debacle has joined
  710. marc_ has left
  711. mukt2 has left
  712. emus has left
  713. emus has joined
  714. zach has left
  715. zach has joined
  716. mukt2 has joined
  717. Tobias has left
  718. Syndace has joined
  719. Yagiza has left
  720. stpeter has left
  721. peter has left
  722. kokonoe has left
  723. jubalh has joined
  724. zach has left
  725. zach has joined
  726. Tobias has joined
  727. mukt2 has left
  728. stpeter has joined
  729. peter has joined
  730. peter has left
  731. pdurbin has joined
  732. winfried has left
  733. winfried has joined
  734. goffi has joined
  735. zach has left
  736. zach has joined
  737. stpeter has left
  738. pdurbin has left
  739. Wojtek has joined
  740. Yagiza has joined
  741. matkor has left
  742. matkor has joined
  743. j.r has left
  744. j.r has joined
  745. zach has left
  746. zach has joined
  747. marc_ has joined
  748. lovetox has joined
  749. j.r has left
  750. j.r has joined
  751. sonny has left
  752. Wojtek has left
  753. Wojtek has joined
  754. sonny has joined
  755. adiaholic has left
  756. gav has left
  757. adiaholic has joined
  758. Kev has joined
  759. Kev has left
  760. Kev has joined
  761. Kev has left
  762. adiaholic has left
  763. remko has left
  764. LNJ has joined
  765. david has left
  766. zach has left
  767. zach has joined
  768. patrick has joined
  769. zach has left
  770. zach has joined
  771. david has joined
  772. Nekit has joined
  773. wurstsalat has left
  774. wurstsalat has joined
  775. flow has left
  776. flow has joined
  777. flow has left
  778. flow has joined
  779. Yagiza has left
  780. pdurbin has joined
  781. pdurbin has left
  782. typikol has joined
  783. typikol has left
  784. LNJ has left
  785. Syndace has left
  786. Syndace has joined
  787. Wojtek has left
  788. jubalh has left
  789. winfried has left
  790. winfried has joined
  791. jubalh has joined
  792. Maranda has left
  793. Maranda has joined
  794. jubalh has left
  795. peter has joined
  796. stpeter has joined
  797. peter has left
  798. zach has left
  799. zach has joined
  800. Nekit has left
  801. stpeter has left
  802. wurstsalat has left
  803. peter has joined
  804. stpeter has joined
  805. neshtaxmpp has left
  806. neshtaxmpp has joined
  807. goffi has left
  808. Daniel has left
  809. lumi has left
  810. zach has left
  811. zach has joined
  812. Daniel has joined
  813. Daniel has left
  814. waqas has joined
  815. APach has joined
  816. waqas has left
  817. peter has left
  818. matkor has left
  819. matkor has joined
  820. waqas has joined
  821. emus has left
  822. andy has left
  823. stpeter has left
  824. Mikaela has left
  825. lovetox has left
  826. stpeter has joined
  827. peter has joined
  828. sonny has left
  829. sonny has joined
  830. zach has left
  831. zach has joined
  832. kokonoe has joined
  833. patrick has left
  834. Daniel has joined
  835. sonny has left
  836. UsL has left
  837. UsL has joined
  838. peter has left
  839. Daniel has left
  840. Daniel has joined
  841. stpeter has left