#indiewebcamp 2013-01-05

2013-01-05 UTC
#
aaronpk
waves from San Francisco
#
aaronpk
tantek: yeah, I'm not sure what he means either
#
tantek
aaronpk - how long you in town?
#
aaronpk
leaving Sunday afternoon
#
tommorris
+1s any protocol-relative URL support.
#
tommorris
Wikipedia switched over to protocol-relative URLs a while back when they rolled out HTTPS support.
#
tommorris
very useful if you have the same resources available on both HTTP and HTTPS. something like a CSS stylesheet: <link href="//en.wikipedia.org/.../whatever.css" rel="stylesheet" />
#
tommorris
will then load using whatever protocol the HTML document was retrieved with.
#
tantek
tommorris, what does protocol relative support mean for the relmeauth / indieauth use case however?
#
tantek
why would you want to enter //tommorris.org/ into a form instead of just tommorris.org and then let http://tommorris.org/ upnegotiate to https://tommorris.org/ if it can.
#
tommorris
no, more that if you have a link to <a href="//twitter.com/t" rel="me">Twitter</a> on tantek.com, it should be able to handle that
#
tantek
ah ok that would make sense
#
tantek
I mean, sort of?
#
tantek
Like in what case does a provider's http(s) usage depend on the indieweb site it's linked from?
#
@robodynamo
.@t Boo :/ RelMeAuth implementations (http://t.co/Wt1x72vP, https://t.co/VIZJCwUs) don't seem to accept protocol-relative URLs #indieweb
#
tantek
so for Twitter, why not always link to "https://twitter.com/t"
#
tommorris
I believe Twitter now require HTTPS
#
tantek
right
#
tantek
regardless of what site the link is on
#
tommorris
well, some people may just have an aesthetic preference for protocol-relative URLs or just like to not have to type the https: or http:
#
tommorris
or there might be a publishing platform that specifically converts things to protocol-relative
#
tantek
but isn't that bad? I mean, if you know your provider supports https, isn't it *better* if you're explicit about the https?
#
tantek
ok, theoretical publishing platform. when someone shows an example of this perhaps we can fix it (wherever makes sense)
#
tantek
personally I think protocol-relative URLs to providers are a *bad idea* and instead you should be explicit about the https when you know they support it.
#
tommorris
I think generally, Postel's law should probably apply here. ;-)
#
tantek
I don't think so. This is security related and thus the sooner an error helps you find a problem in your set-up, the better.
#
tantek
squeaky wheel and all that
#
tommorris
I'm not sure how cross-domain protocol-relative URIs work.
#
tantek
well that's the only point AFAIK
#
tantek
because if it's not cross-domain, then you just use a path-relative URI
#
tantek
starting with "/"
#
tantek
instead of "//"
#
tommorris
well, I know part of the reason we have it at wikipedia is if you log in to, say, wikipedia, a cookie is set for letting you log in to all the other sister sites
#
tantek
but that's different, the TLD is still the same
#
tantek
cookies don't work cross TLDs anyway
#
tommorris
well, it's more that you'd go to https://en.wikipedia.org/, it'd set a cookie for all the HTTPS wikimedia sites, and then you'd be shot off to http://en.wikinews.org and your HTTPS cookies wouldn't work.
#
tantek
I guess I'm having trouble understanding how that affects the RelMeAuth / IndieAuth flow
#
tommorris
it'd be something to check with other URI-based authentication things
#
tommorris
it'd probably be sensible to check how OpenID do it and steal that. ;-)
#
tommorris
I mean, if I put <link href="//tommorris.myopenid.com" … in the head of a page, what that ends up doing.
#
tantek
ok see this is where I'd say that's a *BUG* from a security perspective
#
tantek
and SHOULD (maybe even MUST) be rejected
#
tantek
with an error
#
tantek
indicating to the user that they should change it to:
#
tantek
<link href="https://tommorris.myopenid.com"
#
tantek
explicitly
#
tantek
You're stating a *counter* use-case (a reason for *requiring* explicit https), not a use-case.
#
tantek
(for protocol relative)
#
tommorris
so, according to OpenID2 spec, an OpenID endpoint "MUST be an absolute HTTP or HTTPS URL."
#
tommorris
I'd say there is a compelling case for requiring OpenID providers to be HTTPS only. ;-)
#
tommorris
should probably practice what he preaches and sort out HTTPS for tommorris.org ;-)
#
tantek
tommorris - indieweb HTTPS is certainly a challenge, with all the things you have to get right etc.
#
tantek
please take notes as you sort it out
tantek, danbri, brennannovak, wajiii-afk, danbri__, danbri___, friedcell, barnabywalters, josephboyle, zztr and melvster1 joined the channel
#
melvster1
hello #indieweb
#
melvster1
i just added secure encrypted chat to my homepage ... anyone interested in testing it out?