in reply to

A couple weeks ago, sknebel asked whether anyone in the #indieweb channel had a chat widget on their website. I used to have a form you could fill out and it would send me an SMS to my candybar phone, and a little while after that I had a prototype of a chat widget that disappeared somewhere along the way. I thought it would be fun to resurrect that idea!

It was quite a bit of a project, but I managed to finish it all in one day! I started from scratch, wanting to implement the widget in pure Javascript with no external dependencies. Between LocalStorage, EventSource, query selectors, and a few other key pieces, the browser APIs have gotten a lot better since the last time I tried this about 7 years ago!

Now when you go to my website, you'll see a chat icon in the bottom corner if I'm online!

If I'm not online, the icon just doesn't appear. The widget knows whether I'm online thanks to a little script that runs on my computer while it's awake.

If you click the icon, a chat window will pop up and you can type into it.

On the backend, this creates a new IRC channel on my private IRC server, and sends me an invitation to join it. It also sends a message to a primary channel with some information about the visitor that just connected, including the URL of the page they were on when they clicked it, their IP address and browser user agent. I don't have any other way to establish their identity other than talking with them.

The whole project is open source, along with some pretty detailed installation instructions. In order to keep the code to a minimum, I used some server-side tools such as the nginx push-stream module.

We'll see if anyone ends up using this to get in touch with me!

The design of the chat window really reminds me of Facebook, from back when I tried Facebook :)

By the way, your wordpress has two indieweb issues currently:

  • notes have type h-as-note (which is unnecessary) but not h-entry (which is absolutely required) — as a result my replies have just a link to your note instead of a nice reply-context;
  • replies to comments are just wordpress comments that have no permalink — as a result my site can’t show them as replies (I guess you could just not use WP comment replies and reply with reply posts deliberately…).

But yeah, I went with a homemade solution. That was… a lot of time spent. Though I did everything in the hardest way possible :D

in reply to

I'm not exactly sure what you mean, but any feedback, ideas, proposals are always appreciated, e.g. on ! Would love to discuss how to integrate the two better.

I mean, an alternative endpoint discovery mechanism — if WebFinger is not available, just fetch the URL and look up links with the remotestorage rel in the Link HTTP header and HTML body, the same way Micropub and Webmention endpoints are discovered.

in reply to

9 years later, I'm blogging again

2 min read

I started my first blog in 2005, only to suspend it in 2008. However, my urge to break the character and formatting limits of Twitter, Mastodon, and short-form status posts in general, has been growing for years now.

So I think it's finally time to blog again. No 10-page thinkpieces, but slightly longer-form thoughts and ideas, plus maybe the occasional essay.

Topics will mostly be decentralized (pardon the Zs) and federated Web and communication technologies. Personally, I'm working on remoteStorage and Kosmos, so expect me to write about those more than about others. Also, I'm concerned both professionally and personally with the Web Platform in general, and installable, offline-capable apps in particular.

Regarding comments: this is my personal IndieWeb-enabled website (running on Known), so if you'd like to reply in long form as well, you can send Webmentions to my post URLs. I'm also syncing comments from Twitter and Facebook back to my site, so if you reply there, it will also be seen here.

So, let's see how this experiment goes!

Update: The RSS feed for just the blog posts (minus status posts and all other content) is located here.

nice! I’ve been thinking about remoteStorage + IndieWeb… would be nice if remoteStorage got an option to use a link rel instead of WebFinger :)

in reply to

This morning, I read an interesting post by Don Williamson about how he removed Disqus comments from his site and moved to hosting his comments on GitHub, using some very creative hacks. Learning about the hacks he used is pretty fun, but I actually found his exploration of Disqus and its aggressive tracking more interesting. On the impact of performance on his site from using Disqus, Don pointed out:

Load-time goes from 6 seconds to 2 seconds.

There are 105 network requests vs. 16.

There are a lot of non-relevant requests going through to networks that will be tracking your movements.

He then goes into detail listing all of the ad networks and trackers that are pulled into a site when Disqus is enabled, and its terrifying: - Obviously! - Multiple requests; no idea who’s capturing your movements. - If you’re logged into Facebook, they know you visit this site. - Google will also map your visits to this site with any of your Google accounts. - LiveRamp identify mapping for harvesting your details for commercial gain. - Identity tracking for marketing campaigns. - Pretty suspect site listed as referenced by viruses and spyware. - More identity and movement tracking site which even has a virus named after it! - We all know this one: ad services and movement tracking, owned by Google. - Very shady and tricky to pin-point an owner as they obsfuscate their domain (I didn’t even know this was a thing!). Adds a tracking pixel to your site. - More tracking garbage, albeit slightly more prolific. - Advertising and tracking that suppposedly uses machine learning. - Obsfuscated advertising/tracking from Rapleaf. - “Deliver a personalized customer journey across devices, channels and platforms with Adbrain customer ID mapping technology.” - Oracle’s Datalogix, their own tracking and behavioural pattern rubbish. - OK, I cant’t be bothered to search to look this up anymore. - More? Oh, ok, then… - Yup. Tracking. - Tracking. From Adobe. - I’ll give you one guess… - … - Curious name, maybe it’s… no. It’s tracking you.


Including third-party JavaScript libraries on my site like choosing a sexual partner: you better know who that third party has been in bed with, or you'll be in for a nasty surprise.

Comments and comment spam are hard. But, that doesn't mean we should turn over control of our interactions to companies that choose to leverage your audience and your data for their own profit. Own your interactions!


That “sexual partner” comparison sounds somewhat inappropriate ;) seriously though, when Troy Hunt complained about non-HTTPS trackers, a Disqus employee showed up and turned tracking off for his site. It sounds like there’s a checkbox that disables the tracking!

in reply to

Even though I only owned an X200 for 3 years, the laptop from 2009 was becoming aged, no matter how many things I replaced on it, so sadly, it was time to look for an alternative.

“The F key are not F, but multimedia by default” you can change that in firmware settings, or temporarily by using the Fn Lock.

The smaller {[ etc. keys — that’s only on the ISO layout! My ANSI X240 has these keys normal sized.

Opening the bottom plastic latches is easy with a plastic card, I’ve opened my X240 several times, never left any opening marks :)

in reply to

Two weeks ago I wrote that I hacked my own site. I think it’s important to share how I did it, to make people more aware of possible vulnerabilities, so they can find them too. If others didn’t write about their findings, I wouldn’t have found this one.

I did my best to reach out to people using the same code. If you are using the Kirby Webmentions plugin or my fork of it, please make sure to update!


As some of you may know, my site supports webmentions. In short, this enables me to show replies underneath my posts, that are written by people on their own site. If you write a reply, link to me, mark it up with Microformats and send a webmention, my site fetches your post and shows it as a reply. I use a service called Bridgy to also receive comments from Twitter and Instagram. All of this is automated and very cool.

However, while very cool, it is also potentially dangerous to show external content on your site. The vulnerability I found is an example of what can go wrong.

If you look around on my site, you see I do not only show the content of the reply, but also a picture of the author, if provided. This is especially nice when showing likes:

This nice overview of likes comes from the Kirby Webmentions plugin by Bastian Allgeier, which I modified a bit.

My server takes the fall

In order to protect visitors of my site from other security issues, the plugin downloads the images and shows those downloaded ones. This way my visitors only deal with my server, and not with the servers of everyone who liked my post. It’s a nice service, but it also means that I move the problem: I now have to handle those images with care on my side. My server takes the fall for my visitors.

The problem is: my server just downloads whatever image you give it. In most cases, this will be a nice avatar I can display for my friendly visitors. But one can think of a case where a not-so-friendly visitor feeds my site something else than an image. The plugin of course checks if it’s an image and rejects files that are not a image, but it’s still worth a try.

So, what did you feed it?

Since my server runs on PHP, the nicest thing for an attacker to feed my server is a PHP-file. That way, you can run whatever code you want on my server, doing all kinds of evil things. However, just straight off feeding my site a PHP-file did not work. The plugin is not crazy. It checked wether the MIME of the file was an image of type jpeg, png or gif. It rejected an image.php file like this:

echo "hi!";

Using image.jpg as filename would fail too: the plugin saw that the file had no MIME of an image, so it did not download it. This was the point where I went to bed with a feeling of security: my site was safe and I could not get a php-script in.

The next day, however, I had second thoughts. I needed a real image for my new plan, so I took a screenshot of a smiley. I then opened it in notepad and added the following to the bottom of the file:

<?php mail(‘’, ‘Seb’, ‘hi’);

I then renamed the file to image.php, because you need the PHP-extension in your file to let the server run your code. The last step was disabling PHP on my test-server, to prevent the test-server from executing the code and send mail me. The code just appeared at the end of the image.

I then made a test-post with a u-like-of set to the URL of a post on my blog, and a p-author h-card with an <img src="/photo.php">. It was a like, with an author and an my bad image.

And it worked.

The server sees the image and checks for the MIME, which was image/jpeg, because it was an image. It then downloaded it, including the un-executed PHP string in the bottom of it. It changed the name of the image into the SHA1-hash of the original image-url, but then it appended the extension of the original file, which was .php!

My server then had a file called a266d629bb26d74752080bb1b95bbd0a488bea53.php, which was linked as an image in my post. Every time I refreshed the page, the snippet of code in the bottom of the file got executed, so it sent an e-mail to me.

In this example, I sent an e-mail, but it could’ve been anything.

How to solve?

First off: check your input! And then check it again. A crucial thing for PHP-files is that they get executed if they have the .php extension, so you should not rely on user input for that. Change the filename and change the extension.

Bastian updated the plugin, so now it does not only check for MIME, but also only accepts files with the extensions jpg, jpeg, png and gif. Only if it has a correct extension, it downloads the file, and it checks MIME twice, both before and after the download. I think it’s locked down pretty well, although it still feels a bit scary.

Aaron Parecki, who did this way of showing likes first, uses an external service for his webmention images, and that’s not a bad idea either. If someone manages to get in something bad, it’s not on your the same server as your site. It could also be a good idea to turn off PHP for your upload folder, if you have that kind of access to your server.

Final words

I really like this webmention plugin! It’s thanks to this plugin that I know IndieWeb and all the wonderful things it brings.

But while the plugin and IndieWeb are nice, it’s also good to keep and eye on security. At this moment, webmention is relatively safe because not many people know about it or use it. Although it can be a lot of fun to have a post of a friend automatically show up beneath your post, we have to be aware of the risks of showing content of external parties.

So, be warned, and have fun.

Yeah, this is the one of the big problems with PHP, and Apache mod_php specifically. You can implement various mitigations (drop an .htaccess into the uploads directory that turns off any script execution?) but the fact that you have to is kinda ridiculous. Pretty much all other web development environments are not based around just running scripts from the same directories where static files are. Heck, Apache’s CGI implementation was better, it only ran code from the /cgi-bin/ subdirectory!

in reply to

Last week, Barry Frost released Micropublish, a Micropub client written in Ruby. It's a very slick interface for posting a few kinds of posts. I noticed that his "category" field looked really nice, and discovered that he was using a Bootstrap plugin called "Token Field". Today I added this plugin to Quill, so now everywhere that you previously had to enter tags as comma-separated values, it's now using this "token field" UI.

I also added a new field to the editor to set the published date of posts. 

All this does is include the date you enter as the published date in the Micropub request. It's up to your site to decide what to do with that. For example if you enter a date in the future, your site can decide to not show future-dated posts in feeds, so you can use this for scheduling posts. Of course if you enter a date in the past you can backdate posts such as when importing posts from an old blog.

Released last week? Oh. I guess I’ve been using the “unreleased” version. Now it has edit/delete/undelete functionality! That’s very nice.

in reply to

Of course things like software quality, bad UX (e.g. still none of the hands-off/continuity features work) are a reason for me: why would I pay the „Apple tax“ if „it simply works“ is no longer true?

Another reason is the hardware, and that's a complex one. On one hand Apple hardware is really good, e.g. the touchpads are the best I know. But on the other hand they do stupid things like soldering the SSD and RAM onto the board or gluing the battery. At least the SSD should not be soldered, as I use my hard disks heavily (due to big databases) it is likely that it breaks before the computer is broken.

Also software freedom is a reason. I like the ideals behind the GNU project and think this is the right way.

But my absolutely main reason is performance. Linux performs so much better... I have a script touching and inserting about 2 million rows, one at a time. My Linux finishes the job within two hours, while my macbook needs six(!!) hours to complete the task. The overall performance is so much better, and disk I/O is in its own league.

Yeah, the “soldered SSD” thing is extremely ridiculous. Like, they’re doing everything to make the laptops thinner, even the “Pro” line. Adding M.2 and SODIMM slots wouldn’t even add that much thickness! And M.2 allows the same performance (NVMe) as soldering the SSD.

By the way, Apple trackpads aren’t that special (until 3d touch, at least). They’re literally just Synaptics, same as in a lot of laptops.

in reply to

In this interesting article Wesley Moore writes about switching away from macOS. He writes about his motivation and reasons:

  • Access to regularly updated, pro hardware.
  • Not restricted to Apple hardware that makes choices that I don’t value, such as:
    • Removing the Esc key.
    • Removing all legacy ports necessitating the use of dongles for everything.
    • Prioritising thinness and weight over everything else.
  • Access to hardware that Apple doesn’t make, such as 2-in-1 laptops.
  • Getting comfortable with an alternative before I’m forced to.
  • The ability to inspect and contribute to the OS I use.
  • Using an OS where developers are first-class citizens.

I can understand his reasons: I for myself have similar problems with Apple nowadays (besides the moral issues). Interestingly he also favors elementary OS:

Elementary is stunning and definitely my favourite. It won’t appeal to everyone but their philosophies and direction really resonate with me.

I'm trying out elementary as well (using it for a week now, I am pretty happy with it), so it was nice to read that somebody else likes it as well - especially since loads of Linux users I know think that this not the way Linux is supposed to be.

I think some people didn’t like how Elementary is asking for money (pay what you want type thing) on the download page for some reason…

Honestly, I recommend not being tied to a particular OS and just, like, using all of them. I have Windows on my desktop, FreeBSD on my laptop, RPi and servers, Arch Linux in a VM… no (actively used) Macs anymore though :D