Hey, all. I need some Web programming help.
As some of you know, the URL form of our Webfinger handles here on the Fediverse use the prefix `acct`, like `acct:evan@cosocial.ca`.
It would be great to have Web apps that can accept `acct` URLs as input and show you the information about that Fediverse account. So if you link to someone with their Webfinger handle, clicking it would take you to your Mastodon client or a dedicated app just for reviewing these accounts.
There's a cool feature called `registerProtocolHandler` in Web browsers that makes this possible.
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler
Unfortunately, `acct` is not one of the prefixes that can be used that way. I'd like to ask the WHATWG to add it to the list of protocols that can be used, but I wanted to have a demonstration app first that would show it. So, I made a site to test out the registration. I couldn't use `acct`, so I made it work with `web+acct`, which is how you can work with protocols not on the allow list.
I was able to get the functionality working OK, but not great. I'd like to have a better interface, but it will pull a Webfinger account and show your profile information.
Unfortunately, the demo Web site that this code runs on was up for like 36 hours before I started getting this scary message in Chrome.
It's still possible to get there, I guess.
If you'd like to see, you can click here. I'd recommend using an incognito window or something, just to be sure. Don't click links with security warnings just because someone asks you to nicely!
Anyway, the only two things exceptional about this site are that it fetches Webfinger and ActivityPub data (not that exceptional) and that it uses `registerProtocolHandler`.
I would like to know how to use that feature without going to Chrome jail.
I registered with Google Search Console for *.swf.pub, and it tells me there's a security issue.
"Detected issues: Deceptive pages. These pages attempt to trick users into doing something dangerous, such as installing unwanted software or revealing personal information."
There's a link to a description here:
https://support.google.com/webmasters/answer/9044101#zippy=%2Cdeceptive-pages
I don't know if this feature is going to work if every Fediverse service will need to go through a security audit to allow handling a protocol.
Anyway, I think I'm going to work on the presentation so it at least looks better, then get a security audit. Hopefully it becomes less of a scary minefield.
@seth False positive. It's an example Web app with like 200 lines of code.
@evan is it a false positive? Or did you find that a hacker was in there?
@tony Yeah, I need to figure out a way around CORS. It's all running in the browser right now, so the fetch() call is failing on your site. I think the "right" thing to do is to proxy a call through a back-end server, but that would mean a lot more work for this teensy demo.
@evan web+acct links are URL encoded on opening, e.g. https://acct.swf.pub/#web%2Bacct%3Aevan%40cosocial.ca
Which just returns a blank page.
Only Chrome thinks it's dangerous though; Firefox works.
In my username it just says 'failed to fetch', but maybe I'm expecting too much of an example :p
@mradcliffe Nice to know!
fetch can be used without CORS setting mode to "no-cors", which should work for a GET, but may get rejected by the server, @evan.
```javascript
const response = await fetch(
  'https://example.com/.well-known/webfinger?resource=acct:example@example.com',
  { mode: 'no-cors' }
);
```
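Added example (editor's code, not the demo site's or anyone's in the thread) tying together the three things discussed above: registering a `web+acct` handler, decoding the percent-encoded handle the browser puts into the `%s` slot (the `#web%2Bacct%3Aevan%40cosocial.ca` case), and doing the WebFinger lookup. It assumes the handler page lives at `https://acct.swf.pub/` and takes the handle in the URL fragment; the JRD document in the usage note is constructed. Two things the snippet checks that the thread only hints at: `mode: 'no-cors'` gives you an opaque response whose body you cannot read, so the lookup keeps the default CORS mode and reports failure instead, and the returned JRD is only trusted if its `subject` or `aliases` actually names the account you asked for.

```javascript
// Added example: a minimal web+acct handler page (assumed host: https://acct.swf.pub).

// 1. Registration. Browsers only accept custom schemes with the "web+" prefix; the
//    handler URL must contain %s and be same-origin with the page calling this.
function registerAcctHandler(handlerUrl = 'https://acct.swf.pub/#%s') {
  if (typeof navigator === 'undefined' || !navigator.registerProtocolHandler) {
    return false; // not a browser (e.g. Node), nothing to register
  }
  navigator.registerProtocolHandler('web+acct', handlerUrl);
  return true;
}

// 2. Parsing. The clicked URL is substituted into %s percent-encoded, so the
//    fragment arrives as "#web%2Bacct%3Aevan%40cosocial.ca". Decode first, then
//    accept either web+acct: or plain acct: (for when acct is on the allow list).
//    Anything else (javascript:, http:, garbage) is rejected, not rendered.
const HANDLE_RE = /^(?:web\+)?acct:([^@\s/]+)@([A-Za-z0-9.-]+)$/;

function parseAcctFragment(fragment) {
  let raw;
  try {
    raw = decodeURIComponent(fragment.replace(/^#/, ''));
  } catch {
    return null; // malformed percent-encoding
  }
  const m = HANDLE_RE.exec(raw);
  if (!m) return null;
  const user = m[1];
  const host = m[2].toLowerCase();
  return { user, host, resource: `acct:${user}@${host}` };
}

// 3. WebFinger endpoint: https://<host>/.well-known/webfinger?resource=acct:user@host
//    URLSearchParams percent-encodes ':' and '@' for us.
function webfingerUrl(handle) {
  const u = new URL(`https://${handle.host}/.well-known/webfinger`);
  u.searchParams.set('resource', handle.resource);
  return u.toString();
}

// 4. Lookup. A cross-origin fetch only succeeds if the server sends
//    Access-Control-Allow-Origin on /.well-known/webfinger. With mode 'no-cors'
//    the response would be opaque (status 0, unreadable body), so we keep the
//    default 'cors' mode and surface the failure instead. fetchImpl is injectable
//    so the lookup can be exercised offline.
async function lookupAcct(fragment, fetchImpl = globalThis.fetch) {
  const handle = parseAcctFragment(fragment);
  if (!handle) return { ok: false, error: 'not a web+acct: or acct: URI' };
  let res;
  try {
    res = await fetchImpl(webfingerUrl(handle), {
      headers: { Accept: 'application/jrd+json' },
    });
  } catch (e) {
    return { ok: false, handle, error: `fetch failed (CORS or network): ${e.message}` };
  }
  if (!res.ok) return { ok: false, handle, error: `HTTP ${res.status}` };
  const jrd = await res.json();
  // Only trust the document if it describes the account we asked about
  // (RFC 7033 lets the subject differ, but then the resource must be an alias).
  const names = [jrd.subject, ...(jrd.aliases || [])];
  if (!names.includes(handle.resource)) {
    return { ok: false, handle, error: 'WebFinger subject does not match resource' };
  }
  const self = (jrd.links || []).find(
    (l) => l.rel === 'self' && l.type === 'application/activity+json'
  );
  return { ok: true, handle, actor: self ? self.href : null, jrd };
}
```

On the handler page itself you would call `lookupAcct(location.hash)` and render `actor` (the ActivityPub profile URL) and whatever profile fields you fetch from it; `registerAcctHandler()` is what the "register this site" button calls.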
@evan
Why are you trying to deceive innocent bystanders into running shockwave flash crapware? You should be flogged severely, I says! 🤪
@RuiSeabra lol, that might be it!
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.