Aaron Parecki

  • infinite love ⴳ https://mastodon.social/@trwnh   •   May 13

    @aaronpk i'm all for using grid, but <tr> is a 1D row element so there's no real difference w flexbox, is there? you could use align-items: stretch

    Aaron Parecki
    The problem is the <td>s. As display: table-cell, they can't also be flexbox containers to have the contents stretch to the full height of the cell. I need them to be display: flexbox, which means they can't be a table, so then I can use the grid to create the <tr> and flexbox again to contain the rows in the <table>
    Rotterdam, Zuid-Holland, NLD
    1 like
    Mon, May 13, 2019 6:16pm +02:00
  • cambridgeport90 https://micro.blog/cambridgeport90   •   May 12

    @aaronpk Can I ask a question? I want to set up an Aperture instance. Am I able to follow straight up RSS feeds up there? Want to follow vendors and company blogs as well as personal ones. Possible, isn't it?

    Aaron Parecki
    Yeah absolutely! It also supports jsonfeed so you can even follow your micro.blog timeline there too!
    Düsseldorf, Nordrhein-Westfalen
    1 reply
    Mon, May 13, 2019 9:39am +02:00
  • Jakob L. Kreuze http://jakob.space   •   May 11
    Hoo, this comments section is a bit of a mess. Anyway, I'm just testing out Webmentions like everyone else. Don't mind me...
    Aaron Parecki
    I didn't realize it had gotten so bad!
    Düsseldorf, Nordrhein-Westfalen
    Sun, May 12, 2019 12:11am +02:00
  • Christian Schaefer https://twitter.com/derSchepp   •   May 11
    @aaronpk @adaction @RosemaryOrchard we are already at the Fleher Hof down the road, as it already had opened.
    Aaron Parecki
    Cool we will head over! It was closed when we got there
    Düsseldorf, Nordrhein-Westfalen
    Sat, May 11, 2019 6:13pm +02:00
  • https://adactio.com/notes/15129
    Aaron Parecki
    see you soon! 👋
    Düsseldorf, Nordrhein-Westfalen, DEU
    Fri, May 10, 2019 5:10pm +02:00
  • Scott Kingery https://twitter.com/TechLifeWeb   •   May 9
    #indieweb folks: It appears OwnYourGram is broken for me. Worked up until around the end of March. I think something might have changed on my host. I’m getting a “Mod_Security” error. What do I need to tell them to fix?
    Aaron Parecki
    Could be a number of things, but here's what we've seen before: https://indieweb.org/Wordpress_IndieAuth_Plugin#Troubleshooting
    Frankfurt am Main, Hessen, DEU
    1 like
    Fri, May 10, 2019 12:32pm +02:00
  • rosemaryorchard https://micro.blog/rosemaryorchard   •   May 8

    @jeremycherfas Not precisely related, but I changed my Instagram to a business account (me being the business), and now I can post to it automatically through Buffer. Just single images, but it's a start! (It notifies me if it's a multi-image post and when it can't automatically post, so I can finish it manually.)

    Aaron Parecki
    Have there been any negative side effects of converting to a business account? I've been curious about that but afraid to try it out.
    Portland, Oregon, USA
    2 replies
    Wed, May 8, 2019 8:20pm -07:00
  • Lena Hall https://twitter.com/lenadroid   •   May 8
    I really want to write about everything behind the scenes of #ML4ALL, but things are intense at work.

    While I am multitasking, you can enjoy all of the talk videos on machine learning online thanks to @aaronpk & @backpedaltv!

    https://www.youtube.com/watch?v=xPuVbDfEUvE&list=PLOnHsSCrR68xBQITh2Sf9YjD_z26p0Kt0&index=30
    Aaron Parecki
    Be sure to check out my behind the scenes video of how I filmed all the talks too! https://youtu.be/epKA84wK9ls
    Portland, Oregon, USA
    3 likes
    Wed, May 8, 2019 12:28pm -07:00
  • eneiluj https://framapiaf.org/@eneiluj   •   May 6

    @aaronpk Well I guess it's quite stressful to provide software to such a huge amount of users. Check out the issue counter on Nextcloud server repo. Maybe there's a lack of tact in their answer but it does not justify the aggressive comments they get in return. Free software development is also about respect and constructive criticism IMHO. My (very basic and subjective) perception is that they say it's not fair to be attacked for a delay in the bug resolution. I'm sure the bug will be fixed.

    Aaron Parecki
    Literally even just a "we recognize this is a problem and don't have the resources to fix it right now" response would have been better than staying silent, and would have prevented most of the frustrated responses. I also don't see any attacks there, certainly no personal attacks, just a lot of frustrated and confused people.
    Portland, Oregon
    Mon, May 6, 2019 4:16pm -07:00
  • eneiluj https://framapiaf.org/@eneiluj   •   May 6

    @aaronpk Which part disappoints you? I've read the whole thread and from what I get: When a fix is done, it will be available for everybody. Sounds good to me. I'm rather disappointed by such harsh criticisms. It does not sound fair considering the hard work Nextcloud team/contributors are doing to produce an amazing publicly available Free Software. #ILoveNextcloud 😉

    Aaron Parecki
    Complete lack of acknowledgment of the problem, an accusation that the problem doesn't exist unless you're an enterprise customer paying for support, followed by an abrupt closing of the thread without any real response.
    Portland, Oregon
    1 reply
    Mon, May 6, 2019 3:35pm -07:00
  • 📷 PhotoJoseph https://twitter.com/photojoseph   •   May 6
    Good morning, world! How did you start your week?
    Aaron Parecki
    a run is an excellent idea, but instead I spent the day editing my behind-the-scenes video of last week's shoot: https://www.youtube.com/watch?v=epKA84wK9ls
    Portland, Oregon, USA
    1 like
    Mon, May 6, 2019 8:37am -07:00
  • Even André Fiskvik https://twitter.com/grEvenX   •   May 3
    In the process of changing how we authorize the users in our web app and I’m wondering what route to take. Do you know about any simple proxy-like services for OAuth 2 auth code flow (not OIDC) that can keep sessions and handle auth for any SPA?
    Aaron Parecki
    Plenty of server-side frameworks can do this, I'm not sure about something as a service though. Also not sure if you'd really want to go down the path of offloading that kind of thing to a different site either.
    Portland, Oregon
    1 reply
    Sat, May 4, 2019 9:46am -07:00
  • alianora https://cybre.space/@nightpool   •   May 2

    @aaronpk Yep, but in that case the attacker controls the redirect uri right? how can the attacker control the redirect uri without also controlling the pkce secret?

    Aaron Parecki
    I'm trying to explain this in 200 character chunks but it clearly isn't working. I also can't find an existing page quickly that explains it better, so clearly I need to properly write it up.
    San Jose, California • 49°F
    1 reply
    Thu, May 2, 2019 4:41pm -07:00
  • Nico Kaiser https://twitter.com/nicokaiser   •   May 2
    ... assuming I can control what JS code runs on my site (which is a different problem), this should be safe, right?
    Aaron Parecki
    That's a big assumption (you don't know what browser extensions the user is using) but yes that's one way to be more confident. I wouldn't use absolute terms like "safe" though. "Less risky" maybe.
    San Jose, California • 49°F
    Thu, May 2, 2019 4:31pm -07:00
  • alianora https://cybre.space/@nightpool   •   May 2

    @aaronpk you linked to "Insufficient Redirect URI Validation" though? maybe i'm just confused about what you were talking about.

    Aaron Parecki
    Right, that's one way to steal data out of the redirect even if the browser is doing everything right.

    The attacker creates a redirect URL at the hostname of the real app but uses an endpoint on the app that can then redirect to the attacker's app. Chaining the redirects using an open redirector.
    San Jose, California • 49°F
    1 reply
    Thu, May 2, 2019 4:30pm -07:00
  • alianora https://cybre.space/@nightpool   •   May 2

    @aaronpk Yes, i get that, but the attacker can make the access token request just as easily as the legitimate client.

    Aaron Parecki
    No it can't, because the attacker won't have the PKCE secret at that point. (We're talking about the case where the code is stolen out of the redirect through one of many mechanisms)
    San Jose, California • 49°F
    1 reply
    Thu, May 2, 2019 4:26pm -07:00
  • alianora https://cybre.space/@nightpool   •   May 2

    @aaronpk no, I understand that one, I just still don't see how pkce helps improper redirect validation (since the pkce secret and redirect URI come from the same request)

    Aaron Parecki
    PKCE makes the auth code useless if it's stolen. In PKCE the secret isn't sent out until the access token request.
    San Jose, California • 49°F
    1 reply
    Thu, May 2, 2019 4:21pm -07:00
  • alianora https://cybre.space/@nightpool   •   May 2

    @aaronpk huh? But the redirect_uri is controlled by the same person who controls the code_challenge

    Aaron Parecki
    That particular attack doesn't assume a malicious browser, that one is improper redirect uri validation. I should probably just write up better explanations of all the attacks in that document but they are all described there.
    San Jose, California • 49°F
    1 reply
    Thu, May 2, 2019 4:17pm -07:00
  • alianora https://cybre.space/@nightpool   •   May 2

    @aaronpk isn't the section you linked to just as much of a concern under the authorization code flow as the implicit flow? since javascript clients are public clients no matter what?

    Aaron Parecki
    Nope because PKCE solves the problem of the thing being stolen during the redirect.
    San Jose, California • 49°F
    1 reply
    Thu, May 2, 2019 3:39pm -07:00
  • Nico Kaiser https://twitter.com/nicokaiser   •   May 2
    What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...
    Aaron Parecki
    Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.

    If you are going to issue refresh tokens to JS, definitely rotate them after every use.
    Sunnyvale, California • 49°F
    1 like
    Thu, May 2, 2019 3:32pm -07:00
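The two points made in the replies above, that a PKCE code_verifier never leaves the client until the token request (so a code stolen out of the redirect, even via an open redirector on the real app's host, cannot be exchanged), and that refresh tokens issued to JavaScript should be rotated on every use, are easier to see in a runnable model. The following is an added example written for this page, not Aaron's code and not any real authorization server; the in-memory `AuthServer`, the client id `spa-client` and the callback URL `https://app.example/callback` are hypothetical, and only the S256 challenge method of RFC 7636 is implemented. It goes one step beyond the thread by adding refresh-token reuse detection: when an already-rotated refresh token is presented again, every token descended from the same grant is revoked.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthServer:
    """Toy in-memory authorization server (hypothetical): PKCE-checked code
    exchange plus refresh-token rotation with reuse detection."""

    def __init__(self):
        self.codes = {}            # code -> {client_id, redirect_uri, challenge}
        self.refresh_tokens = {}   # refresh_token -> {family, used}
        self.revoked_families = set()

    def authorize(self, client_id, redirect_uri, code_challenge):
        # The challenge travels with the redirect_uri in the same request,
        # which is the point raised in the thread; the verifier does not.
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id,
                            "redirect_uri": redirect_uri,
                            "challenge": code_challenge}
        return code

    def token_from_code(self, client_id, redirect_uri, code, code_verifier):
        # pop() makes the code single-use: a failed attempt burns it rather
        # than leaving it around for a second try with a better guess.
        rec = self.codes.pop(code, None)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            return {"error": "invalid_grant"}
        return self._issue(family=secrets.token_hex(8))

    def _issue(self, family):
        refresh = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = {"family": family, "used": False}
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": refresh}

    def token_from_refresh(self, refresh_token):
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["family"] in self.revoked_families:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # A rotated token presented again: either the client or a thief
            # holds a copy. Revoke the whole family, including the newest token.
            self.revoked_families.add(rec["family"])
            return {"error": "invalid_grant"}
        rec["used"] = True
        return self._issue(rec["family"])


CLIENT = "spa-client"                      # hypothetical public client id
CALLBACK = "https://app.example/callback"  # hypothetical registered redirect URI


def stolen_code_scenario():
    """Attacker captures the code from the redirect (open redirector on the
    app's host) and hits the token endpoint first, knowing client_id and
    redirect_uri but not the verifier. Both attempts fail: the attacker's for
    a wrong verifier, the real client's because the code was burned."""
    srv = AuthServer()
    verifier, challenge = make_pkce_pair()
    code = srv.authorize(CLIENT, CALLBACK, challenge)
    attacker = srv.token_from_code(CLIENT, CALLBACK, code, "not-the-verifier")
    legit = srv.token_from_code(CLIENT, CALLBACK, code, verifier)
    return attacker, legit


def refresh_rotation_scenario():
    """Real client redeems the code, rotates once, then an old refresh token
    is replayed; the replay is refused and the whole family is revoked."""
    srv = AuthServer()
    verifier, challenge = make_pkce_pair()
    code = srv.authorize(CLIENT, CALLBACK, challenge)
    first = srv.token_from_code(CLIENT, CALLBACK, code, verifier)
    rotated = srv.token_from_refresh(first["refresh_token"])   # normal use
    replay = srv.token_from_refresh(first["refresh_token"])    # old token reused
    after = srv.token_from_refresh(rotated["refresh_token"])   # family revoked
    return first, rotated, replay, after
```

Burning the code on a failed PKCE check is a design choice, not something RFC 7636 requires: it means an attacker who races the real client denies that user a login, but it also turns the attempt into a visible failure instead of a silent second chance. The family revocation on refresh-token reuse is the behaviour later written into the OAuth 2.0 for Browser-Based Apps guidance; a server that only rotates, without tracking reuse, still leaves a stolen old token worthless but never learns that a theft happened.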

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.