Recent searches
Search options
Hey, all. I need some Web programming help.
As some of you know, the URL form of our Webfinger handles here on the Fediverse use the prefix `acct`, like `acct:evan@cosocial.ca`.
It would be great to have Web apps that can accept `acct` URLs as input and show you the information about that Fediverse account. So if you link to someone with their Webfinger handle, clicking it would take you to your Mastodon client or a dedicated app just for reviewing these accounts.
There's a cool feature called `registerProtocolHandler` in Web browsers that makes this possible.
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler
Unfortunately, `acct` is not one of the prefixes that can be used that way. I'd like to ask the WHATWG to add it to the list of protocols that can be used, but I wanted to have a demonstration app first that would show it. So, I made a site to test out the registration. I couldn't use `acct`, so I made it work with `web+acct`, which is how you can work with protocols not on the allow list.
I was able to get the functionality working OK, but not great. I'd like to have a better interface, but it will pull a Webfinger account and show your profile information.
Unfortunately, the demo Web site that this code runs on was up for like 36 hours before I started getting this scary message in Chrome.
It's still possible to get there, I guess.
If you'd like to see, you can click here. I'd recommend using an incognito window or something, just to be sure. Don't click links with security warnings just because someone asks you to nicely!
Anyway, the only two things exceptional about this site are that it fetches Webfinger and ActivityPub data (not that exceptional) and that it uses `registerProtocolHandler`.
I would like to know how to use that feature without going to Chrome jail.
I registered with Google Search Console for *.swf.pub, and it tells me there's a security issue.
"Detected issues: Deceptive pages. These pages attempt to trick users into doing something dangerous, such as installing unwanted software or revealing personal information."
There's a link to a description here:
https://support.google.com/webmasters/answer/9044101#zippy=%2Cdeceptive-pages
I don't know if this feature is going to work if every Fediverse service will need to go through a security audit to allow handling a protocol.
Anyway, I think I'm going to work on the presentation so it at least looks better, then get a security audit. Hopefully it becomes less of a scary minefield.
@evan is it a false positive? Or did you find that a hacker was in there?
@seth False positive. It's an example Web app with like 200 lines of code.
@evan
Why are you trying to deceive innocent bystanders into running shockwave flash crapware? You should be flogged severely, I says! 
@RuiSeabra lol, that might be it!