01:03:07  * dguttmanquit (Quit: dguttman)
01:03:24  * contrahaxquit (Quit: Sleeping)
01:03:47  * contrahaxjoined
01:08:54  * contrahaxquit (Ping timeout: 276 seconds)
01:52:33  * contrahaxjoined
01:56:22  * dguttmanjoined
02:10:52  * dguttmanquit (Quit: dguttman)
03:13:42  * contrahaxquit (Ping timeout: 246 seconds)
03:15:16  * contrahaxjoined
05:52:24  * phatedjoined
06:00:03  * pfallenopquit (Ping timeout: 240 seconds)
06:02:19  * fotoveritequit (Read error: Connection reset by peer)
06:02:41  * fotoveritejoined
06:10:32  * fotoveritequit (Ping timeout: 258 seconds)
06:16:10  <mappum>substack: i have an idea for an alternative if the browser people never make hyperboot possible. but it might only be useful for a few use cases, e.g. bitcoin and stuff where you don't trust the app with your private keys
06:18:11  * phatedquit (Read error: Connection reset by peer)
06:18:21  <mappum>the app can be hosted on multiple domains, and use Schnorr threshold signatures for private key crypto. with that, you can generate a single pubkey which is based on multiple private keys, and some number of keys in the set have to sign for the signature to be valid
06:18:45  * phatedjoined
06:19:08  <substack>interesting
06:19:47  <mappum>so if it's bitcoin, your money can only be spent if M of N of the apps agree on signing the transaction. so even if some servers become evil, they can't take your money
06:21:02  <substack>what would protect against the javascript payload that any server may send for the code that deals with the finalized key?
06:21:34  <substack>or would each js payload only be aware of part of the payload, and signs something in a tricky way that makes it so that no party has the complete key
06:22:12  <mappum>no code ever has access to one master key. the Schnorr crypto math makes it so each one only ever has their key share, and just sends their unique signature
06:22:36  <mappum>but any of them can combine signatures from the various keys and create the final signature
06:23:45  <mappum>the bitcoin devs have been planning on adding this for a while. Ed25519 is based on Schnorr so it supports this
06:24:10  <substack>I see, cool
06:25:05  <mappum>and even if you didn't have that fancy crypto, you could just make an application have a set of N pubkeys, and require M signatures from the keys in the set
06:25:23  <mappum>bitcoin already does support that, up to 15 keys or something
06:26:40  <substack>what would the UX look like for when a user authorizes a domain to sign a transaction?
06:26:57  <substack>go through them one-by-one and wire up access through post messages?
06:27:58  <mappum>right, something like that. it would be annoying, but maybe you would just do that for large amounts of money and each domain could also have a small amount that it has direct control of for convenience
06:30:05  <mappum>it's kind of like a little p2p swarm in your computer that has to come to consensus to sign things
06:30:29  <substack>that's a bit like those disposable debit cards you can generate with some banks
06:30:50  <substack>for when you don't entirely trust a website selling something online
06:31:25  <substack>the convenience and purchase limit aspect
06:32:26  <mappum>hm, yeah
06:32:42  <mappum>and the swarm-money would be your debit account
06:34:35  <mappum>you could also put some of the key shares on other devices for even better security
06:37:21  * fotoveritejoined
06:38:01  <substack>or some of your friends' devices for extra backup
06:38:11  <substack>in case you lose your devices
06:38:34  <substack>and you could encrypt the data you store with your friends first
06:39:21  <mappum>whoa yeah, that would be cool. or if you don't encrypt it then at a certain point it becomes a DAO :P
06:42:02  <mappum>there are already some bitcoin people who use this for company funds, where each board member has a key
06:42:15  <mappum>but i don't think anyone has done keys shared across multiple apps
06:47:00  * parshap_joined
06:47:42  * toddself_joined
06:50:00  * kanzure_joined
07:02:32  * hughsk_joined
07:03:13  * phatedquit (Remote host closed the connection)
07:04:44  * toddselfquit (*.net *.split)
07:04:44  * kanzurequit (*.net *.split)
07:04:45  * cubertfarnsquit (*.net *.split)
07:04:45  * farnsworthquit (*.net *.split)
07:04:46  * harrowquit (*.net *.split)
07:04:46  * hughskquit (*.net *.split)
07:04:46  * parshapquit (*.net *.split)
07:06:01  * hughsk_changed nick to hughsk
07:07:00  * harrowjoined
07:07:10  * parshap_changed nick to parshap
07:14:46  * cubertfarnsjoined
07:14:46  * farnsworthjoined
07:15:42  * phatedjoined
07:17:55  * fotoveritequit (Quit: fotoverite)
07:20:00  * phatedquit (Ping timeout: 250 seconds)
08:17:04  * hyperirc-9d25a90quit (Remote host closed the connection)
08:17:26  * hyperirc-9d25a90joined
08:31:13  * contrahaxquit (Ping timeout: 258 seconds)
08:32:34  * contrahaxjoined
09:16:47  * phatedjoined
09:21:20  * phatedquit (Ping timeout: 250 seconds)
10:19:27  * contrahaxquit (Ping timeout: 276 seconds)
10:21:27  * contrahaxjoined
10:33:29  * thealphanerdquit (Quit: farewell for now)
10:33:59  * thealphanerdjoined
11:16:09  * phatedjoined
11:20:30  * phatedquit (Ping timeout: 250 seconds)
12:15:40  * pfallenopjoined
12:29:03  * kanzure_changed nick to kanzure
12:37:48  * pfallenopquit (Remote host closed the connection)
12:38:02  * pfallenopjoined
13:31:48  * dguttmanjoined
13:53:58  * dguttmanquit (Quit: dguttman)
14:24:23  * contrahaxquit (Quit: Sleeping)
14:34:58  * dguttmanjoined
14:44:11  * dguttmanquit (Quit: dguttman)
14:50:32  * dguttmanjoined
15:03:50  * contraha_joined
15:10:59  * contraha_quit (Ping timeout: 258 seconds)
15:10:59  * contrahaxjoined
15:25:13  * contrahaxquit (Ping timeout: 258 seconds)
15:26:10  * contrahaxjoined
15:30:33  * contrahaxquit (Ping timeout: 240 seconds)
15:32:01  * contrahaxjoined
15:43:25  * contrahaxquit (Ping timeout: 252 seconds)
15:44:23  * contrahaxjoined
15:57:28  * contrahaxquit (Ping timeout: 244 seconds)
15:59:03  * contrahaxjoined
16:05:46  <mikolalysenko>what options are there for persistent state in web applications?
16:06:48  <mikolalysenko>and also, why on earth is the limit for localStorage only 5 mb?
16:07:08  <mikolalysenko>there should at least be some way to ask the user to opt-in for upgrading to a larger cache if they want
16:09:31  <pfraze>you speak the anger of a thousand webdevs
16:09:56  <pfraze>the other option is indexeddb
16:11:58  <pfraze>pouchdb is a good wrapper around it
16:13:32  <mikolalysenko>seems like it's all terrible :(
16:13:41  * shamajoined
16:13:44  <mikolalysenko>but at least we got fat arrows and promises now...
16:17:24  <pfraze>that's the spirit!
16:24:28  <noffle>mikolalysenko: don't forget about es6 modules
16:24:38  <noffle>thank goodness we got dem es6 modules
16:31:35  <pfraze>the other day, I read up on why websql never happened. (which, btw, was not a very well-made spec, but still)
16:32:06  <pfraze>mozilla sunk it because they felt like they'd have to implement their own version of sqlite
16:32:51  <substack>mikolalysenko: level-browserify is a nice indexeddb wrapper
16:33:00  <substack>and you can use everything from the level ecosystem
16:41:30  * contrahaxquit (Ping timeout: 246 seconds)
16:44:07  * contrahaxjoined
16:48:37  * contrahaxquit (Ping timeout: 260 seconds)
16:49:11  * contrahaxjoined
16:53:24  * contrahaxquit (Ping timeout: 246 seconds)
16:55:51  * contrahaxjoined
16:59:51  * contrahaxquit (Ping timeout: 240 seconds)
17:04:24  * contrahaxjoined
17:12:56  * phatedjoined
17:17:33  * phatedquit (Ping timeout: 250 seconds)
17:19:08  * toddself_changed nick to toddself
18:27:19  * contrahaxquit (Ping timeout: 244 seconds)
18:28:53  * contrahaxjoined
18:54:17  * contrahaxquit (Quit: Sleeping)
19:09:55  <mikolalysenko>am I confused, or is CORS just really stupid?
19:10:16  <mikolalysenko>CSP makes sense, but the rules around CORS just seem arbitrary and pointless
19:11:02  <mikolalysenko>there must be some subtle way to exploit things if CORS isn't followed, but it just isn't clicking what the problem is that it solves
19:11:09  <mikolalysenko>other than making everyone's page break for no good reason...
19:13:27  <mikolalysenko>I guess CORS discourages hot linking to images/assets hosted on other servers?
19:14:15  <mikolalysenko>but if browsers just implement the referrer header correctly you could still block that stuff if it really offended you
19:14:39  <dguttman>CORS doesn’t apply to images, does it?
19:14:47  <mikolalysenko>basically CORS moves the web from "default hyperlinks work" for assets to "default hyperlinks fail"
19:14:50  <mikolalysenko>yeah it does
19:15:16  <mikolalysenko>it often gets mixed up with CSP, which is actually a pretty sensible idea
19:15:29  <mikolalysenko>but CORS is totally nuts
19:15:44  <dguttman>interesting, haven’t run into it for that, just when trying to fetch data from other domains
19:16:05  <mikolalysenko>you can set the crossOrigin attribute on the image
19:18:35  <pfraze>yeah I think CORS is meant to stop requests from webpages that you don't authorize, as a server
19:18:47  <pfraze>I'm 100% sure it applies to XHR
19:30:41  * dguttmanquit (Quit: dguttman)
19:49:04  * contrahaxjoined
20:41:33  <nrn>Default <img> and <script> tags can cause GET requests without regard to CORS
20:41:53  <nrn>CORS is mostly about 3rd party sites not being able to do things on behalf of a user on another site, especially things that rely on cookies the user has set on their machine.
21:32:35  * phatedjoined
21:42:55  <mikolalysenko>ah, I see
21:43:17  <mikolalysenko>still seems like a blunt solution
21:43:40  <mikolalysenko>would be better if the default policy was to just not use cookies unless the content accept header was set
21:44:05  <mikolalysenko>so you could still grab stuff like 3d models or audio data from remote servers
21:55:16  * phatedquit (Remote host closed the connection)
22:07:54  * phatedjoined
22:30:07  <mappum>mikolalysenko: if it's your server you can set the 'Access-Control-Allow-Origin' header to '*' and it will allow cross-domain requests
22:47:50  * myf_joined
22:49:01  * myf_quit (Client Quit)