While I would still say that Chromium generally wins on the security front, I’m happy to see the gap narrow with time and to see Firefox occasionally inch ahead in some areas.| All content on Seirdy’s Home
The four most popular ways to use RDF-based metadata on websites are RDFa-Core, RDFa-Lite, Microdata, and inline JSON-LD.| All content on Seirdy’s Home
Here’s my thought process when deciding whether to block a scraper from seirdy.one, the scrapers I block, the scrapers I allow, and the ways I block them.| All content on Seirdy’s Home
Documenting my low-equipment at-home workout regimen. How I work out, why I work out, my workout split, my list of exercises, and advice I'm soliciting.| All content on Seirdy’s Home
Clicking annotations doesn’t navigate away from your site to a Google search; it triggers an overlay with infoboxes about the term you selected. It’s similar to the iOS “Look Up” option for selected text. It’s wrong to do because this obfuscates what is and isn’t a link the author placed on the page. Inserting what appears to be links into the page crosses the line from user-agent interventions, such as adblocking or turning off certain unsafe features (acceptable) to editing an a...| All content on Seirdy’s Home
Real time collaboration software and text boxes that rapidly save drafts to the cloud essentially log your fingerprintable typing behavior. The industry refers to this information as “keystroke dynamics” or “typing biometrics”.| All content on Seirdy’s Home
I don’t think most people realize how Firefox and Safari depend on Google for more than “just” revenue from default search engine deals and prototyping new web platform features.| All content on Seirdy’s Home
Travelers can leave key fobs at home should they be accosted. A victim of a break-in can conveniently “lose” or smash a hardware key, erasing any encrypted data. Yes, I know about cold-boot attacks; I don’t recommend at-risk people to leave things decrypted for long durations. I like the idea of spring-loaded key fobs that can’t be left plugged in.| All content on Seirdy’s Home
Common Crawl is the closest thing we have to an open index, though it doesn’t meet your requirement of ignoring robots.txt for corporate websites while obeying it for personal sites. Unfortunately, being open and publicly available means that people use it to train LLMs. Google did this for initial versions of Bard, so a lot of sites block its crawler. Most robots.txt guides for blocking GenAI crawlers include an entry for it now.| All content on Seirdy’s Home
Google has a bias against new sites. This makes sense, given their spam potential. I disagree with your argument that a bias against new sites is a pivot away from Experience, Expertise, authoritativeness, and trustworthiness (EEAT): it takes time for a website to become an authority and earn trust. If delayed indexing of new sites is wrong, then the problem lies with EEAT. I argue that EEAT is a good framework for an answer-focused engine, but a bad framework for a discovery- or surfing-foc...| All content on Seirdy’s Home
In the wake of a certain ad-funded browser company bundling adtech into its browser yet again, some people have been recommending Ungoogled-Chromium (UGC). I think it’s fine to recommend UGC with caveats, such as the fact that it disables component updates that include:| All content on Seirdy’s Home
One thing I’ve noticed is that some tools are incompatible with an XHTML5 MIME type. Site auditors like Lighthouse are only provisionally compatible, and some browser extensions are rather buggy. You can compare them yourself on seirdy.one: switch the MIME type by appending /index.xhtml to a URL. You may have to disable the CSP sandbox by appending ?sandbox=off to the URL to get Lighthouse to work. I keep my site polyglot and serve with the text/html MIME type by default for maximum compatib...| All content on Seirdy’s Home
This page at the time of writing grades websites’ progressive enhancement based on their ability to work without JavaScript. Everything, not just JavaScript, should be progressive enhancements.| All content on Seirdy’s Home
My search engine article blew up recently, as yet another major publication linked it (yay! /gen), so I made some fixes:| All content on Seirdy’s Home
The best ways to improve opsec against coercion are to:| All content on Seirdy’s Home
A catalog of all the website improvements I hope to make on seirdy.one, but haven't gotten to yet (and some that I have).| All content on Seirdy’s Home
My curation of over 70 88x31 badges, representing what I and this site use and stand for.| All content on Seirdy’s Home
My previous response to similar concerns is relevant. To elaborate:| All content on Seirdy’s Home
Instead, I made CSS Naked Day participation opt-in with a new query parameter to the URLs: Just add ?sandbox=broken to the end of any URL on seirdy.one. This query parameter sets a maximally-restrictive Content-Security-Policy header, instructing your browser to block CSS, images, media, and more from loading. The only thing that the CSP will allow is submitting forms (Webmentions). See my CSP Bug Reproduction page for other values you can give the sandbox parameter on seirdy.one and its On...| All content on Seirdy’s Home
I use a quick crypto.FNV32a-based fix for short cache-busting fingerprints that doesn’t directly rely on the unstable .Key method.| All content on Seirdy’s Home
Using neural nets trained on other people’s work to create (and often profit from) new work in their style without compensation is problematic. I don’t think that doing the same for upscaling algorithms is.| All content on Seirdy’s Home
Sourcehut and Codeberg are experiencing reliability issues due to an ongoing layer-3 DDoS attack.| All content on Seirdy’s Home
Any platform able to get away with enshittification will do so when given the incentive. Enshittification emphasizes the process of a platform’s downfall; we should be taking steps to prevent that from happening in the first place by keeping platforms open. Vigilance against enshittification is misplaced when better spent against user domestication.| All content on Seirdy’s Home
An alternative to controversial recommendation algorithms is timeline-filtering algorithms. Feeling pressured to scroll through too much is unhealthy and lends itself to addiction; filtering things down once a user scrolls down far enough should be a welcome opt-in feature.| All content on Seirdy’s Home
I continue to work on my site over break. Today I got the build time down to 3.5 seconds for the Hugo build and just under 3 seconds for post-processing and syntax-checking (mostly using xmllint). I’m not parallelizing the post-processing since my laptop just has two cores (no simultaneous multithreading) and CI has one.| All content on Seirdy’s Home
Instructions for re-building seirdy.one from its source code| All content on Seirdy’s Home
Whenever I discover a new GUI toolkit, my first question is always “is it more native than the Web?” For reference, here are some ways Web apps have better system integration than Flutter:| All content on Seirdy’s Home
The three most popular DNS protocols with transit encryption are DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ). This should help you choose what to use:| All content on Seirdy’s Home
Some have gotten quite large. The Hotline Webring is close to 700 members. The Yesterweb Webring recently shut down because it got too large, past 800 members! Some of the people behind the larger Yesterweb community felt that the webring had gone too mainstream and become a venue for SEO and traffic-boosting rather than a chill network of friendly like-minded people.| All content on Seirdy’s Home
It looks like the Tor Browser is finally addressing some of the accessibility issues inherent to its fingerprinting resistance, starting with Issue 42226: Reduce Customisability of default fonts and colours. The proposed fix of curating common “sets” of settings would add some entropy to everybody’s fingerprint but allow more people to use the browser overall, as it would support some degree of personalization (e.g. dark mode).| All content on Seirdy’s Home
What do people think about Seirdy? These are some quotes about me.| All content on Seirdy’s Home
The primary, hopefully-unintended function of a “real-name policy” is to exclude people and make people less genuine. Many aren’t at home with the name deemed by society to be “real”.| All content on Seirdy’s Home
Firefox 120 appears to have regressed to its older WebKit-like blue focus outlines; it briefly had dual-color white-and-blue outlines.| All content on Seirdy’s Home
Support my work by sending me donations! This helps me continue Fediverse moderation, blogging, and coding.| All content on Seirdy’s Home
What I consider:| All content on Seirdy’s Home
Fedora is a stable distro now, with three levels of pre-release: Rawhide is unstable, Branched is sort of like an alpha release, and Beta is for early adopters.| All content on Seirdy’s Home
WCAG 2.2 removed SC 4.1.1, Parsing (Level A). I maintain that valid markup has important benefits despite no longer being required. We may find it possible to write good software without static analysis, construct a building without blueprints, or make an accessible website without validation. They remain good practices.| All content on Seirdy’s Home
I propose an alternative to the Dead Internet Theory called the Living Dead Internet Theory, an exaggerated version of my actual beliefs:| All content on Seirdy’s Home
I’d suggest looking into the doc-notice, doc-tip, and doc-example DPUB-ARIA roles. I’m a big fan of DPUB-ARIA and I do not think it is used enough. I believe Google’s Talkback has the most robust support for it out of any AT I’m familiar with.| All content on Seirdy’s Home
It’s hard to target browsers’ secure profiles. Safari’s Lockdown Mode disables a dozen or so APIs and a handful of other features; the Tor Browser disables another handful of features; Microsoft Edge will likely land more changes to Enhanced Security mode in the coming years. Barely any of this is documented.| All content on Seirdy’s Home
These addons work by injecting or altering stylesheets in the page, and are trivially detectable. A good rule of thumb is that if it can trigger a CSP violation in the developer console, it is trivial to detect with JavaScript.| All content on Seirdy’s Home
I would like to just use Raku rules for a concise way to describe more advanced grammars; I’d then just keep my regexes to the PCRE subset that’s common between Google’s RE2 and the Rust regex crate. I doubt they’re both “regular” but both guarantee linear time matching. Part of the reason I don’t do this is portability. Not everything runs Raku, but almost every platform has a regex engine with the features I need.| All content on Seirdy’s Home
CNET actually didn’t have to delete old articles to improve ranking. If CNET simply removed those articles from its sitemap, used WebSub to inform Google (and IndexNow to inform Bing, Seznam, and Yandex) of new higher-priority pages, and maybe used robots.txt to disallow crawling of stale pages: CNET could keep old content but prioritize the crawling of recent content. Nothing I just described is Google-specific; these are all agreed-upon standards that work across several search engines.| All content on Seirdy’s Home
Before, the DOM Distiller removed elements far too aggressively. The new Screen2x implementation has gone in the opposite direction: it barely removes any of the page’s non-navigation structure. It does, however, remove all the images. figure elements that aren’t images (e.g. block-quotes with citations in figcaption children, or code snippets with descriptions in their captions) lose their captions. Inline code and samp elements lose their semantics and styling, becoming plain inline tex...| All content on Seirdy’s Home
I’m a browser “with the latest in header compression”, fetching a web page. I race a TCP-based ALPN run against an HTTPS record lookup (Chromium’s behavior). Either the HTTP/2 ALPN wins the race, or the HTTPS DNS record does not exist. Both are, and will remain, common scenarios. So I fetch the page over HTTP/2. This is the initial request; dynamic HPACK hasn’t kicked in. I download a 1.56kb HTTP response header:| All content on Seirdy’s Home
The Open-Source Initiative (OSI) is planning to form a definition of “Open Artificial Intelligence” (not to be confused with OpenAI, a company selling proprietary autocomplete software whose technical details only grow less open with each iteration). Unfortunately, odds of the definition requiring the release of training data are slim: the OSI’s executive director isn’t keen on the idea himself.| All content on Seirdy’s Home
Why is my site’s markup polyglot XHTML5? I have had to deal with some really awful user-agents:| All content on Seirdy’s Home
We need semantic markup for sarcasm for the best of both worlds! Style sarcasm with CSS and have your client/browser indicate it to you however you prefer.| All content on Seirdy’s Home
I don’t want my content on those sites in any form and I don’t want my content to feed their algorithms. Using robot.txt assumes they will ‘obey’ it. But they may choose not to.| All content on Seirdy’s Home
These are rhetorical questions because you can probably guess the answers. Simple data deletion is a cop-out from the impossible task of un-learning. Consent isn’t as meaningful if it isn’t fully revocable.| All content on Seirdy’s Home
When I talk about website accessibility, I think a lot of people get stressed out and wonder if their personal site passes a really high bar. Some feel pressure to pass every single accessibility requirement they can.| All content on Seirdy’s Home
Everything about Brand Indicators for Message Identification (BIMI) feels so half-baked.| All content on Seirdy’s Home
I don’t think trademarks are, in principle, evil. But anything that has billions of dollars riding behind its ability to get twisted out of proportion will be ruined.| All content on Seirdy’s Home
I’ve previously been an advocate of making websites with long-form body text increase the default size just a bit, since their text should be larger than the one-size-fits-all browser default; interfaces and navigation can be smaller. I didn’t think we should expect users to change their default zoom levels, as that’s a potential JavaScript-free fingerprinting vector.| All content on Seirdy’s Home
Federation is a revocable privilege contingent upon instance staff maintaining a community that other instances feel safe connecting to. If staff fails to meet that obligation, the privilege is revoked. This allows moderation to scale across millions of users.| All content on Seirdy’s Home
instant.page (mentioned in another response) is popular, but it’s not the only game in town. Google Chrome Labs made an alternative called quicklink which also attempts to optimize CPU time by preloading in-viewport pages during idle time. instant.page generally expects you to be using a mouse; results on touchscreens are pretty minimal and probably not worth the extra JS.| All content on Seirdy’s Home
I added an entry to my robots.txt to block ChatGPT’s crawler, but blocking crawling isn’t the same as blocking indexing; it looks like Google chose to use the Common Crawl for this and sidestep the need to do crawling of its own. That’s a strange decision; after all, Google has a much larger proprietary index at its disposal.| All content on Seirdy’s Home
This is so similar to my setup! I run Stylelint and v.Nu too. I send v.Nu output through a JQ filter to filter out false-positives (after reporting them upstream); you might eventually do something similar, since there are a lot of these. Your blog post reminds me that I need something better than regex substitutions for customizing footnote and section links; Hugo’s parallel nature prevents it from doing post-processing of fully-assembled pages. Other tools I use:| All content on Seirdy’s Home
Here’s a compiler flag that slipped my notice: Clear Linux has -fzero-call-used-regs=used in its CFLAGS for security-sensitive x86_64 packages, wiping call-used registers on return to protect against ROP exploits. In my benchmarks, there was almost no perf difference between skip, used-gpr and used which is surprising; I thought that this would really hurt instruction cache optimization.| All content on Seirdy’s Home
I see this as a nice temporary solution to limit ossification introduced by corporate (in)security measures and middleboxes, but I’m not too optimistic about its impact on the CAPTCHA hell brought about by TLS fingerprinting. Increasingly, it looks like hosting providers will just treat any statistical anomalies in their logs as hostile traffic; any variance is a cause for suspicion, when it should be treated as an invitation to make sites more robust and compatible with different user agen...| All content on Seirdy’s Home
Indexing Fediverse posts should be “mandatory opt”, not opt-in or opt-out. Account creation should offer a few checkboxes: indexing could be done by “your instance”, “all federating instances”, and “traditional search engine crawlers”; for each of these, users should be able to choose “none”, “public posts only”, and “all”. Alternatively: there should be a “discoverable” post visibility option that opts you into more advanced discovery options like search or ap...| All content on Seirdy’s Home
Making links recognizable in ways besides color is a basic accessibility requirement; in body text, underlining them makes their starting and ending locations obvious. I’ve recently decided to make a very personal exception:| All content on Seirdy’s Home
Designing tools to make people feel convenienced (the opposite of inconvenienced) is sometimes different from designing tools to make people’s lives better.| All content on Seirdy’s Home
How does Warp stack against other toolkits when it comes to accessibility and system integration?| All content on Seirdy’s Home
I just discovered Yuescript, which is like MoonScript with more features. I have mixed feelings.| All content on Seirdy’s Home
It’s not the most practical choice for everything; I probably would choose something else for a big collaborative project. But it’s an absolute joy to use something that truly feels like “executable pseudocode”, like a simpler Python alternative with a bias towards functional programming. If you can grok Lua’s “tables for everything” model, then the MoonScript language guide should help you pick up the language in minutes.| All content on Seirdy’s Home
I do find their decision to drop JPEG-XL from Chromium problematic because it was clearly an example of them ignoring everyone else, showing the limits of Chromium’s collaborative decision making. However, “pushing their own formats” wasn’t one of their reasons:| All content on Seirdy’s Home
This leaves only a minuscule semantic difference between <i> and <em>, or <b> and <strong>, as outlined in the HTML Living Standard. I don’t think that difference warrants extra elements in the HTML standard: the extra elements likely create more confusion than actual benefit. Over the past decade, I’m unaware of any user-agents treating them differently enough, in a way that aligns with author intent, to matter.| All content on Seirdy’s Home
If you’re willing to do some of that (a big “if”: good communication protocols should make key exchange easier than this), then I’d argue that the initial leap of faith associated with Trust-On-First-Use (TOFU) is mostly a non-issue. However, PGP has its own larger set of issues that make it a poor candidate for communication protocols (complexity/configuration-hell with too many footguns, no forward secrecy, long-lived secrets, etc).| All content on Seirdy’s Home
I see a lot of discussion about the fear that corporations and VCs will take over the fediverse. The thing is, Mastodon going mainstream will require a lot of capital and development of new products and innovations for this ecosystem…Let’s also allow VC-backed startups to flourish building services for all of us.| All content on Seirdy’s Home
I run Lighthouse and WAVE as a “Hey, let’s see what I have ahead of me” kind of thing. A baseline of sorts. Then I go into manual testing| All content on Seirdy’s Home
The fact that I have to have a full WebKit process and actual JS running just to view an EPUB is really infuriating.| All content on Seirdy’s Home
You said something I’d like to draw attention to:| All content on Seirdy’s Home
This was originally a reply to another post. That post has been deleted.| All content on Seirdy’s Home
There’s no real “recommendation algorithm” here. Mastodon 4.x has a “trending” feature, but that’s it.| All content on Seirdy’s Home
Last year, 37signals employees shared the “pyramid of hate” in a work chat in response to seeing a list of “funny Asian names” of customers. Upper management responded by banning discussion of politics at work (I presume “politics” means “anything that creates a sense of social responsibility beyond investor value”). Its handling of the situation caused a third of its employees to resign.| All content on Seirdy’s Home
This also combines really well with the Publish on your Own Site, Syndicate Elsewhere (POSSE) principle. Often, a post of mine syndicates well to multiple destinations. I might reply to a forum on my site and syndicate it to both that forum and to the Fediverse. People reply in both places, and Webmentions aggregate them together on my site (though I often have to send myself those mentions). I only have to write something once.| All content on Seirdy’s Home
I love this blog post. Thank you for writing it. I must add one thing: every accessibility audit needs to test with forced colors. Countless sites claim to be accessible but fail this basic check.| All content on Seirdy’s Home
Synapse is incredibly slow, which is why I run the Conduit matrix server. Server performance is the main price paid for Matrix’ history replication.| All content on Seirdy’s Home
I just learned that dedicated IndieWeb clients do exist! Sharing for those less familiar:| All content on Seirdy’s Home
A demonstration page to help diagnose Content-Security-Policy issues in browser software.| All content on Seirdy’s Home
This is an idea I’ve seen repeated before. I need to push back on it.| All content on Seirdy’s Home
Progressive enhancement is a wonderful thing. I try to make sites usable in browsers of that era (with a TLS terminator) despite using several HTML 5 and bleeding-edge CSS features. Every feature possible should be progressive.| All content on Seirdy’s Home
The Accessible Platform Architectures (APA) working group hopes to designate adapt- as a reserved prefix in HTML 5. You can read the draft proposal on the public-adapt mailing list.| All content on Seirdy’s Home
It doesn’t make sense to blatantly violate WCAG (especially at the “A” level!) just because big companies do. The companies you cite know they won’t get sued over link underlines, even though removing them without replacement is an accessibility hazard. Every time someone jumps onto Flutter because Google said it’s accessible, I feel tempted to file yet another accessibility issue.| All content on Seirdy’s Home
Speaking generally: I think most website security scanners (Webbkoll, Observatory, et al) lend themselves to cargo-cults. You don’t need most Content Security Policy directives for a PNG file, for instance. Warning against a missing X-Frame-Options feels wrong: even the latest version of iOS 9—the oldest iOS release to support secure TLS 1.2 ECDSA ciphers—seems to support frame-ancestors (correct me if I’m wrong).| All content on Seirdy’s Home
Earlier this month, Google re-branded its WebP2 repository to clarify that WebP 2 will not be released as an image format. This week, Google deprecated Chromium’s off-by-default JPEG-XL support, citing a lack of interest and improvement over existing formats. Most commits to libjxl, the reference JPEG-XL implementation, are from “google.com” email addresses; I imagine that this decision could impact libjxl development.| All content on Seirdy’s Home
I use nginx-quic with BoringSSL without issue, although I did have to use a separate script to manage the OCSP cache. The script manages the cache better than Nginx ever did, so I recommend it; it should be trivial to switch it from OpenSSL to LibreSSL.| All content on Seirdy’s Home
Assuming we have transit encryption, the main result of Border Gateway Protocol (BGP) errors is mass downtime. Downtime for a typical service is a headache; downtime for a CA can be disastrous. BGP hijacking also enables certificate mis-issuance by messing with weak domain control validation. Route authorization is an important mitigation!| All content on Seirdy’s Home
Three reasons to declare a font size in a page’s CSS:| All content on Seirdy’s Home
Many open standards can support profile hydration:| All content on Seirdy’s Home
SVCB DNS resource records (RRs) were introduced somewhat recently. They inform user-agents that a given resource exists at another endpoint, possibly with extra| Seirdy’s Home
There is no such agreement on the web: On the users’ end, we don’t have advance notice that a link destination will contain malware (such as ads). The page has| Seirdy’s Home
The Web is not built around advance informed consent; there’s no agreement to terms before downloading a public file (besides basic protocol negotiations). This| Seirdy’s Home
Search engine indexes like Google, Yandex, and Bing now favor mobile-friendly sites. This has encouraged many sites to invest in mobile-friendliness. If we| Seirdy’s Home