RFCs for Dash.app

I recently (re)discovered Dash, an OS X application that provides offline access to a number of popular documentation sets. I had done something similar myself many years ago by mirroring the php.net website locally, but Dash provides a much better UI, provides good search functionality, and integrates nicely with text editors and launchers like Alfred. For me, having the offline access during my daily commute, as well as the ability to search directly from Alfred made this well worth the twenty bucks it costs.

One documentation set that was missing however was RFCs published by the IETF. I regularly find myself wanting to reference the specifications for things like HTTP, timestamps, or URIs. So this week I put together a Dash docset that includes every published RFC, indexed and marked up so that Dash can display tables of contents. It looks something like this:


It’s certainly not small… the expanded archive weighs a little over 500 MB. But it’s really nice to have readily available if you reference RFCs a lot. You can install the docset directly into Dash or find it on GitHub.

Using HSTS with HTTP requests

At IndieWebCamp this last weekend, Ryan Barrett noted that he serves both secure and non-secure traffic on snarfed.org, and that instead of redirecting non-secure URLs to their secure equivalents, he sends an HSTS header for all content. That way, browsers that understand HSTS will eventually start switching over to the secure version of his site. I thought this was certainly a clever way to maintain support for older browsers that don’t support SNI (IE on Windows XP, mainly), but I mentioned that I was pretty sure that you weren’t supposed to do that. I couldn’t remember where I read that, and it turns out it’s right out of RFC 6797 (section 7.2 to be exact):

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

And this makes sense. The whole point of the header is to indicate to clients that they should always use a secure transport. If that’s true, then you shouldn’t ever send any content over non-secure channels. There’s no real way to indicate that a secure option is available and is preferable, but not force clients to use it.

Display likes in a facepile

This weekend I got webmentions working on my site again, and now thanks to brid.gy I have Twitter likes, Google +1s, etc feeding back into my site. By default though, they display as normal WordPress comments. Tonight, I got them displaying as a facepile. For example, see the bottom of my IndieWebCamp 2014 post.

There’s still more I’d like to do with the UI, and the code needs to be cleaned up quite a bit so I can start sending it upstream, but if anyone wants to take a look, here’s the interesting commit.

IndieWebCamp SF 2014

There’s only a couple of hours left in IndieWebCamp SF 2014, and it’s been a really productive weekend.

I mostly got Webmentions working last year, but my implementation wasn’t good enough that it stuck… I ending up disabling things before too long. This year, the WordPress plugin is in much better shape, I’m using a much better WordPress theme (Genesis), and brid.gy exists to bridge my site with various silos. Now, interactions on Google+, Facebook, and Twitter are retrieved by brid.gy, converted to webmentions, sent to my site, and stored as local comments. There’s still a little work to do to have likes and +1s to be displayed as a facepile, rather than a regular comment, but it’s definitely good enough for now.

We also spent a lot of time talking through the challenges of running a site with HTTPS, and what levels of SSL support people should try to achieve and where that fits in with IndieMark. I’m not sure if all the notes have made it into the wiki yet, but the etherpad from the session is here.

Finally, I really came to realize that we have a long way to go to make it easier for WordPress users to get set up on the indie web. Though I’m happy to report that Dan Gillmor, Scott Jenson, and Darius Dunlap also got their WordPress sites up and running with webmentions and brid.gy.