I like to preview my statically generated site (Octopress/Jekyll) on my local machine or an internal server before deploying to the public server. Is it possible to test talkyard.net hosted comments in such a setup?
KajMagnus @KajMagnus2018-04-19 14:18:43.017Z2018-04-21 06:54:20.004ZYes, in the admin area of the embedded comments site (i.e.
https://comments-for-....talkyard.net) there's this setting:Allow embedding from(in the Settings tab, the Embedded Comments sub tab). Edit it and addhttp://localhost:4000e.g.:https://your.blog.com http://localhost:4000Then you can show the embedded comments, both at
your.blog.comand also in a local Jekyll server atlocalhost:4000.EDIT: 4000 above should be the port that the local web server listens on. Maybe it listens on port 8000 not 4000 — then, add
http://localhost:8000instead. (I wrote 4000 because apparently that's what Jekyll listens on by default)- DJason @detly
Makes sense! Although could be a security issue while it's enabled — anyone can control their own
localhost:4000even when they can't control my real domain. (Perhaps solvable by having a private token forlocalhostusage? I'm not sure.) But it'll work for now, thanks.
KajMagnus @KajMagnus2018-04-21 06:53:00.054ZInteresting question. If someone starts a local server on
localhost:4000and embeds your comments, s/he won't be able to see anything more than what's publicly available via your real website / blog already. So, normally (& in your case), this is not a problem.If however one has a blog that is hidden behind a login screen — then, the embedded comments would still be accessible via
https://comments-for- ... .talkyard.net(and could be embedded on someone'slocalhost:4000website too). One would then need to edit the Talkyard admin settings and make the comments site private, visible only after login. But currently this wouldn't integrate well with the login system used by the blog. I'd need to add single-sign-on functionality.- DJason @detly
Hah, I thought of a different threat model: if you've got a predictable post URL (eg. date based) then someone could post a bunch of spammy comments before you publish (especially bad if you schedule publishing for later and aren't keeping an eye on it).
- KajMagnus @KajMagnus2018-04-21 11:08:38.186Z2018-04-21 11:19:31.420Z
Ok yes that seems like a security issue. (And a minor one, I'd say, in comparison to other things that might happen, e.g. personal data leaks.) ... Edit: Hmm, (10 min later) or, no... I don't think it is, look at the "on the other hand" text I appended at the end of this comment. /Edit
Another way someone could get to know about the URL for a future post, could be if there's a company, and someone says "We've scheduled auto-publishing of a post about ...., on Friday night, here: http://....." and then an angry employee posts angry-kittens pics at that URL.
I think this can be done also without
http://localhost:4000I think — if one e.g. edits one'shostsfile and maps the embedding server address to 127.0.0.1. Then one can open that address in a localhost server & browser, and post comments to the URL.Also via
cURLone can post comments to new URLs. (One then need to login in to Talkyard, and copy one's session cookie and include in the cURL request.)One way to stop this, could be if the Talkyard server checks if there is actually a page at the embedding URL. Do you have any thoughts about that? Or additional ideas? Or happen to know how any other commenting system deals with this (if they do)? (I searched for sth like "disqus post to non-existing url" but found nothing)
Edit: Hmm on the other hand, if such a check was added, or this was "solved" in some other way... Someone could still just write a bot, that waits until the page appears and then posts the comments. Maybe the real solution to this, is instead moderator approval of everyone's first few comments. And that's already supported.
- DJason @detly
Yeah, the more I think about it the more I think there's not a threat that makes sense. I have no idea how Disqus does it, and for all I know they don't (as in, maybe you could embed someone else's comments section on your own page, just to... confuse everyone?). I do know I never had to configure Disqus specially to allow access from
localhost.
- In reply todetly⬆:KajMagnus @KajMagnus2018-05-01 06:32:38.359Z
You can also test Talkyard on your local laptop static site, without creating a Talkyard account at all:
There's a Talkyard comments site, intended for testing:
https://comments-demo.talkyard.io, which lets you embed it from anywhere, e.g. from localhost.When you configure the embedded comments, set the Talkyard server URL to
https://comments-demo.talkyard.io, and you'll see how Talkyard looks, for you.However you won't be able to change things like the background color — because you're not an admin at the demo site. To change colors & things, you need to create your own site.
Example: if you copy-paste the HTML below into a plain text file, with a
.htmlsuffix, and show it in a local web server on localhost, the Talkyard comments will load:<html> <head><title>Embedded comments test</title></head> <body style="background: #292929; color: #eee; font-family: monospace"> <p> Talkyard embedded comments test page. A reply button should appear below, against a white background: </p> <script>talkyardServerUrl='https://comments-demo.talkyard.io';</script> <script async defer src="https://comments-demo.talkyard.io/-/talkyard-comments.min.js"></script> <!-- You can specify a per page discussion id on the next line, if your URLs might change. --> <div class="talkyard-comments" data-discussion-id="" style="margin-top: 45px;"> <noscript>Please enable Javascript to view comments.</noscript> <p style="margin-top: 25px; opacity: 0.9; font-size: 96%">Comments powered by <a href="https://www.talkyard.io">Talkyard</a>.</p> <p>End of page.</p> </body> </html>