Don't brotli-compress the Tor hidden service

The Tor hidden service does not use TLS, so it doesn't use HTTP/2 or
HTTP/3. Therefore, it can't use Brotli; statically-compressing Brotli
content is just wasted CPU cycles.

Makefile

@@ -18,8 +18,6 @@ RSYNCFLAGS_EXTRA ?=
 # compression gets slow for extreme levels like the old "70109"
 ECT_LEVEL=9
 
-VNU ?= vnu
-
 csv/webrings.csv:
 	sh scripts/populate-webrings.sh
 
@@ -60,7 +58,7 @@ validate-json:
 
 .PHONY: validate-html
 validate-html:
-	$(VNU) --stdout --format json --skip-non-html --also-check-svg $(OUTPUT_DIR) | sh scripts/filter-vnu.sh
+	sh scripts/vnu.sh $(OUTPUT_DIR)
 
 .PHONY: htmlproofer
 htmlproofer:
@@ -149,10 +147,11 @@ deploy-prod: .prepare-deploy
 	@$(MAKE) copy-to-xhtml
 	@$(MAKE) deploy
 
+# hidden service doesn't need brotli
 .PHONY: deploy-onion
 deploy-onion:
 	@$(MAKE) WWW_ROOT=/var/www/seirdy.onion HUGO_BASEURL='http://wgq3bd2kqoybhstp77i3wrzbfnsyd27wt34psaja4grqiezqircorkyd.onion/' OUTPUT_DIR=public_onion .prepare-deploy
-	@$(MAKE) WWW_ROOT=/var/www/seirdy.onion HUGO_BASEURL='http://wgq3bd2kqoybhstp77i3wrzbfnsyd27wt34psaja4grqiezqircorkyd.onion/' OUTPUT_DIR=public_onion compress
+	@$(MAKE) WWW_ROOT=/var/www/seirdy.onion HUGO_BASEURL='http://wgq3bd2kqoybhstp77i3wrzbfnsyd27wt34psaja4grqiezqircorkyd.onion/' OUTPUT_DIR=public_onion gzip
 	@$(MAKE) WWW_ROOT=/var/www/seirdy.onion HUGO_BASEURL='http://wgq3bd2kqoybhstp77i3wrzbfnsyd27wt34psaja4grqiezqircorkyd.onion/' OUTPUT_DIR=public_onion copy-to-xhtml
 	@$(MAKE) WWW_ROOT=/var/www/seirdy.onion HUGO_BASEURL='http://wgq3bd2kqoybhstp77i3wrzbfnsyd27wt34psaja4grqiezqircorkyd.onion/' OUTPUT_DIR=public_onion deploy-html
 

content/meta/privacy.md

@@ -8,6 +8,8 @@ date: "2022-04-06T00:00:00+00:00"
 Summary
 -------
 
+Basically, I don't track you.
+
 - I only collect default server logs.
 - I purge server logs regularly, except for some robot traffic.
 - Searches are powered by the Search My Site API.
@@ -65,11 +67,11 @@ These services currently run on, but do not necessarily endorse, virtual private
 
 Log entries will persist for between two and three days. Purges of server logs occur every day at <time datetime="00:00:00">00:00 UTC</time>
 
-Before purging, I may preserve the "User-Agent" request headers of agents that clearly identify as bots.
+Before purging, I may preserve the "User-Agent" request headers of agents that clearly identify as robots.
 
 ### How I use your information
 
-I use server logs to detect <abbr title="Denial of Service">DoS</abbr> attacks, misbehaving bots, and search engines to add to [my public collection](../../posts/2021/03/10/search-engines-with-own-indexes/).
+I use server logs to detect <abbr title="Denial of Service">DoS</abbr> attacks, misbehaving bots, and search engines to add to [my public collection]({{<relref "/posts/search-engines-with-own-indexes.md">}}).
 
 Information I share
 -------------------
@@ -101,9 +103,12 @@ By default, web browsers can share near-arbitrary identifying data with a server
 
 By default, user agents using HTTPS may contact a certificate authority to check the revocation status of an TLS certificate. I have disabled and replaced this behavior by including an "OCSP Must-Staple" directive in the TLS certificates used by my Web servers.
 
+By default, web browsers can speculatively make DNS queries for domains linked on a page, potentially leaking information about the current page to a DNS server. I send an `X-DNS-Prefetch-Control: off` header to disable this when possible; it's respected by Chromium, Firefox, and derivatives.
+
 By default, user agents using HTTP or HTTPS may share a "referring" location with the destination website when following a link. I have disabled this by sending a `Referrer-Policy: no-referrer` header. One exception is links on the home page's "Webrings" section; some of these require a referring domain to function.
 
 By default, Web browsers may share characteristics about the user's hardware, connection type, and personalizations using Client Hints and media queries. Browsers may request Web content conditionally, in response to a `media` attribute in (X)HTML documents. Browsers may leverage stylesheets that use media queries to select varying `background-image` files. No Web content on seirdy.one will send network traffic in response to media queries except <code>prefers-color-<wbr />scheme</code>, assuming the use of a standards-compliant browser. Media queries and client hints will have no impact on HTTP responses except for dark image variants. This is a single binary piece of information that isn't enough to let me realistically identify anyone.
 
 By default, many networks and Internet service providers often alter requests by redirecting them or injecting content. I have prevented this behavior by using a secure TLS cipher suite.
 
+By default, most web browsers connect to a website over insecure HTTP when users don't specify don't specify a URL scheme; this is frequently exploited by hostile networks to inject content or re-direct traffic. I mitigate this to the extent I can by using a `Strict-Transport-Security` header, participating in HSTS-Preload lists, and adding an HTTPS DNS record for HTTP/2 and HTTP/3 DNS-based APLN.

layouts/partials/webmentions.html

@@ -1,4 +1,4 @@
-{{- $wbmLinks := (slice "https://si3t.ch/log/2021-04-18-entetes-floc.html" "https://xmpp.org/2021/02/newsletter-02-feburary/" "https://gurlic.com/technology/post/393626430212145157" "https://gurlic.com/technology/post/343249858599059461" "https://www.librepunk.club/@penryn/108411423190214816" "https://benign.town/@josias/108457015755310198" "http://www.tuxmachines.org/node/148146" "https://i.reddit.com/r/web_design/comments/k0dmpj/an_opinionated_list_of_best_practices_for_textual/gdmxy4u/" "https://bbbhltz.space/posts/thoughts-on-tech-feb2021/") -}}
+{{- $wbmLinks := (slice "https://si3t.ch/log/2021-04-18-entetes-floc.html" "https://xmpp.org/2021/02/newsletter-02-feburary/" "https://gurlic.com/technology/post/393626430212145157" "https://gurlic.com/technology/post/343249858599059461" "https://www.librepunk.club/@penryn/108411423190214816" "https://benign.town/@josias/108457015755310198" "http://www.tuxmachines.org/node/148146" "https://i.reddit.com/r/web_design/comments/k0dmpj/an_opinionated_list_of_best_practices_for_textual/gdmxy4u/" "https://bbbhltz.space/posts/thoughts-on-tech-feb2021/" "https://jorts.horse/@alice/108477866954580532") -}}
 <hr />
 <section aria-labelledby="webmentions">
 		<h2 id="webmentions" tabindex="-1">Web&#173;mentions</h2>

linter-configs/htmltest.yml

@@ -51,4 +51,5 @@ IgnoreURLs:
   # - "https://forum.kuketz-blog.de/viewtopic.php?p=78202" # manual check: blocks crawlers
   - "https://forum.kuketz-blog.de/viewtopic.php"
   - "https://web.archive.org/web/0/http" # the wayback machine itself.
+  - "https://webring.yesterweb.org/noJS/index.php" # Seems to block htmltest; check manually
 OutputDir: "linter-configs/htmltest"

linter-configs/vnu_filter.jq

@@ -21,10 +21,6 @@
 			( # see https://github.com/w3c/css-validator/issues/370
 				.message == "CSS: “contain”: “inline-size” is not a “contain” value."
 			)
-			or
-			( # the search page has raw templates, let those slide. I validate the final dynamic search page manually.
-				.url | test ("/search/index.")
-			)
 		) | not
 	)
 ) | del(..|select(. == [])) | del(..|select(. == {})) | select(. != null)

scripts/vnu.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e -u
+pwd="$(dirname "$0")"
+output_dir="$1"
+
+files_to_analyze() {
+	find "$output_dir" -type f -name '*.html' -o -name '*.svg' \
+		| grep -Ev '(bimi\.svg|search/index\.x?html)$'
+}
+
+# we skip the BIMI icon (VNU can't handle SVG 1.2) and the search page (it has raw templates).
+vnu \
+	--stdout \
+	--format json \
+	--also-check-svg \
+	$(files_to_analyze) \
+	| sh "$pwd/filter-vnu.sh"

static/bimi.svg

@@ -0,0 +1 @@
+<svg version="1.2" baseProfile="tiny-ps" height="1024" width="1024" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1024 1024"><title>Seirdy</title><path d="m0 0h1024v1024h-1024z"/><path d="M348.4 721.7q-15.4 0-30-4.6t-25.3-15.4q-10.8-10.8-15.4-25.3-4.6-14.6-4.6-30t4.6-30q4.6-14.6 15.4-25.3 10.8-10.8 25.3-15.4 14.6-4.6 30-4.6t30 4.6q14.6 4.6 25.3 15.4 10.8 10.8 15.4 25.3 4.6 14.6 4.6 30t-4.6 30q-4.6 14.6-15.4 25.3-10.8 10.8-25.3 15.4-14.6 4.6-30 4.6zm0-268.8q-15.4 0-30-4.6t-25.3-15.4q-10.8-10.8-15.4-25.3-4.6-14.6-4.6-30t4.6-30q4.6-14.6 15.4-25.3 10.8-10.8 25.3-15.4 14.6-4.6 30-4.6t30 4.6q14.6 4.6 25.3 15.4 10.8 10.8 15.4 25.3 4.6 14.6 4.6 30t-4.6 30q-4.6 14.6-15.4 25.3-10.8 10.8-25.3 15.4-14.6 4.6-30 4.6zM654.8 873l-58.4-44.5q45.3-53.8 64.5-107.5-17.7-2.3-33-12.3-14.6-10.8-21.5-27.6-6.1-16.9-6.1-34.6 0-15.4 4.6-30t15.4-25.3q10.8-10.8 25.3-15.4 14.6-4.6 30-4.6t30 4.6q14.6 4.6 25.3 15.4 10.8 10.8 15.4 25.3 4.6 14.6 4.6 30v3.8q-1.5 111.4-96 222.7zm20.7-420.1q-15.4 0-30-4.6t-25.3-15.4q-10.8-10.8-15.4-25.3-4.6-14.6-4.6-30t4.6-30q4.6-14.6 15.4-25.3 10.8-10.8 25.3-15.4 14.6-4.6 30-4.6t30 4.6q14.6 4.6 25.3 15.4 10.8 10.8 15.4 25.3 4.6 14.6 4.6 30t-4.6 30q-4.6 14.6-15.4 25.3-10.8 10.8-25.3 15.4-14.6 4.6-30 4.6z" fill="#fff"/></svg>