Meta:: describe 0-RTT adoption

This gives files much smaller fingerprints, and supports caching.

Makefile

@@ -189,5 +189,5 @@ lint-and-deploy-staging:
 deploy-envs:
 	@$(MAKE) HUGO_FLAGS='--gc --ignoreCache' USER=seirdy@envs.net WWW_ROOT=/home/seirdy/public_html GEMINI_ROOT=/home/seirdy/public_gemini HUGO_BASEURL='https://envs.net/~seirdy/' OUTPUT_DIR=public_envs xhtmlize
 	@$(MAKE) HUGO_FLAGS='--gc --ignoreCache' USER=seirdy@envs.net WWW_ROOT=/home/seirdy/public_html GEMINI_ROOT=/home/seirdy/public_gemini HUGO_BASEURL='https://envs.net/~seirdy/' OUTPUT_DIR=public_envs copy-to-xhtml
-	@$(MAKE) HUGO_FLAGS='' USER=seirdy@envs.net WWW_ROOT=/home/seirdy/public_html GEMINI_ROOT=/home/seirdy/public_gemini HUGO_BASEURL='https://envs.net/~seirdy/' OUTPUT_DIR=public_envs html-validate validate-html validate-json validate-feeds
+	@$(MAKE) HUGO_FLAGS='' USER=seirdy@envs.net WWW_ROOT=/home/seirdy/public_html GEMINI_ROOT=/home/seirdy/public_gemini HUGO_BASEURL='https://envs.net/~seirdy/' OUTPUT_DIR=public_envs validate-html validate-json validate-feeds
 	@$(MAKE) SSHFLAGS='-o KexAlgorithms=curve25519-sha256@libssh.org' HUGO_FLAGS='' USER=seirdy@envs.net WWW_ROOT=/home/seirdy/public_html GEMINI_ROOT=/home/seirdy/public_gemini HUGO_BASEURL='https://envs.net/~seirdy/' OUTPUT_DIR=public_envs deploy

assets/manifest.webmanifest

@@ -1,8 +1,8 @@
-{{- $192png := resources.Get "/favicon192.png" | resources.Fingerprint "md5" }}
+{{- $192png := partialCached "cache-bust.html" "/favicon192.png" "favicon192.png" }}
-{{- $512png := resources.Get "/favicon512.png" | resources.Fingerprint "md5" }}
+{{- $512png := partialCached "cache-bust.html" "/favicon512.png" "favicon512.png" }}
-{{- $1024svg := resources.Get "/favicon.svg" | resources.Fingerprint "md5" }}
+{{- $1024svg := partialCached "cache-bust.html" "/favicon.svg" "/favicon.svg" }}
-{{- $maskablesvg := resources.Get "/maskable_android.svg" | resources.Fingerprint "md5" -}}
+{{- $maskablesvg := partial "cache-bust.html" "/maskable_android.svg" }}
-{{- $monochromesvg := resources.Get "/monochrome.svg" | resources.Fingerprint "md5" -}}
+{{- $monochromesvg := partial "cache-bust.html" "/monochrome.svg" }}
 {
 	"name": "{{site.Title}}",
 	"short_name": "Seirdy",

content/meta/_index.md

@@ -82,7 +82,9 @@ Awards and badges
 
 <figcaption itemprop="caption">
 
-[Internet.nl](https://internet.nl/) offers an automated website security check. Relevant buzzwords include IPv6, DNSSEC, TLS, HTTP security headers, and RPKI. [See a report for seirdy.one](https://internet.nl/site/seirdy.one/1745918/).
+[Internet.nl](https://internet.nl/) offers an automated website security check. Relevant buzzwords include IPv6, DNSSEC, TLS, HTTP security headers, and RPKI. [See a report for seirdy.one](https://internet.nl/site/seirdy.one/2510940/).
+
+Internet.nl penalizes the use of [0-RTT](https://blog.cloudflare.com/introducing-0-rtt/) because it opens sites up to replay attacks. Since passing the test, I moved all non-idempotent content to other subdomains. Save for some fancy Nginx redirects, everything on the `seirdy.one` domain is static public content. This property made it safe to enable 0-RTT without being at risk of replay attacks. As of right now, I don't pass the test, but I consider the 0-RTT failure to be a false positive.
 
 </figcaption>
 

layouts/_default/404.html

@@ -17,7 +17,7 @@
 <meta name="robots" content="noindex,nofollow,nosnippet" />
 <title>{{ .Title }}</title>
 {{ if not (in site.BaseURL ".onion") -}}
-{{ $icon_svg := resources.Get "/favicon.svg" | resources.Fingerprint "md5" }}
+{{ $icon_svg := partialCached "cache-bust.html" "/favicon.svg" "/favicon.svg" }}
 {{- printf `<link rel="icon" sizes="any" href="%s" type="image/svg+xml" />` $icon_svg.RelPermalink | safeHTML }}
 {{- end }}
 {{ $icon_192 := resources.Get "/favicon192.png" | resources.Fingerprint "md5" }}

layouts/_default/list.atom.xml

@@ -9,9 +9,9 @@
 {{- if eq .Section "notes" -}}
 	{{- $period = "hourly" -}}
 {{- end -}}
-{{- $faviconSvg := resources.Get "/favicon.svg" | resources.Fingerprint "md5" -}}
+{{- $faviconSvg := partialCached "cache-bust.html" "/favicon.svg" "/favicon.svg" -}}
-{{- $image := resources.Get "/favicon192.png" | resources.Fingerprint "md5" -}}
+{{- $image := partialCached "cache-bust.html" "/favicon192.png" "/favicon192.png" -}}
-{{- $atomLogo := resources.Get "/atom.svg" | resources.Fingerprint "md5" -}}
+{{- $atomLogo := partial "cache-bust.html" "/atom.svg" -}}
 {{- /*rejected http://backend.userland.com/creativeCommonsRssModule, as it's completely redundant with <rights> and rel-license. */ -}}
 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
 <feed
@@ -93,7 +93,7 @@
 		<activity:object-type>http://activitystrea.ms/schema/1.0/{{ $type }}</activity:object-type>
 		<activity:verb>http://activitystrea.ms/schema/1.0/post</activity:verb>
 		{{- with .Params.image -}}
-		{{- $image = resources.Get (printf "/p/%s" . ) | resources.Fingerprint "md5" -}}
+			{{- $image := partial "cache-bust.html" (printf "/p/%s" . ) -}}
 		{{- end -}}
 		<media:thumbnail url="{{ $image.Permalink }}" width="{{ $image.Width }}" height="{{ $image.Height }}" />
 		{{ with .Description -}}

layouts/partials/cache-bust.html

@@ -0,0 +1,5 @@
+{{ $resource := resources.Get . -}}
+{{- $target_path_formatStr := (replaceRE `(\.[^\.]*)$` ".%d$1" .) -}}
+{{- $cacheBuster := $resource.Content | crypto.FNV32a -}}
+{{- $target_path := printf $target_path_formatStr $cacheBuster -}}
+{{- return resources.Copy $target_path $resource -}}

layouts/partials/head.html

@@ -55,10 +55,10 @@
 	{{- end -}}
 	<!--the Tor Browser's safest setting disables SVGs but still downloads them to avoid fingerprinting-->
 	{{ if not (in site.BaseURL ".onion") -}}
-	{{ $icon_svg := resources.Get "/favicon.svg" | resources.Fingerprint "md5" }}
+	{{ $icon_svg := partialCached "cache-bust.html" "/favicon.svg" "/favicon.svg" }}
 	{{- printf `<link rel="icon" sizes="any" href="%s" type="image/svg+xml" />` $icon_svg.RelPermalink | safeHTML }}
 	{{- end }}
-	{{ $icon_192 := resources.Get "/favicon192.png" | resources.Fingerprint "md5" }}
+	{{ $icon_192 := partialCached "cache-bust.html" "/favicon192.png" "/favicon192.png" }}
 	{{- printf `<link rel="icon" sizes="192x192" href="%s" type="image/png" />` $icon_192.RelPermalink | safeHTML -}}
 	<meta name="color-scheme" content="light dark" />
 	<meta name="format-detection" content="telephone=no" /><!-- Why does apple do this -->
@@ -70,10 +70,10 @@
 	<meta property="og:type" content="article" />
 	{{- end -}}
 	<!-- ANOTHER meta image?! When will it end? -->
-	{{- $og_image := resources.Get "/favicon512.png" | resources.Fingerprint "md5" -}}
+	{{- $og_image := partialCached "cache-bust.html" "/favicon512.png" "/favicon512.png" -}}
 	{{- $og_image_alt := "" -}}<!--Default open graph image is purely decorative and visual, so it should be hidden from assistive technologies.-->
 	{{- with .Params.image -}}
-		{{- $og_image = resources.Get (printf "/p/%s" . ) | resources.Fingerprint "md5" -}}
+		{{- $og_image = partial "cache-bust.html" (printf "/p/%s" .) -}}
 	{{- end -}}
 	{{- with .Params.image_alt -}}
 		{{- $og_image_alt = . -}}

layouts/shortcodes/audio.html

@@ -21,14 +21,14 @@
 	>
 	{{ with $opus -}}
 	{{- $download_url = $opus.RelPermalink -}}
-	{{ $opus_src := . | resources.Fingerprint "md5" -}}
+	{{ $opus_src := partial "cache-bust.html" . -}}
 	<source
 		src="{{ $opus_src.RelPermalink }}"
 		type='audio/ogg; codecs="opus"' />
 	{{ end -}}
 	{{ with $mp3 -}}
 	{{- $download_url = $mp3.RelPermalink -}}
-	{{ $mp3_src := . | resources.Fingerprint "md5" -}}
+	{{ $mp3_src := partial "cache-bust.html" . -}}
 	<source
 		src="{{ $mp3_src.RelPermalink }}"
 		type="audio/mpeg" />

layouts/shortcodes/indieweb-author.html

@@ -1,5 +1,4 @@
-{{- $favicon := resources.Get "/favicon.png" -}}<!-- re-using the favicon for the author photo -->
+<!-- re-using the favicon for the author photo
-{{- $favicon_base64 := $favicon.Content | base64Encode -}}<!--
 	Reader mode implementations use .p-author, itemprop=author, and/or .author to add
 	a byline. Some also strip elements matching the "byline" class to avoid duplicating
 	the byline. Mozilla Readability uses both microformats1 and microformats2 while

layouts/shortcodes/indieweb-icon.html

@@ -1,10 +1,10 @@
-{{ $favicon := resources.Get "/favicon.png" -}}
+{{- $src := "" -}}
-{{- $favicon_base64 := $favicon.Content | base64Encode -}}
-{{- $favicon_svg := resources.Get "/favicon.svg" | resources.Fingerprint "md5" -}}
 {{- if in site.BaseURL ".onion" -}}
-<img itemprop="image" width="16" height="16" alt=""
+{{- $favicon := resources.Get "/favicon.png" -}}
-	src="data:image/png;base64,{{ $favicon_base64 }}" class="u-photo photo" />
+{{- $favicon_base64 := $favicon.Content | base64Encode -}}
+{{- $src = printf "data:image/png;base64,%s" $favicon_base64 -}}
 {{- else -}}
-<img itemprop="image" width="16" height="16" alt=""
+{{- with (partialCached "cache-bust.html" "/favicon.svg" "/favicon.svg") -}}
-	src="{{ $favicon_svg.Permalink }}" class="u-photo photo" />
+{{- $src = .Permalink -}}
-{{- end }}
+{{- end -}}{{- end -}}
+<img itemprop="image" width="16" height="16" alt="" src="{{ $src }}" class="u-photo photo" />

layouts/shortcodes/picture.html

@@ -32,7 +32,7 @@
 <picture>
 	{{- if not (in site.BaseURL ".onion") -}}
 	{{ with $dark_svg -}}
-	{{ $dark_svg_src := . | resources.Fingerprint "md5" -}}
+	{{ $dark_svg_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $dark_svg_src.RelPermalink }}"
 		type="image/svg+xml"
@@ -40,28 +40,28 @@
 	{{ end -}}
 	{{ end -}}
 	{{ with $dark_jxl -}}
-	{{ $dark_jxl_src := . | resources.Fingerprint "md5" -}}
+	{{ $dark_jxl_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $dark_jxl_src.RelPermalink }}"
 		type="image/jxl"
 		media="screen and (prefers-color-scheme: dark)" />
 	{{ end -}}
 	{{ with $dark_avif -}}
-	{{ $dark_avif_src := . | resources.Fingerprint "md5" -}}
+	{{ $dark_avif_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $dark_avif_src.RelPermalink }}"
 		type="image/avif"
 		media="screen and (prefers-color-scheme: dark)" />
 	{{ end -}}
 	{{ with $dark_webp -}}
-	{{ $dark_webp_src := . | resources.Fingerprint "md5" -}}
+	{{ $dark_webp_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $dark_webp_src.RelPermalink }}"
 		type="image/webp"
 		media="screen and (prefers-color-scheme: dark)" />
 	{{ end -}}
 	{{ with $orig_img_dark -}}
-	{{ $orig_dark_src := . | resources.Fingerprint "md5" -}}
+	{{ $orig_dark_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $orig_dark_src.RelPermalink }}"
 		type="{{ $orig_img_dark_type }}"
@@ -69,31 +69,31 @@
 	{{ end -}}
 	{{- if not (in site.BaseURL ".onion") -}}
 	{{ with $light_svg -}}
-	{{ $light_svg_src := . | resources.Fingerprint "md5" -}}
+	{{ $light_svg_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $light_svg_src.RelPermalink }}"
 		type="image/svg+xml" />
 	{{ end -}}
 	{{ end -}}
 	{{ with $light_jxl -}}
-	{{ $light_jxl_src := . | resources.Fingerprint "md5" -}}
+	{{ $light_jxl_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $light_jxl_src.RelPermalink }}"
 		type="image/jxl" />
 	{{ end -}}
 	{{ with $light_avif -}}
-	{{ $light_avif_src := . | resources.Fingerprint "md5" -}}
+	{{ $light_avif_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $light_avif_src.RelPermalink }}"
 		type="image/avif" />
 	{{ end -}}
 	{{ with $light_webp -}}
-	{{ $light_webp_src := . | resources.Fingerprint "md5" -}}
+	{{ $light_webp_src := partial "cache-bust.html" . -}}
 	<source
 		srcset="{{ $light_webp_src.RelPermalink }}"
 		type="image/webp" />
 	{{ end -}}
-	{{ $orig_src := $orig_img | resources.Fingerprint "md5" -}}
+	{{ $orig_src := partial "cache-bust.html" $orig_img -}}
 	<source
 		srcset="{{ $orig_src.RelPermalink }}"
 		type="{{ $orig_img_type }}" />

scripts/xhtmlize-single-file.sh

@@ -47,6 +47,7 @@ sed 7d "$html_file" | run_xmllint | tail -n +2 >"$tmp_file"
 		-e '1,7d' \
 		-e 's|</span><span itemprop="familyName"|</span>\&#160;<span itemprop="familyName"|' \
 		-e 's|class="u-photo photo"[^<]*<|class="u-photo photo"/> <|' \
+		-e 's|<pre>|<pre tabindex="0">|' \
 		-E \
 		-e 's|([a-z])<data|\1 <data|' \
 		-e 's#</span>(<a[^>]*rel="(nofollow ugc|ugc nofollow)"([^>]*)?>liked</a>)#</span> \1#' \