694 Matching Annotations
  1. Dec 2020
  2. Aug 2020
    1. Now you have the extension up and running. It's time to start annotating some documents.

      Quick test

  3. Jun 2020
  4. May 2020
  5. Apr 2020
    1. As long as expressions typed into the Web Console are side-effect free

      Does anyone know how "side-effect free" is determined?

  6. Mar 2020
  7. Feb 2020
    1. TPG is an accessibility solutions provider offering full-service accessibility consulting and a leading provider of accessibility monitoring and management software solutions.

      This is a test annotation.

    1. How likely are you to pop open the browser developer tools to look for an overzealous aria-label on a <div>-as-button-via-role-sans-keyboard-handler monstrosity to explain that the button you thought said “Submit” is the one the user hears as “Activate this button to submit this form,” all thanks to a well-meaning developer who thought it was necessary?

      Example of a problem caused by mismatched labels for different users.

    1. Safari Settings: Advanced > Accessibility > Press Tab to highlight each item on a webpage

      In Safari 13.0.5 on macOS 10.15:

    2. System Settings: Keyboard > Shortcuts > Full Keyboard Access > All controls

      I think this may be out of date. On macOS 10.15 (Catalina) I see no such option. However there is an option to enable keyboard navigation with a different label ("Use keyboard navigation...").

      System settings in macOS 10.15

  8. Jan 2020
    1. Should only be "Strict" or "Lax".

      What about setting the value to None for a cookie where it is specifically desired for the cookie to be available in a third-party context?

      Third-party cookies are eventually going away so perhaps that is not a viable option long term.

  9. Nov 2019
  10. Oct 2019

      Annotation on the second "RRID:WB-STRAIN" text


      Annotation on the first "RRID:WB-STRAIN" text.

  11. Aug 2019
  12. hypothesis-h5p.s3.us-east-2.amazonaws.com
    1. Hypothesis

      This is a demo of an H5P-enabled Hypothesis client. It also shows how OAuth can be used to create customized clients which talk to the Hypothesis backend.

      Go to the Page Notes for more details.

      <iframe src="https://h5p.org/h5p/embed/6725" width="1090" height="387" frameborder="0" allowfullscreen="allowfullscreen"></iframe><script src="https://h5p.org/sites/all/modules/h5p/library/js/h5p-resizer.js" charset="UTF-8"></script>

    1. The online teacher creates, selects, and organizes appropriate assignments and assessments to align curricular content with associated standards-based learning goals

      This is a test to investigate a Hypothesis bug report. See https://github.com/hypothesis/lms/issues/875

  13. May 2019
    1. Try it out!

      Hi Tom!

      Thanks for sharing your feedback on Hypothesis UX at iAnnotate this year.

      If you use the Hypothesis client with the “clean” theme I recommend using the data-hypothesis-trigger attribute to create a button or other affordance to open the sidebar. See https://h-client.readthedocs.io/en/latest/publishers/host-page-integration/ for details. This allows users to see comments without having to find a highlight.

  14. Apr 2019
    1. A caveat here is that the rewriting may add quite a lot of code to your bundle,

      See this GitLab issue for a real-world example of where this became a problem.

  15. Dec 2018
    1. AngularJS

      Since a few candidates have asked this, we're not wedded to Angular as a framework, but it was perceived as a sensible choice back in the early days of the project in 2013-2015. In more recent times we've had higher-priority technical issues to address.

      Setting the future technical direction and helping to implement it is part of the role.

  16. Oct 2018
    1. The simplest way to generate a private key and self-signed certificate for localhost is with this openssl command:

      Keys generated using this command are trusted by browsers (I've tested with Safari, Chrome, Firefox).

      I found that they were not trusted by SSL client libraries (eg. Python's ssl package or requests) which use openssl because the keyUsage setting is missing the keyCertSign flag.

      Changing the keyUsage= section to keyUsage=digitalSignature,keyCertSign resolved the problem.

      See also: https://stackoverflow.com/a/39536777/434243

  17. Jul 2018
  18. Jun 2018
    1. disable DoH

      Should this say enable DoH under all circumstances? Presumably the current default, mode 0, is always off anyway.

  19. May 2018
    1. and agree to them before you start annotating

      We added a link to the privacy policy, terms of service and community guidelines on the sign up page. We added a checkbox that you have to tick before you can sign up.

    2. For the Hypothesis website, we’ve taken new steps to anonymize the information we collect

      In practical terms this means that we turned on Google Analytics' IP anonymization feature which zeroes the last octet of your IP address.

  20. Apr 2018
    1. probably UTF-8

      Almost certainly UTF-8 on macOS and Linux. I'm not sure about Windows.

    2. What encoding are literal byte strings in?

      It wasn't clear to me after reading this, but -*- coding: utf-8 -*- comments are redundant in Python 3 because the default encoding of files is UTF-8.

    1. Before adding a new collaborator, they will need to generate a GPG key. GitHub has good instructions for doing this

      Steps for new developers to create public keys.

  21. biopub.hypothes.is
    1. Hypothesis admins can manage the members for a group in the admin dashboard at https://hypothes.is/admin/groups/

    1. it has been reported in 2008 but not yet being worked on by anyone.

      This issue has now been fixed.

  22. Mar 2018
    1. For security reasons, after you navigate off the page, you will not be able to see the token again.

      So if you forget your token, you'll need to generate a new one :)

    1. A high-level technical explanation of how Dropbox's PDF annotation interface is implemented.

      Quite interesting for Hypothesis.

  23. Feb 2018
  24. hypothesis-h5p.s3.us-east-2.amazonaws.com
    1. About this demo

      This is a test client which shows: 1) how to use OAuth to create customized Hypothesis clients and 2) is a prototype of support for H5P, a system for creating embed-able interactive content such as quizzes etc.

      To add a new annotation with H5P content:

      1. Log in to this client by clicking the Log In link and approve access when prompted.
      2. Go to https://h5p.org/ and find a piece of demo content.
      3. Click the "Embed" button at the bottom of any embed.
      4. Copy and paste the embed code into a new annotation or Page Note on this page.

      Next, try creating your own interactive content on H5P.org and pasting embed links here.

      🤠 - H5P content is sandboxed to prevent malicious abuse. Some functionality may not be available. Let me know if you find issues.

      Contact me at robertknight@hypothes.is

  25. biopub.hypothes.is
    1. Welcome to the BioPub website 🔬.

      This is a demo site designed to show various aspects of how Hypothesis can be integrated by publishers into their articles.

      To learn more, have a look at the project's README on GitHub.

    1. The ULEZ standards are:

      See the table at https://www.rac.co.uk/drive/advice/emissions/euro-emissions-standards/ for a rough guide to what standard a vehicle meets based upon its date of registration.

  26. Jan 2018
    1. Tutorial: OAuth

      This page is about OAuth v1. Most web services, including Google APIs, now use OAuth v2 which is simpler in various respects. The documentation for that is https://developer.chrome.com/apps/app_identity

    1. Unfortunately not every database supports savepoints and SQLite is precisely one of those that doesn’t

      I'm not sure if this is still true, SQLite does have a SAVEPOINT command now. Whether SQLAlchemy supports it and whether there are any limitations with it I don't know.

    1. Transaction objects manage resources for an individual activity.

      For a more detailed introduction to the transaction package, see https://zodb.readthedocs.io/en/latest/transactions.html

  27. Dec 2017
  28. Nov 2017
    1. synchronously with the request

      We are trying to clarify in https://github.com/hypothesis/h/pull/4700#discussion_r153477745 whether search requests made after an index operation with refresh=true are guaranteed to see the change. My understanding from these docs is that this is true in ES 6.

      Anyone know about earlier versions?

    1. Running these queries on a field with many unique terms can be resource intensive indeed. Avoid using a pattern that starts with a wildcard (for example, *foo or, as a regexp, .*foo).
    1. Interesting article on gzip compression. It explains how to apply knowledge about how gzip (and specifically DEFLATE) compression works in order to generate source text that compresses better.

      A shame that the gzthermal tool is not open source at present.

    1. The Lot System is one such idea which has emerged from the movement

      See http://www.carolhanisch.org/CHwritings/Leadership.html for an explanation of how the "lot system" worked.

    2. rushed

      Coming from the UK where sororities / fraternities are not really a thing as far as I know, I had to look this up: https://en.wikipedia.org/wiki/Sorority_recruitment

    3. New Left

      A political movement from the 1960s and 1970s campaigning for social change and reform.


    4. as too threatening to have as close friends

      Why "threatening"?

    5. rap group

      A "consciousness raising group". See this article.

    1. The aforementioned Yelp reviews is already testing these boundaries with its Monocle feature

      The Wired article on the Monocle feature dates back to 2009. In 2017, it is still apparently a hidden feature in the Yelp app.

    2. A new batch of apps that allow users to create hidden graffiti using AR raises an important question about who is legally allowed to “tag” a place.

      So basically all the discussions we have had within Hypothesis about rights to write over web pages will be had, but this time applied to the real world.

  29. Oct 2017
  30. blog.twitter.com
    1. This article argues for the benefits of favoring integration ("feature") tests over unit tests. An opposing argument ("integration tests are a scam") is that reliance on integration tests is a bad idea because of the difficulty of covering all possible code paths with integration tests as opposed to unit tests.

      A half-way point between the two views is the concept of a testing pyramid which advocates having end-to-end, integration and unit tests, but with a larger number of the latter and a smaller number of the former.

    1. I actually just figured this out and it seems to be working.  I found this article:

      This might be useful for resolving an issue we have with Google Groups where replies made via Zendesk to support requests originating from emails to a Google Groups forum only go to the original user and do not appear on the Google Groups mailing list.

    1. It is also possible to filter all events for the entire application, by installing an event filter on the QApplication or QCoreApplication object.

      You can use this to observe all user interactions in an application for example.

    1. A list of some simple suggested exercises to do with a foam roller. One notable point was a recommendation that exercises should be done before workouts.

  31. Sep 2017
    1. In New York, however, where some 2016 numbers are available, it seems that every journey only covers 41% of the costs involved in making it.

      Does anyone know a) whether this claim is accurate and b) what more up to date numbers look like?

    1. These general forms allow markup grammars, like HTML5, to be created without element counts in the thousands to address every possible need. A generalized element retains the form of greatest applicability

      Another EPUB annotation.

    1. There

      An annotation created using IE 11 when logged in using OAuth

  32. Aug 2017
    1. The URL that was given to you by Canvas should have had a verifier parameter on it. If so, do not include your Authorization header like you do with all the other API calls that you make.

      So this means that the verifier parameter replaces the Authorization header?

    1. This guide takes a slightly different approach to accessibility because of the feature-rich nature of EPUB 3

      This is a quick test of an annotation made on an EPUB document.

    1. Sometimes the submodule references get slightly out of sync so to ensure you are at the latest develop branch in all submodules you can run this

      I initially tried without running this command but that failed - the plugin configuration had Hypothesis disabled. Presumably that means that the submodule references in the root project don't currently reference the HEAD of the develop branch in some of the submodules?

    1. This fundamental change in J-protein biology during the prokaryote-to-eukaryote transition allows for increased fine-tuning and broadening of Hsp70 function in eukaryotes

      Another test annotation created as part of a project with eLife.

    2. Hsp70 participates in a broad spectrum of protein folding processes extending from nascent chain folding to protein disaggregation

      Test annotation created as part of a project with eLife.

    1. Create the revision script by running alembic revision, for example:

      This appears to be out of date. It looks like alembic commands should be run via the ./bin/hypothesis wrapper script. See https://github.com/hypothesis/h/issues/3863

      ./bin/hypothesis migrate revision -m "Add the foo table"
  33. Jul 2017
    1. It’s a fundamental decision about where the annotation goes which can’t be changed later.

      The "can't be changed later" part is something we could, and probably will want to at some point, address.

      In a groups-first API I imagine that this might be a specific API call though, since there are a number of error conditions that are specific to this operation.

    1. or the browser was holding the storage mutex for a longer time, or for different reasons.

      According to this GitHub issue the storage mutex was never implemented in browsers.

      See the comment from Ian Hickson at the bottom.

      That issue also has some useful details on what modern browsers actually do in a multi-process world.

    1. Think in a chapter of a book, for example: the chapter isPartOf book.

      Should we perhaps use this instead of DC.Source for describing a chapter which is part of a book?

    1. said he most commonly used the app

      Saqib is blind.

    2. As well as recognizing people it’s seen before and guessing strangers’ age and emotion

      I wonder how they try to avoid causing offence if the guess is wrong?

  34. Jun 2017
    1. 2mins 34secs clear of Kenya's Mathew Kimeli.

      This should say 2.34 seconds. Kimeli was ~10 metres behind when Farah crossed the line.

    1. potentially annoying

      It's not just "potentially annoying". I think our users would use somewhat stronger language to describe this hassle!

    2. since it could just re-use the still valid access and refresh token that it got last time.

      It is possible that the user's identity on the website changed since the last time they visited the page, in which case we do need a new access/refresh token.

      I would be inclined not to try and solve this problem until we're sure it is a problem to avoid introducing fun new caching issues that cause confusion for us and users.

    1. One of the important lessons when designing for VR is that you should move your idea or concept as fast as possible to prototyping.

      Presumably this would be true for any novel interaction environment.

    1. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client

      I assumed that revoking the old token would be mandatory, but on the other hand, not revoking it allows clients to retry a refresh if they fail to receive the response the first time due to a transient network error.

    1. Examples of other similar JavaScript DI frameworks:

      A useful list of dependency injection frameworks for JS. From what I've seen of the packages listed here:

      BottleJS looks like the simplest and least demanding in terms of JS engine features.

      InversifyJS is heavily orientated towards TypeScript and assumes use of decorators, reflect-metadata etc.

      Inverted is unmaintained and the link 404s.

      I haven't yet looked at WireJS or Mocktail.

    1. When you click on the icon you don't know whether the new things went into the annotations, page notes or orphans tab. (I believe the count numbers on the tabs change, but this is easy to miss.)

      A caveat here is that we cannot tell whether annotations are annotations or orphans until after we try anchoring them, so if we go with this approach we'll either have to change how annotations in the "received but not yet presented to the user" state are handled, or optimistically assume that the annotations do anchor.

    2. Tabs (where the number of tabs can change dynamically, tabs opening and closing in response to events or user actions, like in a desktop web browser) are normally left aligned

      That definitely depends on what environments you are familiar with. In Windows (traditionally) and modern MS apps tabs are left-aligned.

    3. It uses HTML <a> elements with href="#", which I don't believe is correct for these controllers, which are really buttons not links

      Strictly speaking yes, although ARIA actually has dedicated roles for tabs. If you use those, I don't think it really matters.

    4. These buttons also look different than other buttons (and links) in the sidebar itself.

      They are tabs rather than buttons. I don't think they should necessarily need to look the same as buttons, as long as it is clear you can hit them.

    1. subresource under number of unique domains, sub frame under number of unique domains, and number of unique domains redirected to.

      I'm not clear on exactly what these three things mean and why they might be strong signals for a tracking domain. Can anyone clarify?

    1. Whitelists are a good idea - not only are they a simple way to protect against parent documents setting config settings that we don't want them to

      In the case of the sidebar, this is true. Do understand though that code in src/annotator fundamentally runs in an untrusted context and a sufficiently determined page could manipulate what that code does in pretty much any way it wanted.

  35. May 2017
  36. citeseerx.ist.psu.edu
    1. Baeza-Yates, R. and Navarro, G. Faster Approximate String Matching. Algorithmica (1999) 23: 127. doi:10.1007/PL00009253

    1. Doesn't manage VPCs, subnets, or other infrastructure that Skyliner manages for us.

      How much of a problem is this for us on the spectrum of major blocker to minor inconvenience?

    1. Specifically, we pad the inputbyk1elements on both the left and right side by zerovectors, and then removekelements from the end of theconvolution output.

      Reproduction of the bug described at https://github.com/hypothesis/client/issues/381

    1. WAI-ARIA provides Web authors with the following:

      This is a summary of the main types of additional information which may need to be added to a page to make it accessible, which can be done by adding ARIA attributes to elements.

    2. For example, with WAI-ARIA, developers can identify regions of pages and enable keyboard users to easily move among regions, rather than having to press Tab many times.
    3. For example, if the content of a Web page changes in response to user actions or time- or event-based updates, that new content may not be available to some people, such as people who are blind or people with cognitive disabilities who use a screen reader.
    1. The text MUST be selected and normalized in the same way as for the Text Quote Selector before counting the number of characters to determine the start and end positions.

      Given the comment above about normalization:

      The selection of the text must be in terms of unicode code points (the "character number"), not in terms of code units (that number expressed using a selected data type).

      My understanding is that the start/end positions need to be expressed in code points, which is a little inconvenient in the browser since the natural way to retrieve the text content for a node and its descendants in the DOM is using the textContent property, which returns a JS string that represents the text in UTF-16 chars.

    1. One of the projects I'm working on is an annotation bot called "contextbot"

      Very cool! For anyone else reading, you can find contextbot's annotations here.

      Where do you get the feed of articles that it processes from?

    1. With tens of thousands of events occurring every day at a rate of approximately one per second,

      Where does this figure come from?

  37. Apr 2017
    1. Coupling your data and code adds the additional problem that if you want to use a function at a certain point, you have to find a way to get its object to that point.
    1. 2.3 The Jacobian of the Pyramidal Transformation in 3D
    2. Well-known quadrature rules exist in 2D for triangles and a few 3D regions, such as tetrahedra, prisms and hexahedra

      Hello, this is a comment on an article I found via canaryhaz.

  38. Mar 2017
    1. Providing a malicious onLogin callback, for example popup a window into which the user may type their username and password

      This is something I do think we should have a plan for. I have a couple of suggestions:

      1. If we teach the Chrome extension to ignore settings from the host page, that should avoid this problem for the extension.
      2. For the embed, given that we allow publishers to customize the sidebar app UI in several ways, I think the app should verify that the publisher is trusted. How can this be done? If the publisher signed a grant token then the access token exchange already provides us with this proof. If the user is not logged in then we don't have any such proof. I did suggest that the publisher could create a grant token by signing a JWT where the userid was null as one approach.
    2. Providing a malicious asset root URL from which the sidebar app will load its assets

      I don't think this is true - and it would be a major issue if it was as it would circumvent the same-origin protection that the iframe code assumes. The sidebar app does not allow the host page to set the assetRoot setting, but only reads the setting embedded in the app.html page.

    3. This would also make it slightly more difficult for malicious sites to configure the client.

      I think your earlier question about whether the Chrome extension should ignore js-hypothesis-config tags on the page entirely was a better avenue to explore.

    4. Alternatively you can set data-services to the id of a <datalist> element in the page.


    5. Instead of <script class="js-hypothes-config" type="application/json"> just use HTML attributes on the embed.js script itself

      I'm not in favor of this because a) I think JSON is a simple and widely understood format and b) There is one clear obvious way of expressing booleans, arrays and nested data structures in JSON, whereas in HTML you have to invent your own way of doing it.

      One additional complication is that although there is a method document.currentScript which code can use to get a reference to the <script> tag which caused it to be run, this property is not supported in IE so we'd need a workaround.

    6. Have only one means of inter-frame communication: the bridge.

      I think this may be nice in principle, but see the caveats above I mentioned about the sidebar app assuming it can synchronously access settings when it starts up. This might turn out to be more complex.

    7. Consider renaming sidebar/app.js to sidebar/main.js, to match annotator/main.js

      👍 - except that in CommonJS the standard name for the main file in a directory is index.js. There is actually support for this built into the require function. require('./some-dir') is actually equivalent to require('./some-dir/index').

    8. actually export config objects directly rather than exporting functions?

      The reason these modules export functions rather than objects is because that is easier to write tests for. A simple solution here would be to rename the function to say, readConfig.

    9. This function returns an object named options, it should be named config.


    10. src/shared/settings.js should be renamed to src/shared/config.js to match with other things that are named config.


    11. Or else just add a boolean variable to window.

      A difference between DOM elements and expando properties in the context of extensions is that DOM element properties and attributes are visible to code that runs in the context of the page and code that runs as a content script. Expando properties set in one context on the other hand are not visible in the other.

      What this means in practice is that an extension might not be able to read a boolean property set on the window object by code in the host page and vice versa.

    12. Is there any reason why the Chrome extension should ever read settings from the parent page?

      I can't think of a use case we have for this currently.

    13. The general term for the stuff outside of an iframe seems to be parent page/window/document/frame, so I suggest we use parent instead of host.

      Hmm ... "parent" is an overloaded word already within the sidebar app. You have parent elements in the DOM tree, parent components in the Angular component tree, parent scopes.

    14. The whole inheritance thing around PdfSidebar, Sidebar, Host, Guest and Annotator.

      Yes, completely agree.

    15. It would be nice to have only one means of inter-frame comms (bridge). Get rid of this ?config param on the iframe src.

      The reason for using this mechanism originally is that query string params are available immediately as soon as the sidebar app starts which is convenient for the sidebar app's boot code.

      As far as I am aware this is not possible with postMessage (the API underlying the bridge service). The sidebar app could make an RPC call back to the host page, but this may add some latency to app startup which would need to be measured. It's also unlikely to be as simple as parsing out a query string param.

    16. Use just one name, not settings, options, config, app_config, etc.

      I'm in favor of this. We probably do want to use a different term for static configuration of the client vs. user preferences.

    17. And that tag needs to contain valid JSON (which is all too easy to get wrong)

      I'm really not convinced that this is a problem. JSON is ubiquitous, especially in the field of web development. Additionally, we present a helpful error message if the config fails to parse.

    18. From the point of view of someone wanting to embed Hypothesis in their site this API seems more difficult to use than it needs to be

      I'm not convinced that any of the potential difficulties listed here are actually problems. I'll also note that the fact that the config data is JSON is more convenient than alternatives such as data attributes because most languages have builtins for serializing objects to JSON. We make use of this in both the Python code and JavaScript modules that render app.html in the extension for example.

    19. For example you change the value of a setting in a js-hypothesis-config object, but it doesn't work because (unknown to you) it's being overridden by another js-hypothesis-config object further down the page.

      I honestly think this is unlikely to be a problem for publishers.

    20. This provides an easy, high fidelity way to replace the sidebar with a malicious copy

      As I noted above, replacing the Chrome extension's app.html with a different page is really easy to do even without this mechanism.

      I think this is a real potential vector for phishing attacks but it is really important to understand that the DOM in the host page is fundamentally a shared resource for all code that runs in that context with no access controls.

    21. handled somehow.

      Handled or prevented. We currently do the latter as it was the simplest thing to implement.

    22. Browserify-requireable JavaScript function

      The usual term for a JS module that imports other modules via require() and exports variables/functions etc. via module.exports is a "CommonJS module". Browserify is a tool that packages up a graph of CommonJS modules for use in the browser - there are other tools such as Webpack and rollup which do the same thing.

    23. to thwart attacks based on sites embedding their own malicious copies of the client

      As I noted in Slack, it is trivial for a page to redirect iframes created by the extension to a different URL.

    24. But it seems like there may be a race condition here between the Chrome extension and embedded instance of Hypothesis?

      I believe there is. If you activate the Chrome extension while the page is still loading and before the embedded Hypothesis client has loaded, it is possible the extension will win.

    25. I believe this is intended to have the Chrome extension abort on launch, if there is already an embedded instance of Hypothesis in the page?

      This is correct. If you try to activate the Chrome extension on a page which embeds Hypothesis, whichever loads first, which will almost always be the embed, will win.

    1. This is a version of the paper with an ugly presentation. There is a LaTeX version available but several PDF readers (Mac Preview, PDF.js) have problems with text selection in that version.

      If anyone knows of a LaTeX version without that problem, please reply.

  39. Feb 2017
    1. It is not feasible for the client to first load the annotations and then compile a list of URIs and hopefully match up flag status with the annotations currently displayed on these pages.

      I don't think it would be that difficult to do, but it also isn't that important either. As you note - both those pages are deprecated.

      It seems not unlikely to me that we'll want to expose flag/moderation status on activity pages (showing annotations from many URLs) in future - so from the backend side it will probably be useful if this didn't require a redesign to support.

    2. the alternative is to include the annotation nipsa endpoint to /api/ and then make the client fill in the annotation id

      This would probably be a little more convenient to work with in the client because we could then use the existing logic for turning API descriptions from the /api response into functions that make those calls.

      The approach suggested here would be useful if the list of actions was dynamic but that's not the case as far as I am aware.

    3. We support both uri and url parameters for /api/search - should we support both here as well, or decide on one?

      Is this purely a historical artefact or do they actually behave differently?

      The client always uses uri, which is correct because the value is sometimes a urn:... URI (eg. for a PDF fingerprint). I'll also note that the client sets this parameter multiple times if it wants to query for annotations using multiple URIs (eg. on PDFs). This endpoint would need the same support in order to ensure that it retrieved flags for the same set of annotations.

    4. &group={pubid}

      The search endpoint allows us to fetch annotations for all groups at once and we use this in certain contexts - such as when opening a direct link where we don't know which group the annotation is in.

      Could we drop the 'group' parameter here and make the call simply return the IDs of all flagged annotations, irrespective of group for the current URL?

      The other reason this might be useful is it allows us to fetch flag info sooner because the client can make the request before it has fetched the list of groups.

    5. render default error

      I know why we do this but the practice of hiding the difference between 'not found' and 'wrong permissions' / 'incorrect' auth is really irritating from a debugging point of view. I'd like us to reconsider this another time.

    6. they can flag an annotation for moderation.

      In the current designs the action is just a boolean flag, but I'll note that it is very common for reporting interfaces to allow the user to give a reason why they are reporting something. So I think it would make sense to design the API in such a way we can easily add that later if deemed useful.

    1. Video tutorial from Jun 2016 showing how to use Hypothesis to annotate a Wikipedia page.

      It briefly shows groups and the stream, but using the old (pre-Nov 2016) Hypothesis website.

    1. If the only changes are to the Chrome extension itself (and the version number of the hypothesis client dependency hasn't changed since the last browser extension release) then the fourth (and final) segment in the version number should be incremented.

      We've just discovered this doesn't work because the package version (in package.json) must be valid semver - which only allows for MAJOR.MINOR.PATCH and no further divisions. See discussion at https://hypothes-is.slack.com/archives/public/p1487778833005564

      We worked around the issue thus far by bumping the minor version and making a note not to release a conflicting client version.

  40. Jan 2017
    1. The Websocket URLs provided by rtm.start are single-use and are only valid for 30 seconds, so make sure to connect quickly. If you connect successfully the first event received will be a hello:

      The temporary WebSocket URLs solve several problems. One is that they work around the fact that clients cannot supply Authorization headers directly using the browser's WebSocket API.

    1. However, remember that Click is Unicode-based, so the string will always be a Unicode value
    1. Income for services performed outside the United States is foreign-source and not subject to U.S. tax for a nonresident alien, even if paid by a U.S. employer or payer.
    2. If the recipient is a nonresident alien and the compensation payment is U.S.-source income, you must withhold 30 percent (called “NRA withholding”) unless an exception applies.
    1. One of the biggest questions I have from students as they use Hypothesis Groups is how to save annotations to the group, as opposed to Public/Private annotations

      As a developer working on Hypothesis, this is useful to know. Is there anything you think we could do to make this easier?