712 Matching Annotations
1. Jun 2022
2. vision.cornell.edu
1. COCO-Text: Dataset for Text Detection and Recognition

• 63K images
• 145K text instances
• Feature labels: machine printed / handwritten. Legible / illegible, English / non-English script

3. Apr 2022
4. tesseract-ocr.github.io
1. OSD

Orientation and Script Detection

5. Mar 2022
6. cdn.hypothes.is
1. Chapter 11. Nightgown.

Quick test

7. github.com
1. Quick test

8. Feb 2022
9. jigsaw.vitalsource.com
1. SOCKPUPPET

According to Wikipedia: A sock puppet is an alternative online identity or user account used for purposes of deception.

10. jigsaw.vitalsource.com
1. Putin’s been accused of using his pet Labrador to frighten Angela Merkel

11. jigsaw.vitalsource.com
1. Prince Henry the Navigator

12. Jan 2022
13. tailwindcss.com
1. Utilities for improving accessibility with screen readers.

To understand the CSS properties used by the sr-only class, see blog posts from WebAIM and Cloud Four.

14. jigsaw.vitalsource.com
1. Yet another way of categorizing arguments is to consider their status or stasis—that is, the specific kinds of issues they address.

This works

15. hypothes.is

16. lilianweng.github.io
1. Given a function mapping an $n$-dimensional input vector $\mathbf{x}$ to an $m$-dimensional output vector, $\mathbf{f}: \mathbb{R}^n \mapsto \mathbb{R}^m$, the matrix of all first-order partial derivatives of this function is called the Jacobian matrix, $\mathbf{J}$, where one entry on the $i$-th row and $j$-th column is $\mathbf{J}_{ij} = \frac{\partial f_i}{\partial x_j}$

Quick test

17. Nov 2021
18. jigsaw.vitalsource.com
1. Change; captains, admirals, the dark “interlopers”5 of the Eastern trade, and the commissioned “generals” of East India fleets

This works

2. had good hold, made his way aft and sat down amongst us. We exchanged a few words lazily. Afterwards there was silence on board the yacht. For some reason or other we did not begin that game of dominoes. We felt meditative and fit for nothing but placid staring. The day was ending in a serenity of still and exquisite brilliance. The water shone pacifically; the sky, without a speck, was a benign immensity of unstained light; the

Quick test

19. jigsaw.vitalsource.com
1. The budget constraint clearly shows the tradeoff Alphonso faces in choosing between burgers and bus tickets. Suppose he is currently at point D

Quick test

20. jigsaw.vitalsource.com
1. The Copenhagen meeting in September of 1979 and the iridium papers of 1980 triggered a storm over the Cretaceous-Tertiary mass extinction that raged through the entire decade of the 1980s

Quick test

21. Oct 2021
22. jigsaw.vitalsource.com
1. The German philosopher Immanuel Kant (1724–1804) delved into the critical limits of knowledge in his revolutionary text, The Critique of Pure Reason (1781).

23. jigsaw.vitalsource.com

Quick test

24. Sep 2021
25. qa.hypothes.is

26. Dec 2020
27. cleantechnica.com
1. about an 80% in energy density

Should say "80% increase in energy density"?

28. Aug 2020
29. hypothes.is
1. Now you have the extension up and running. It's time to start annotating some documents.

Quick test

30. Jun 2020
31. jigsaw.vitalsource.com
1. REQUIEM FOR A LOST WORLD

Hello ebooks 📚

32. May 2020
33. www.scratchapixel.com
1. figure 3

Should say Figure 13

34. Apr 2020
35. hacks.mozilla.org
1. As long as expressions typed into the Web Console are side-effect free

Does anyone know how "side-effect free" is determined?

36. Mar 2020
37. www.qualified.io

38. Feb 2020
39. www.paciellogroup.com
1. TPG is an accessibility solutions provider offering full-service accessibility consulting and a leading provider of accessibility monitoring and management software solutions.

This is a test annotation.

1. How likely are you to pop open the browser developer tools to look for an overzealous aria-label on a <div>-as-button-via-role-sans-keyboard-handler monstrosity to explain that the button you thought said “Submit” is the one the user hears as “Activate this button to submit this form,” all thanks to a well-meaning developer who thought it was necessary?

Example of a problem caused by mismatched labels for different users.

41. dequeuniversity.com
1. Safari Settings: Advanced > Accessibility > Press Tab to highlight each item on a webpage

In Safari 13.0.5 on macOS 10.15:

2. System Settings: Keyboard > Shortcuts > Full Keyboard Access > All controls

I think this may be out of date. On macOS 10.15 (Catalina) I see no such option. However there is an option to enable keyboard navigation with a different label ("Use keyboard navigation...").

42. Jan 2020
43. qa.hypothes.is
1. What language is this?

44. qa.hypothes.is
1. איזו שפה זו?

45. docs.pylonsproject.org
1. Should only be "Strict" or "Lax".

What about setting the value to None for a cookie where it is specifically desired for the cookie to be available in a third-party context?

Third-party cookies are eventually going away so perhaps that is not a viable option long term.

46. Nov 2019
47. example.com
1. This
2. Domain

Annotation two

3. Example

Annotation one

48. www.delonghi.com
1. Manual for my espresso maker.

49. Oct 2019
50. arxiv.org
1. ommittee is a subset

Test.

51. jonudell.net
1. RRID:WB-STRAIN

Annotation on the second "RRID:WB-STRAIN" text

2. RRID:WB-STRAIN

Annotation on the first "RRID:WB-STRAIN" text.

52. Aug 2019
53. hypothesis-h5p.s3.us-east-2.amazonaws.com
1. Hypothesis

This is a demo of an H5P-enabled Hypothesis client. It also shows how OAuth can be used to create customized clients which talk to the Hypothesis backend.

Go to the Page Notes for more details.

<iframe src="https://h5p.org/h5p/embed/6725" width="1090" height="387" frameborder="0" allowfullscreen="allowfullscreen"></iframe><script src="https://h5p.org/sites/all/modules/h5p/library/js/h5p-resizer.js" charset="UTF-8"></script>

54. www.nsqol.org
1. The online teacher creates, selects, and organizes appropriate assignments and assessments to align curricular content with associated standards-based learning goals

This is a test to investigate a Hypothesis bug report. See https://github.com/hypothesis/lms/issues/875

55. May 2019
56. tomcritchlow.com
1. Try it out!

Hi Tom!

Thanks for sharing your feedback on Hypothesis UX at iAnnotate this year.

If you use the Hypothesis client with the “clean” theme I recommend using the data-hypothesis-trigger attribute to create a button or other affordance to open the sidebar. See https://h-client.readthedocs.io/en/latest/publishers/host-page-integration/ for details. This allows users to see comments without having to find a highlight.

57. Apr 2019
58. robertknight.me.uk
1. A caveat here is that the rewriting may add quite a lot of code to your bundle,

See this GitLab issue for a real-world example of where this became a problem.

59. Dec 2018
60. web.hypothes.is
1. AngularJS

Since a few candidates have asked this, we're not wedded to Angular as a framework, but it was perceived as a sensible choice back in the early days of the project in 2013-2015. In more recent times we've had higher-priority technical issues to address.

Setting the future technical direction and helping to implement it is part of the role.

61. Oct 2018
62. wiseodd.github.io
1. im2col utilities could be found in the second assignment files of CS231n.

63. www.cs.toronto.edu
1. produced with cPickle

Corrected link for Python 3: https://docs.python.org/3/library/pickle.html

64. letsencrypt.org
1. The simplest way to generate a private key and self-signed certificate for localhost is with this openssl command:

Keys generated using this command are trusted by browsers (I've tested with Safari, Chrome, Firefox).

I found that they were not trusted by SSL client libraries (eg. Python's ssl package or requests) which use openssl because the keyUsage setting is missing the keyCertSign flag.

Changing the keyUsage= section to keyUsage=digitalSignature,keyCertSign resolved the problem.

65. Jul 2018
66. arxiv.org
1. Code is at: this https URL

67. blog.codinghorror.com

68. Jun 2018
69. hypothesis-h5p.s3.us-east-2.amazonaws.com

70. blog.nightly.mozilla.org
1. disable DoH

Should this say enable DoH under all circumstances? Presumably the current default, mode 0, is always off anyway.

71. May 2018
72. web.hypothes.is
1. and agree to them before you start annotating

2. For the Hypothesis website, we’ve taken new steps to anonymize the information we collect

In practical terms this means that we turned on Google Analytics' IP anonymization feature, which zeroes the last octet of your IP address.

73. Apr 2018
74. gist.github.com
1. probably UTF-8

Almost certainly UTF-8 on macOS and Linux. I'm not sure about Windows.

2. What encoding are literal byte strings in?

It wasn't clear to me after reading this, but -*- coding: utf-8 -*- comments are redundant in Python 3 because the default encoding of files is UTF-8.

75. robertknight.me.uk
1. Before adding a new collaborator, they will need to generate a GPG key. GitHub has good instructions for doing this

Steps for new developers to create public keys.

76. biopub.hypothes.is

77. blog.vjeux.com
1. it has been reported in 2008 but not yet being worked on by anyone.

This issue has now been fixed.

78. Mar 2018
79. help.github.com
1. For security reasons, after you navigate off the page, you will not be able to see the token again.

So if you forget your token, you'll need to generate a new one :)

80. blogs.dropbox.com
1. A high-level technical explanation of how Dropbox's PDF annotation interface is implemented.

Quite interesting for Hypothesis.

81. Feb 2018
82. hypothesis-h5p.s3.us-east-2.amazonaws.com

This is a test client which shows 1) how to use OAuth to create customized Hypothesis clients and 2) a prototype of support for H5P, a system for creating embeddable interactive content such as quizzes etc.

To add a new annotation with H5P content:

2. Go to https://h5p.org/ and find a piece of demo content.
3. Click the "Embed" button at the bottom of any embed
4. Copy and paste the embed code into a new annotation or Page Note on this page.

Next, try creating your own interactive content on H5P.org and pasting embed links here.

🤠 - H5P content is sandboxed to prevent malicious abuse. Some functionality may not be available. Let me know if you find issues.

Contact me at robertknight@hypothes.is

83. biopub.hypothes.is
1. Welcome to the BioPub website 🔬.

This is a demo site designed to show various aspects of how Hypothesis can be integrated by publishers into their articles.

84. tfl.gov.uk
1. The ULEZ standards are:

See the table at https://www.rac.co.uk/drive/advice/emissions/euro-emissions-standards/ for a rough guide to what standard a vehicle meets based upon its date of registration.

85. Jan 2018
86. developer.chrome.com
1. Tutorial: OAuth

This page is about OAuth v1. Most web services, including Google APIs, now use OAuth v2 which is simpler in various respects. The documentation for that is https://developer.chrome.com/apps/app_identity

1. Unfortunately not every database supports savepoints and SQLite is precisely one of those that doesn’t

I'm not sure if this is still true; SQLite does have a SAVEPOINT command now. Whether SQLAlchemy supports it and whether there are any limitations with it I don't know.

1. Transaction objects manage resources for an individual activity.

For a more detailed introduction to the transaction package, see https://zodb.readthedocs.io/en/latest/transactions.html

89. Dec 2017
90. techcrunch.com
1. Lyft partners

Testing a possible change for Hypothesis involving <link rel="shortlink">.

91. Nov 2017
92. www.elastic.co
1. synchronously with the request

We are trying to clarify in https://github.com/hypothesis/h/pull/4700#discussion_r153477745 whether search requests made after an index operation with refresh=true are guaranteed to see the change. My understanding from these docs is that this is true in ES 6.

93. www.elastic.co
1. Running these queries on a field with many unique terms can be resource intensive indeed. Avoid using a pattern that starts with a wildcard (for example, *foo or, as a regexp, .*foo).

94. blog.usejournal.com
1. Interesting article on gzip compression. It explains how to apply knowledge about how gzip (and specifically DEFLATE) compression works in order to generate source text that compresses better.

A shame that the gzthermal tool is not open source at present.

95. web.hypothes.is

96. www.jofreeman.com
1. The Lot System is one such idea which has emerged from the movement

See http://www.carolhanisch.org/CHwritings/Leadership.html for an explanation of how the "lot system" worked.

2. rushed

Coming from the UK where sororities / fraternities are not really a thing as far as I know, I had to look this up: https://en.wikipedia.org/wiki/Sorority_recruitment

3. New Left

A political movement from the 1960s and 1970s campaigning for social change and reform.

https://en.wikipedia.org/wiki/New_Left

4. as too threatening to have as close friends

Why "threatening"?

5. rap group

97. shift.newco.co
1. The aforementioned Yelp reviews is already testing these boundaries with its Monocle feature

The Wired article on the Monocle feature dates back to 2009. In 2017, it is still apparently a hidden feature in the Yelp app.

2. A new batch of apps that allow users to create hidden graffiti using AR raises an important question about who is legally allowed to “tag” a place.

So basically all the discussions we have had within Hypothesis about rights to write over web pages will be had, but this time applied to the real world.

98. Oct 2017
1. This article argues for the benefits of favoring integration ("feature") tests over unit tests. An opposing argument ("integration tests are a scam") is that reliance on integration tests is a bad idea because of the difficulty of covering all possible code paths with integration tests as opposed to unit tests.

A half-way point between the two views is the concept of a testing pyramid which advocates having end-to-end, integration and unit tests, but with a larger number of the latter and a smaller number of the former.

100. support.zendesk.com
1. I actually just figured this out and it seems to be working. I found this article:

This might be useful for resolving an issue we have with Google Groups where replies made via Zendesk to support requests originating from emails to a Google Groups forum only go to the original user and do not appear on the Google Groups mailing list.

101. doc.qt.io
1. It is also possible to filter all events for the entire application, by installing an event filter on the QApplication or QCoreApplication object.

You can use this to observe all user interactions in an application for example.

102. www.mensjournal.com
1. A list of some simple suggested exercises to do with a foam roller. One notable point was a recommendation that exercises should be done before workouts.

103. Sep 2017
104. www.londonreconnections.com
1. In New York, however, where some 2016 numbers are available, it seems that every journey only covers 41% of the costs involved in making it.

Does anyone know a) whether this claim is accurate and b) what more up to date numbers look like?

1. These general forms allow markup grammars, like HTML5, to be created without element counts in the thousands to address every possible need. A generalized element retains the form of greatest applicability

Another EPUB annotation.

106. developer.apple.com
1. This operation that

Should be "This operation ensures that"?

107. docdrop.org:8080
1. stay

Quick foo

108. qa.hypothes.is
1. There

An annotation created using IE 11 when logged in using OAuth

109. Aug 2017
110. community.canvaslms.com
1. The URL that was given to you by Canvas should have had a verifier parameter on it. If so, do not include your Authorization header like you do with all the other API calls that you make.

So this means that the verifier parameter replaces the Authorization header?

1. This guide takes a slightly different approach to accessibility because of the feature-rich nature of EPUB 3

This is a quick test of an annotation made on an EPUB document.

112. gist.github.com
1. Sometimes the submodule references get slightly out of sync so to ensure you are at the latest develop branch in all submodules you can run this

I initially tried without running this command but that failed - the plugin configuration had Hypothesis disabled. Presumably that means that the submodule references in the root project don't currently reference the HEAD of the develop branch in some of the submodules?

113. hypothesis-h5p.s3.us-east-2.amazonaws.com
1. new annotation

Here is an example of an annotation with an embedded video, taken from a page about Hurricane Harvey

<iframe frameborder="0" height="234" src="//fave.api.cnn.io/v1/fav/?video=us/2017/08/25/hurricane-harvey-space-station-sje-lon-orig.cnn&amp;customer=cnn&amp;edition=international&amp;env=prod" width="416"></iframe>

114. hypothesis-h5p.s3.us-east-2.amazonaws.com

115. localhost:1337
1. Some

116. elifesciences.org
1. This fundamental change in J-protein biology during the prokaryote-to-eukaryote transition allows for increased fine-tuning and broadening of Hsp70 function in eukaryotes

Another test annotation created as part of a project with eLife.

2. Hsp70 participates in a broad spectrum of protein folding processes extending from nascent chain folding to protein disaggregation

Test annotation created as part of a project with eLife.

1. Create the revision script by running alembic revision, for example:

This appears to be out of date. It looks like alembic commands should be run via the ./bin/hypothesis wrapper script. See https://github.com/hypothesis/h/issues/3863

./bin/hypothesis migrate revision -m "Add the foo table"

118. Jul 2017
119. notes.wtk.io
1. It’s a fundamental decision about where the annotation goes which can’t be changed later.

The "can't be changed later" part is something we could, and probably will want to at some point, address.

In a groups-first API I imagine that this might be a specific API call though, since there are a number of error conditions that are specific to this operation.

120. connectedyouth-stage.nyupress.org
1. Letraset sheets

What is a Letraset sheet?

121. balpha.de
1. or the browser was holding the storage mutex for a longer time, or for different reasons.

According to this GitHub issue the storage mutex was never implemented in browsers.

See the comment from Ian Hickson at the bottom.

That issue also has some useful details on what modern browsers actually do in a multi-process world.

122. dublincore.org
1. Example 1. A Dublin Core Description of a Journal Article

Example of usage of the isPartOf relation.

123. ml.berkeley.edu
1. A very accessible explanation of the bias-variance trade-off in ML.

124. github.com
1. BYOB

1. Think in a chapter of a book, for example: the chapter isPartOf book.

Should we perhaps use this instead of DC.Source for describing a chapter which is part of a book?

126. www.theverge.com
1. said he most commonly used the app

Saqib is blind.

2. As well as recognizing people it’s seen before and guessing strangers’ age and emotion

I wonder how they try to avoid causing offence if the guess is wrong?

127. Jun 2017
128. www.bbc.co.uk
1. 2mins 34secs clear of Kenya's Mathew Kimeli.

This should say 2.34 seconds. Kimeli was ~10 metres behind when Farah crossed the line.

129. github.com
1. potentially annoying

It's not just "potentially annoying". I think our users would use somewhat stronger language to describe this hassle!

2. since it could just re-use the still valid access and refresh token that it got last time.

It is possible that the user's identity on the website changed since the last time they visited the page, in which case we do need a new access/refresh token.

I would be inclined not to try and solve this problem until we're sure it is a problem to avoid introducing fun new caching issues that cause confusion for us and users.

130. medium.com
1. One of the important lessons when designing for VR is that you should move your idea or concept as fast as possible to prototyping.

Presumably this would be true for any novel interaction environment.

131. localhost:5050
1. Dr. Vannevar Bush

Blah

132. tools.ietf.org
1. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client

I assumed that revoking the old token would be mandatory, but on the other hand, not revoking it allows clients to retry a refresh if they fail to receive the response the first time due to a transient network error.

133. medium.com
1. Examples of other similar JavaScript DI frameworks:

A useful list of dependency injection frameworks for JS. From what I've seen of the packages listed here:

BottleJS looks like the simplest and least demanding in terms of JS engine features.

InversifyJS is heavily orientated towards TypeScript and assumes use of decorators, reflect-metadata etc.

Inverted is unmaintained and the link 404s.

I haven't yet looked at WireJS or Mocktail.

134. github.com
1. When you click on the icon you don't know whether the new things went into the annotations, page notes or orphans tab. (I believe the count numbers on the tabs change, but this is easy to miss.)

A caveat here is that we cannot tell whether annotations are annotations or orphans until after we try anchoring them, so if we go with this approach we'll either have to change how annotations in the "received but not yet presented to the user" state are handled, or optimistically assume that the annotations do anchor.

2. Tabs (where the number of tabs can change dynamically, tabs opening and closing in response to events or user actions, like in a desktop web browser) are normally left aligned

That definitely depends on what environments you are familiar with. In Windows (traditionally) and modern MS apps tabs are left-aligned.

3. It uses HTML <a> elements with href="#", which I don't believe is correct for these controllers, which are really buttons not links

Strictly speaking yes, although ARIA actually has dedicated roles for tabs. If you use those, I don't think it really matters.

4. These buttons also look different than other buttons (and links) in the sidebar itself.

They are tabs rather than buttons. I don't think they should necessarily need to look the same as buttons, as long as it is clear you can hit them.

135. webkit.org
1. subresource under number of unique domains, sub frame under number of unique domains, and number of unique domains redirected to.

I'm not clear on exactly what these three things mean and why they might be strong signals for a tracking domain. Can anyone clarify?

136. gist.github.com
1. Whitelists are a good idea - not only are they a simple way to protect against parent documents setting config settings that we don't want them to

In the case of the sidebar, this is true. Do understand though that code in src/annotator fundamentally runs in an untrusted context and a sufficiently determined page could manipulate what that code does in pretty much any way it wanted.

137. May 2017
138. citeseerx.ist.psu.edu
1. Faster Approximate String Matching. R. Baeza-Yates and G. Navarro. Algorithmica (1999) 23: 127. doi:10.1007/PL00009253

139. github.com
1. Doesn't manage VPCs, subnets, or other infrastructure that Skyliner manages for us.

How much of a problem is this for us on the spectrum of major blocker to minor inconvenience?

140. support.microsoft.com
1. Landmarks

Feature for navigating through landmarks in a page specifically.

2. Narrator views

This appears to be the closest available functionality in Windows 10 Narrator to the Web item rotor

141. cn.arxiv.org
1. Specifically, we pad the inputbyk1elements on both the left and right side by zerovectors, and then removekelements from the end of theconvolution output.

Reproduction of the bug described at https://github.com/hypothesis/client/issues/381

142. www.w3.org
1. WAI-ARIA provides Web authors with the following:

This is a summary of the main types of additional information which may need to be added to a page to make it accessible, which can be done by adding ARIA attributes to elements.

2. For example, with WAI-ARIA, developers can identify regions of pages and enable keyboard users to easily move among regions, rather than having to press Tab many times.
3. For example, if the content of a Web page changes in response to user actions or time- or event-based updates, that new content may not be available to some people, such as people who are blind or people with cognitive disabilities who use a screen reader.

143. www.w3.org
1. The text MUST be selected and normalized in the same way as for the Text Quote Selector before counting the number of characters to determine the start and end positions.

Given the comment above about normalization:

The selection of the text must be in terms of unicode code points (the "character number"), not in terms of code units (that number expressed using a selected data type).

My understanding is that the start/end positions need to be expressed in code points, which is a little inconvenient in the browser since the natural way to retrieve the text content for a node and its descendants in the DOM is using the textContent property, which returns a JS string that represents the text in UTF-16 chars.

144. tinyletter.com
1. One of the projects I'm working on is an annotation bot called "contextbot"

Very cool! For anyone else reading, you can find contextbot's annotations here.

Where do you get the feed of articles that it processes from?

145. www.crossref.org
1. With tens of thousands of events occurring every day at a rate of approximately one per second,

Where does this figure come from?

146. Apr 2017
147. medium.com

148. blog.wolksoftware.com
1. Overview of dependency injection libraries and patterns in JS circa early 2016.

149. softwareengineering.stackexchange.com
1. Coupling your data and code adds the additional problem that if you want to use a function at a certain point, you have to find a way get its object to that point.

150. www.sec.gov
1. Jeff Bezos' annual letter to Amazon shareholders from 2017. I encountered it via a tweet.

151. canaryhaz.com
1. 2.3 The Jacobian of the Pyramidal Transformation in 3D
2. Well-known quadrature rules exist in 2D for triangles and a few 3D regions, such as tetrahedra, prisms and hexahedra

Hello, this is a comment on an article I found via canaryhaz.

152. Mar 2017
1. Stylesheets are also scoped to the shadow tree:

154. hypothes.is

155. gist.github.com
1. Providing a malicious onLogin callback, for example popup a window into which the user may type their username and password

This is something I do think we should have a plan for. I have a couple of suggestions:

1. If we teach the Chrome extension to ignore settings from the host page, that should avoid this problem for the extension.
2. For the embed, given that we allow publishers to customize the sidebar app UI in several ways, I think the app should verify that the publisher is trusted. How can this be done? If the publisher signed a grant token then the access token exchange already provides us with this proof. If the user is not logged in then we don't have any such proof. I did suggest that the publisher could create a grant token by signing a JWT where the userid was null as one approach.

2. Providing a malicious asset root URL from which the sidebar app will load its assets

I don't think this is true - and it would be a major issue if it was as it would circumvent the same-origin protection that the iframe code assumes. The sidebar app does not allow the host page to set the assetRoot setting, but only reads the setting embedded in the app.html page.

3. This would also make it slightly more difficult for malicious sites to configure the client.

I think your earlier question about whether the Chrome extension should ignore js-hypothesis-config tags on the page entirely was a better avenue to explore.

4. Alternatively you can set data-services to the id of a <datalist> element in the page.

Eww

5. Instead of <script class="js-hypothes-config" type="application/json"> just use HTML attributes on the embed.js script itself

I'm not in favor of this because a) I think JSON is a simple and widely understood format and b) There is one clear obvious way of expressing booleans, arrays and nested data structures in JSON, whereas in HTML you have to invent your own way of doing it.

One additional complication is that although there is a method document.currentScript which code can use to get a reference to the <script> tag which caused it to be run, this property is not supported in IE so we'd need a workaround.

6. Have only one means of inter-frame communication: the bridge.

I think this may be nice in principle, but see the caveats above I mentioned about the sidebar app assuming it can synchronously access settings when it starts up. This might turn out to be more complex.

7. Consider renaming sidebar/app.js to sidebar/main.js, to match annotator/main.js

👍 - except that in CommonJS the standard name for the main file in a directory is index.js. There is actually support for this built into the require function. require('./some-dir') is actually equivalent to require('./some-dir/index').

8. actually export config objects directly rather than exporting functions?

The reason these modules export functions rather than objects is because that is easier to write tests for. A simple solution here would be to rename the function to say, readConfig.

9. This function returns an object named options, it should be named config.

👍

10. src/shared/settings.js should be renamed to src/shared/config.js to match with other things that are named config.

👍

11. Or else just add a boolean variable to window.

A difference between DOM elements and expando properties in the context of extensions is that DOM element properties and attributes are visible to code that runs in the context of the page and code that runs as a content script. Expando properties set in one context on the other hand are not visible in the other.

What this means in practice is that an extension might not be able to read a boolean property set on the window object by code in the host page and vice versa.

12. Is there any reason why the Chrome extension should ever read settings from the parent page?

I can't think of a use case we have for this currently.

13. The general term for the stuff outside of an iframe seems to be parent page/window/document/frame, so I suggest we use parent instead of host.

Hmm ... "parent" is an overloaded word already within the sidebar app. You have parent elements in the DOM tree, parent components in the Angular component tree, parent scopes.

14. The whole inheritance thing around PdfSidebar, Sidebar, Host, Guest and Annotator.

Yes, completely agree.

15. It would be nice to have only one means of inter-frame comms (bridge). Get rid of this ?config param on the iframe src.

The reason for using this mechanism originally is that query string params are available immediately as soon as the sidebar app starts which is convenient for the sidebar app's boot code.

As far as I am aware this is not possible with postMessage (the API underlying the bridge service). The sidebar app could make an RPC call back to the host page, but this may add some latency to app startup which would need to be measured. It's also unlikely to be as simple as parsing out a query string param.

16. Use just one name, not settings, options, config, app_config, etc.

I'm in favor of this. We probably do want to use a different term for static configuration of the client vs. user preferences.

17. And that tag needs to contain valid JSON (which is all too easy to get wrong)

I'm really not convinced that this is a problem. JSON is ubiquitous, especially in the field of web development. Additionally, we present a helpful error message if the config fails to parse.

18. From the point of view of someone wanting to embed Hypothesis in their site this API seems more difficult to use than it needs to be

I'm not convinced that any of the potential difficulties listed here are actually problems. I'll also note that the fact that the config data is JSON is more convenient than alternatives such as data attributes because most languages have builtins for serializing objects to JSON. We make use of this in both the Python code and JavaScript modules that render app.html in the extension for example.

19. For example you change the value of a setting in a js-hypothesis-config object, but it doesn't work because (unknown to you) it's being overridden by another js-hypothesis-config object further down the page.

I honestly think this is unlikely to be a problem for publishers.

20. This provides an easy, high fidelity way to replace the sidebar with a malicious copy

As I noted above, replacing the Chrome extension's app.html with a different page is really easy to do even without this mechanism.

I think this is a real potential vector for phishing attacks but it is really important to understand that the DOM in the host page is fundamentally a shared resource for all code that runs in that context with no access controls.

21. handled somehow.

Handled or prevented. We currently do the latter as it was the simplest thing to implement.

22. Browserify-requireable JavaScript function

The usual term for a JS module that imports other modules via require() and exports variables/functions etc. via module.exports is a "CommonJS module". Browserify is a tool that packages up a graph of CommonJS modules for use in the browser - there are other tools such as Webpack and rollup which do the same thing.

23. to thwart attacks based on sites embedding their own malicious copies of the client

As I noted in Slack, it is trivial for a page to redirect iframes created by the extension to a different URL.

24. But it seems like there may be a race condition here between the Chrome extension and embedded instance of Hypothesis?

I believe there is. If you activate the Chrome extension while the page is still loading and before the embedded Hypothesis client has loaded, it is possible the extension will win.

25. I believe this is intended to have the Chrome extension abort on launch, if there is already an embedded instance of Hypothesis in the page?

This is correct. If you try to activate the Chrome extension on a page which embeds Hypothesis, whichever loads first, which will almost always be the embed, will win.
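Added example (not the Hypothesis client's own code) of the config-reading behaviour discussed in this thread: later js-hypothesis-config tags override earlier ones, a parse failure yields a helpful error naming the tag, host-page-supplied assetRoot is never accepted, and an ignoreHostPage mode covers the extension case. The tags are plain objects standing in for DOM elements so it runs offline; the function and option names are assumptions.

```javascript
const CONFIG_CLASS = 'js-hypothesis-config';
// Keys the host page is never allowed to set (the thread notes assetRoot is
// read only from app.html, never from the embedding page).
const HOST_PAGE_BLOCKED_KEYS = new Set(['assetRoot']);

function isConfigTag(el) {
  return el.tagName === 'SCRIPT' &&
    el.className.split(/\s+/).includes(CONFIG_CLASS) &&
    el.type === 'application/json';
}

// Returns {config, sources, errors, dropped}. `sources` records the index of the
// tag that last set each key, so a setting silently overridden by a later tag
// further down the page can be reported instead of puzzling the publisher.
function readConfig(scriptTags, { ignoreHostPage = false } = {}) {
  const result = { config: {}, sources: {}, errors: [], dropped: [] };
  if (ignoreHostPage) return result; // extension mode: host page settings ignored
  scriptTags.forEach((el, index) => {
    if (!isConfigTag(el)) return;
    let parsed;
    try {
      parsed = JSON.parse(el.textContent);
    } catch (err) {
      result.errors.push(`Config tag #${index}: ${err.message}`);
      return;
    }
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      result.errors.push(`Config tag #${index}: expected a JSON object`);
      return;
    }
    for (const [key, value] of Object.entries(parsed)) {
      if (HOST_PAGE_BLOCKED_KEYS.has(key)) {
        result.dropped.push(key); // host page may not set this key
        continue;
      }
      result.config[key] = value;
      result.sources[key] = index;
    }
  });
  return result;
}

// Constructed sample input standing in for document.querySelectorAll('script').
const SAMPLE_TAGS = [
  { tagName: 'SCRIPT', className: 'js-hypothesis-config', type: 'application/json',
    textContent: '{"openSidebar": false, "showHighlights": true}' },
  { tagName: 'SCRIPT', className: 'analytics', type: 'text/javascript', textContent: 'x=1' },
  { tagName: 'SCRIPT', className: 'js-hypothesis-config', type: 'application/json',
    textContent: '{"openSidebar": true, "assetRoot": "https://PLACEHOLDER.example/"}' },
  { tagName: 'SCRIPT', className: 'js-hypothesis-config', type: 'application/json',
    textContent: '{openSidebar: true}' }, // invalid JSON: unquoted key
];
```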

#### URL

156. localhost:8001 localhost:8001