On Mastodon-powered Blog Comments

This blog has a comment section and it's powered by ActivityPub pixies. I share some thoughts about the pros and cons.

23 February 2024

This is going to be a quick post, mostly spurred on by @boris@cosocial.ca’s excellent suggestion.

This blog now has a comment section, and it’s powered by Mastodon, a federated micro-blog social network. (Here’s a 2 minute video introducing Mastodon if you have more questions.)

How does it work?

  1. I make a post on cosocial.ca
  2. People can reply to the post.
  3. Those replies show up at the bottom of the corresponding blog post.

Why’d you do that?

So, firstly, I wanted a comment section. Secondly, I’m a big fan of using an open protocol for this. As I’ll discuss, the alternatives don’t really scratch my itch as well. Finally, it was super simple.

I’ve already been pleasantly surprised by a comment from one of Blake3’s authors about a post I made about hashing algorithm benchmarks.

Together, we discovered that overheads in the Python binding of Blake3 resulted in unexpected slowdowns on short inputs. (Listen, we all have different definitions of what’s exciting.)

How’d you do that?

There are a lot of far more excellent blog posts than this one explaining how to do the same on your site. It’s actually exceptionally easy and very hackable.

Since I use Hugo to build my blog, I found this article by Daniel Pecos Martínez most relevant.

Looking closer at the code, however, made me realize that there were some really amazing things about using Mastodon for comments, but equally I had a few concerns. Rather than go over how to add Mastodon-powered comments to your blog, I thought I’d share some thoughts.


Distributed moderation

There are two types of blog comments that everyone who has ever run a blog comment section will run into: spam and hate speech. It’s sort of the “death and taxes” of the internet.

The only bullet-proof way of dealing with these two is to require comments be approved before publishing them. This still means you need to spend time reading a tonne of comments about cheap erectile dysfunction pills or some uncreative bigotry. If you’re most people, you’ll get more spam and hate than real comments, and probably just shutter the whole thing. (After writing this, I found this HackerNews comment that describes this really well.)

Using Mastodon to power your comments means that your comments will be subject to the same moderation as your Mastodon feed. How moderation works in Mastodon is a bit complicated, but suffice it to say, if you’re happy with how your replies are being moderated, your instance (here, “instance” means Mastodon server) is doing a good job. If you’re unhappy with how posts you see are moderated, consider switching instances to a better moderated one.

Most instances have multiple people moderating. Many hands make light work, and folks are less likely to burn out. Sometimes, hateful comments will be swept up before you see them; other times, you’ll have to flag them.

I’m a bit lucky in that I’m part of the Trust & Safety team at CoSocial.ca and know that I can trust my fellow moderators.

Plays nice with static sites

Static site generators are responsible for about 98.2% (a figure precisely measured by randomly choosing a percentage close to 100%) of all blogs I read. They cover nearly every feature of dynamic weblog software like WordPress or Movable Type, but blog comments are a glaring absent feature.

Dropping Mastodon comments into a static site is crazy simple! Include a JavaScript file, add an empty div HTML tag, and that’s it!

Of course, you can already do that with third-party services like Disqus, but that leads me to my next point:

No need for ads, privacy violations, or huge price tags

I’m unaware of any Mastodon instances that inject advertisements into the timeline (it’s only a matter of time, IMHO), but regardless, you can just choose one that doesn’t.

Similarly, plenty of Mastodon servers have well-defined and respectable Privacy Policies.

Disqus, Viafoura, and OpenWeb all either have super-high “Call for a Quote” pricing, show adverts, or both. The industry also doesn’t have the best track record when it comes to privacy.

While most are, not all Mastodon instances are free to join. The instance I’m active on requires a $50 CAD/year contribution. That has to be cheaper than “Call for a Quote” pricing, though.

Anywho, I have no desire to patronize any of the above companies. Of course, some folks might say that I can side-step all these issues by self-hosting an open-source comment system. This brings me to my next point:

No need to self-host

I suck at deploying things. I suck even more at keeping things deployed and reliable.

So of course, while self-hosted commenting systems like Isso, Commento, and many, many more side-step the problems of Disqus & friends, they require you deploy them. I don’t have time for that, and even if I did, I’d probably DROP the database regularly.

Interestingly, Commento has a paid hosted offering, which looks compelling, but it’s double the cost of my CoSocial.ca membership, so I’ll just stick with this.

Unifying the conversation with open protocols

I think this is probably the coolest aspect of Mastodon-powered comments.

When someone posts a link to a blog post on Reddit, there’s likely an interesting conversation going on there. But there’s often another interesting conversation going on in the blog post’s comment section. This is true of Twitter and Facebook and pretty much all social media.

So many times I’ve seen questions posed by Reddit comments answered in the Blog’s comment section, and vice-versa. Things truly would make a whole lot more sense if we could just have one big conversation.

ActivityPub, the protocol that Mastodon runs on, does this really well. It means that any software (not just Mastodon) that speaks the protocol can read or write comments to my blog post. That’s pretty rad.

Up until Reddit, Facebook, and Twitter mothballed their APIs, you could possibly have done something similar to what folks do with Mastodon for comments. The thing is, a CEO can’t turn off Mastodon’s API because they’re transitioning from their Embrace phase to their Extinguish arc.

Other than Mastodon and the Fediverse, the only online community I’m active on is HackerNews. (Forgive me this sin. This is my vice; I’ve heard it’s a marginally healthier habit than smoking.) You can actually add HN comments to your blog posts in a similar manner to adding Mastodon comments. While it’s tempting, it’s really hard for me to pass on the promise of open protocols like ActivityPub.


Requires a Mastodon account

In my opinion, by-far the largest barrier to joining Mastodon is making an account. It’s not evident to everyone that they need to pick an instance, and that they can change instances easily should they come not to like it.

So this will definitely stop some people from being able to comment, and that does suck.

Does not degrade very gracefully

I try as much as I can with this blog for it to degrade gracefully. Graceful degradation is the idea that websites should still be as useful as possible if a user’s browser doesn’t support some features.

Here, we depend on JavaScript to display the comments. Without it, the comments won’t be shown on the page. This is in contrast to how dynamic sites like WordPress or Movable Type send comments as part of the page request.

This con is true of all the Disqus-like comment sections.

While I link to the Mastodon post if you block JavaScript or your browser doesn’t support it, you’ll need JavaScript to see that page too, so we’re out of luck.

The best you can hope for is that most people block Javascript on untrusted sites, and that they have a Mastodon server they can trust to view the post.

Not ActivityPub native

This is a microscopic nit, but something feels wrong about depending on the Mastodon API for something that really shouldn’t be Mastodon specific. It would be way cooler to use a JS library that speaks ActivityPub and use that to fetch replies.

Yes, I tried writing something using ActivityPub, but I quickly lost steam. I’m already shaving too many yaks. Maybe I’ll wait for @evan@cosocial.ca’s new ActivityPub book to come out and give it another shot.

Readership privacy concerns

Using Mastodon to power your comments means that every time someone visits the blog post, their browser makes a request to your Mastodon instance.

If your Mastodon instance were so inclined, it could track users across all the blogs that use it for comments, à la Disqus.

Now, I trust my instance (especially due to its cooperative business structure, meaning that it is jointly owned and democratically run by its users), but I’d rather not ask my visitors (all 2 of them) to do so. Ideally I’d proxy these requests through my server, but it’s yaks all the way down.

On potential XSS risk

File this under ultra-paranoid.

All the tutorials for adding Mastodon-powered comments I linked to make an AJAX call to a Mastodon server. What’s returned to us is a JSON payload with post replies. Each reply is marked up in HTML, which we then add to the DOM using JavaScript.

Now, generally speaking it’s a bad idea to inject HTML you fetched over the internet from a third party into your webpage, lest you fall victim to an XSS attack. Luckily there are three layers of security.

  1. Mastodon servers sanitize HTML
  2. The data is fetched over HTTPS
  3. The script on our blog sanitizes HTML

Mastodon has an allowlist of HTML tags and attributes. That said, you need to trust that the server is, intentionally or unintentionally, serving you safe HTML.

Even if the Mastodon server is giving us safe HTML, we need to make sure that it isn’t altered in-flight by a bad actor. Luckily, as long as your Mastodon instance serves content over HTTPS with a valid certificate, we needn’t worry.

Our final layer of defence is that we sanitize the HTML client-side. Mr. Martínez’s post I linked earlier, as well as pretty much all of the posts I’ve read on Mastodon comments, sanitize all the HTML using the DOMPurify library.

The only changes I’ve made to Mr. Martínez’s script are to:

  1. Configure DOMPurify to limit the HTML tags we accept to p, span, a, details, br and the attributes rel and href.
  2. Strip tags and encode all special characters in everything but the body text.

For the last list item, I betray how little JavaScript I write day-to-day. I nicked the strip_tags and htmlentities functions from php.js, a project that implements PHP functions in JavaScript. (Ok, I lied about HackerNews being my only vice.)

So, while this comes at the cost of stripping custom emojis in user display names, it’s just one less thing to have to worry about.
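As an added example (not the blog’s own script, nor Mr. Martínez’s), here is how those two steps fit together in JavaScript: the body of each reply goes through DOMPurify with the allowlist from the list above, while everything else (display names, handles, profile links) is stripped, entity-encoded, or scheme-checked as plain data. The sanitizer is injected so the module can run outside a browser; `renderReplies`, `plainText`, `safeUrl` and the sample JSON are my own names and constructed data, while the `descendants` shape is that of Mastodon’s status context endpoint.

```javascript
// Added example, not the blog's own script: reply rendering that keeps body HTML
// (allowlisted by DOMPurify) separate from fields that must only ever be text.

// DOMPurify options mirroring the post: only these tags and attributes survive.
const PURIFY_CONFIG = {
  ALLOWED_TAGS: ["p", "span", "a", "details", "br"],
  ALLOWED_ATTR: ["rel", "href"],
};

// The strip_tags + htmlentities step for non-body fields (display names, handles):
// drop any markup, then encode every character that could re-open markup.
function plainText(value) {
  const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value ?? "")
    .replace(/<[^>]*>/g, "")
    .replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Profile links land in an href, where entity encoding alone is not enough:
// only http(s) URLs are accepted; anything else becomes an inert "#".
function safeUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" || u.protocol === "http:" ? raw : "#";
  } catch {
    return "#";
  }
}

// `context` is the JSON from Mastodon's GET /api/v1/statuses/:id/context
// (replies live in `descendants`); `sanitize` is DOMPurify.sanitize in the browser.
function renderReplies(context, sanitize) {
  return (context.descendants || []).map((status) => {
    const name = plainText(status.account.display_name || status.account.username);
    const handle = plainText(status.account.acct);
    const profile = safeUrl(status.account.url);
    const body = sanitize(status.content, PURIFY_CONFIG); // allowlisted HTML only
    return (
      `<article class="comment"><header>` +
      `<a href="${profile}" rel="nofollow noopener">${name}</a> ` +
      `<span>@${handle}</span></header>${body}</article>`
    );
  });
}

// Constructed sample reply (not real API output) with markup in the display name.
const SAMPLE_CONTEXT = {
  descendants: [{
    content: '<p>Nice post! <a href="https://example.org" rel="nofollow">link</a></p>',
    account: { display_name: "<b>Ada</b> & co", username: "ada",
               acct: "ada@example.social", url: "mailto:ada@example.social" },
  }],
};
```

In the browser the call is `renderReplies(context, DOMPurify.sanitize)` and each returned fragment is appended to the comments div; the custom-emoji loss mentioned above comes from `plainText` turning the name’s markup into text.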

What I’d change about my set-up

As I alluded to earlier, I’d like:

  1. To use a JavaScript library that speaks ActivityPub natively rather than the Mastodon API.
  2. Proxy and cache (and sanitize?) these requests through my server.

For now, however, I’m happy with the set-up as-is.

Leave a comment as a reply to this Mastodon post and it'll show up right here.