On Jetpack and Auto-Activating Modules

Hopefully, this is the last time that I’ll have to answer this question.

Frankly, it’s been answered dozens of times before. Now, I’m hoping to use this as a canonical ‘Answer Link’ that I can refer people to.  I’ll keep up with comments, so if anyone would like to ask

So, why does Jetpack auto-activate features?

Well, to start off, I should probably clarify what we currently do on this. We don’t auto-activate every new module that comes in.

We never auto-activate features that affect the display or front-end of your site — or at least not unless a site administrator explicitly configures them to.

So, for example, something like Photon, which would swap all your content images to CDN-hosted versions, doesn’t auto-activate. Our comments system doesn’t auto-activate either, as that would swap out your native comment form. Our sharing buttons do, but they don’t display unless you take the time to drag down some sharing buttons to the output box under Settings > Sharing.

However, modules like Publicize, Widget Visibility, and the like — they just give you new tools that you can use, with no risk to affecting your everyday visitors. When users upgrade, we give them a notification of what just happened, and point out some new features we’ve built in that they may want to activate themselves.

One thing we’ve recently expanded on, perhaps six months ago, is a ‘plugin duplication list’, for lack of a better phrase. These aren’t plugins that have an actual code-based conflict with a module, they’re ones that may be … duplicating effort. Previously, we were just scanning for plugins that would output OG Meta Tags, and short-circuit our own provider. However, since Jetpack 2.6, which shipped in November 2013, we’re actually doing it via a filter for all modules. For example, if you’ve got Gravity Forms or Contact Form 7 installed and active, our internal Jetpack Contact Form won’t auto-activate. If you’ve got AddThis or ShareThis active, our sharing buttons module won’t even kick in.

Now, obviously, we can’t catch every single plugin that may be similar enough to one of our modules to give cause to negate auto-activation. So there’s a filter, `jetpack_get_default_modules`, that can be used in any plugin to cancel auto-activation on any module.


add_filter( 'jetpack_get_default_modules', 'my_jetpack_get_default_modules' );
function my_jetpack_get_default_modules( $modules ) {
    return array_diff( $modules, array( 'module-slug' ) );
}

But I don’t like auto-activation of new features!

Okay.

You’re totally allowed not to.

We’re going to continue using our discretion to auto-activate select modules by default, but if you’d like to turn it off permanently for yours or a client’s site, we’ve made it ridiculously easy to do.


add_filter( 'jetpack_get_default_modules', '__return_empty_array' );

That’s it.

We believe that judiciously enabling new features is a win for users, especially considering 1) how low-impact most features are when ‘active’ but not actually implemented by a site owner, 2) how awkward it is for a site owner to have to enable something twice — for example, enabling the Custom Post Formats bit, and then having to visit Settings > Writing in order to actually enable the Portfolio custom post type.

We’ve spoken to many, many users who find a default feature set convenient, and resent having to make a bunch of ‘decision points’ if they had to manually activate each and every module. Good software should run well out of the box. So we’ve set up the defaults as we have. Yes, some people disagree and are vocal about not wanting anything to auto-activate. That’s okay. We try to design for the majority, with the best user experience we can provide.

If you have clients, that you’d like to be active in the relationship with, and customize the Jetpack experience for — that’s terrific. You’re the type of people that we add bunches of filters for. We’re all about empowering you to override our decisions, we just prefer to keep the default user interface free of a thousand toggles.

Decisions, not options — no?

A sample of things to come

George Stephanis:

Press This has a much needed refresh coming. Major, major props to Stephane Daury and Michael Arestad who have cranked out the bulk of the work thus far.

Originally posted on Press This Working Group for Core:

Old and busted: blogging a web page with a picture in WordPress, through the bundled Press This bookmarklet (7 steps, 9 if you include having to select some text for a meaningful description, and in-popup scrolling):

Upcoming new hotness: blogging the same page with a picture in WordPress, through our in-development Press This tool, in bookmarklet mode (2 steps):

:D

View original

Twitter oEmbed is Leaking Data

oEmbeds are fun.  They make it easy to embed third-party content on your site, like tweets, status updates, videos, images, all sorts of stuff.

Unfortunately, to do this, third-party code gets injected into your page.  Don’t worry, this is by design, but it does mean that you should only oEmbed from reputable sites.  WordPress Core is very picky as to the providers that it chooses to accept as oEmbed sources.

Twitter is one of these oEmbed providers.  Here’s an example of an embedded tweet:

Neat, isn’t it?

Now, hover over my name.

See that little url that shows on the bottom left corner of your browser (probably)?  It probably looks just like http://twitter.com/daljo628!

Now, click it.  Don’t worry, I’ll wait.

Did the page you landed on have a bunch of extra cruft appended to the end of it?

Maybe it looked something like https://twitter.com/daljo628?original_referer=http%3A%2F%2Fstephanis.info%2F2014%2F05%2F22%2Ftwitter-oembed-is-leaking-data%2F&tw_i=469505591946129408&tw_p=tweetembed?

If you right-click and inspect the element, the URL is just what you expected! If you right-click and open in a new tab — same thing! But if you click normally and let it trigger a Javascript event, it modifies the link before your browser actually processes it.

After you’ve clicked on it normally once, you can come back and re-inspect it, to see that the URL on the link has now changed to the one with the referer data on it — they’re rewriting it inline and intentionally delaying it so when you first click, you wouldn’t realize that the data was being appended.

This can be a problem because some sites employ concealers for the referer http header (No, I didn’t misspell referrer) like href.li for example. By embedding this in a get parameter forcibly, it’s leaking data in a way very difficult to block, by taking advantage of the trust offered via accepting Twitter as an oEmbed provider.

automattic-santacruz-2013

One Year with Automattic

Well, it’s that time.

One year ago today, I started full time at Automattic.

Best. Job. Ever.

I get to work with some of the most brilliant minds I’ve ever known, all of whom, in addition to co-workers, I am proud to call my friends.

I get to contribute to open source software, and still have free time in the evenings for my family.

Each team meetup, company-wide meetup, and WordCamp I attend feels more like a family reunion than a work function.

I have the privilege of leading the team that develops Jetpack, and the ability to improve the workflow and capabilities of millions of users, every day.

For all this, to all my colleagues friends at Automattic and in the WordPress community at large, thank you.

And by the way, we’re hiring.

The ABC’s of Travel for Techies

Always Be Charging.  A mantra that I held to long before I heard it codified in a catchy A-B-C slogan.

For me, it’s about efficiency.  If I’m sitting near a power outlet, and I have a cord handy, there’s not much of a reason to not plug in.  It’s there, I’m there, let’s top off.

Think about it this way — how often do you hit the critical low battery light on your devices when traveling, and think “Gah, life would be so much easier, if only I had an extra (10 minutes|20 minutes|hour) of battery life!” — well, you can!  Just charge, even when you don’t need it.

Sure, it’s a minor inconvenience to be tethered to an outlet instead of milling about with your phone, but even that can be negated with a travel battery.  The Anker Astro line has some terrific models to pick up, normally for under $50.  With a single Micro-USB cable, I can charge my tablet, my phone, my Karma wifi hotspot, and even HP’s Chromebook 11.

In the end, it’s a hedge.  Will it be needed?  Not every time, no.  But is the minor inconvenience of charging better than a major inconvenience of your battery dying on you?  Well, that’s up to you.

Decisions

Decisions are never easy.

Even if it’s an entirely trivial matter, it’s still forcing you to do something.

And goshdarnit, I’m lazy.

I also prefer front-loading effort when possible. Ounce of prevention, pound of cure, stitch in time saving nine, and all that.

And I respect other people’s time as much as I value my own. So when I build something, I try to avoid decision points whenever possible. This results in the loss of options occasionally, but I believe a smoother user flow.

Now, occasionally power-users will want to modify functionality. Adding a decision point for all users for the sake of the minority is silly, especially when power-users can leverage other methods — filters, actions, functionality plugins that extend the first plugin — to accomplish their goals.

To each according to their needs. Typical users need a simple, smooth, classy interface. Power users need to get under the hood. Why try to make something that doesn’t work well for either by trying to serve both?

The best middle ground I’ve been able to come up with is offering a secondary ‘under the hood’ plugin that exposes a lot of filters as options. Keep it canonical and clean, but present all the options.

Ideal? Not really. Workable? Probably.

dopp-kit-contents

My Dopp Kit

Dopp Kits are wonderful things, and I highly encourage anyone who does much traveling to look into putting one together.  It easily saves me an hour or more on each trip — both on the front-end of collecting everything, as well as scrounging for anything I’ve forgotten once I arrive at my destination!

So here’s what I’ve got:

dopp-kit-contents

It’s served me well thus far, but what do you think? Am I missing anything critical?

Day One: Couch to 5k

I’m finally doing it.  I’ve meant to for a while.

This morning I started week 1 day 1 of the Couch to 5k plan.  I’ve been doing weights regularly for nearly two years now, but have been a bit lax on the aerobic side of looking after myself.

So on my way into the coworking space, I stopped at the gym, cranked up the headphones, and started running.  I’m playing around with an app right now — RunDouble — that you select the program, and it pings you at the right intervals.  My soundtrack for the run today was the album “Bad Blood” by Bastille.

Figuring Couch to 5k is a 9-week program, I’ll probably be trying to find a 5k to do some time in June or July.  As I’ve got my Daughter’s birthday, WordCamp Chicago, a family trip to Vermont, and WordCamp Seattle the four weekends in June, I’ll probably be aiming for July — which is looking much more clear.

Any suggestions for a 5k to do in the Lancaster PA area?

Reign Soundtrack

So, it’s no great secret that my taste in TV shows isn’t always the classiest. I pick fun shows that happen to catch my interest, often just to be mocked for it by my wife.

One of the shows I picked up this season is the CW’s Reign. It’s very akin to The Tudors and its ilk, but with less nudity, cursing, and safer to watch around the baby. After all, it’s on a broadcast channel.

My favorite thing about it so far is actually the soundtrack. So I’ve started compiling the songs into a Google Music playlist (I’ve given up on Spotify a bit ago).

Here it is:

https://play.google.com/music/playlist/AMaBXykQFyGaiuOQy4U2qS_vkFQa5sqWrSGhzb4rYeUr7WP7PFGYD17ZEidsr9qKt8X_-lMvErCBGvC8yzAyVHefdPop0fCN5Q==

Very acoustic-folk sort of ambiance. I really dig it, and you might too!

Here’s the sources I normally gather the track lists for each episode from:

http://www.cwtv.com/music/reign

http://www.entertainmentoutlook.com/2013/11/02/reign-season-1-soundtrack-song-list/