28 comments
Evan Prodromou

@dansup that www. is going to be a problem. I hope they clean that up.

Григорий Клюшников

Evan, that, and they don't even have /.well-known/host-meta set up to properly redirect it.

top.ofthe.top

> > that, and they don't even have /.well-known/host-meta set up to properly redirect it.

I don't think www will cause problems, their webfinger works, request to https://threads.net/.well-known/webfinger?resource=acct:mosseri@threads.net returns {"subject":"acct:mosseri@threads.net","links":[{"href":"https://www.threads.net/ap/users/mosseri/","rel":"self","type":"application/activity+json"}]}

Evan Prodromou

@top @dansup @grishka

WebFinger lets us take an ID like name@domain.example and get an actor endpoint https://domain.example/some/path/to/idnumber.jsonld . The format of the actor endpoint is implementation-dependent, so the WebFinger lets us have a nice little ID that is easily recognizable.

Evan Prodromou

@grishka The problem (?) is that I could configure my WebFinger server to point to someone else's actor endpoint, which would be misleading. So if evan@domain.example points to https://whitehouse.example/users/potus, it would make it seem like evan@domain.example is the right shortcut for getting to the President of the United States's ActivityPub endpoint. (It will happen.) It's not *that* big a deal, but it's a little bit of a problem.

Evan Prodromou

@grishka What we need is a way for the AP descriptor to say, "these are valid Webfinger strings to use for this account." There's not a way to do that in the AP standard (yet; I'm going to start working on a FEP for it).

Evan Prodromou

@grishka The way Mastodon hacked around this, and other implementations have copied, was by taking another element of the actor, `preferredUsername`, and the domain part of the actor endpoint, and making a Webfinger id out of those two. So, in the above example, it'd make a Webfinger ID out of potus@whitehouse.example.

Evan Prodromou

@grishka It then does the Webfinger lookup again with that new Webfinger ID, and checks that it points to the right Actor endpoint. It then stores this webfinger ID as the right one to use for this actor from now on.

Evan Prodromou

@grishka So, the problem I'm seeing with threads is that its webfinger IDs are on the threads.net domain, like mosseri@threads.net. But the actor endpoints are on the www dot threads.net domain (I typed that out because threads keeps eliding out the www), so all the services are going through the dance I described above, and ending up with "corrected" Webfinger IDs like mosseri@www.threads.net.

Evan Prodromou

@grishka In general, we just want to use the bare domain name if at all possible, at least for the actor endpoint.
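
Added example, not part of the thread or of any project's code: a Python sketch of the resolve, rebuild and re-verify steps described in the comments above, with constructed offline fixtures standing in for the WebFinger and actor HTTP requests. The function names, the `mallory`/`orphan.example` entries and the `preferredUsername` values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed fixtures: acct -> rel="self" actor URL (stand-in for WebFinger over HTTPS).
WEBFINGER = {
    "mosseri@threads.net": "https://www.threads.net/ap/users/mosseri/",
    "mosseri@www.threads.net": "https://www.threads.net/ap/users/mosseri/",
    "evan@domain.example": "https://whitehouse.example/users/potus",
    "potus@whitehouse.example": "https://whitehouse.example/users/potus",
    "mallory@domain.example": "https://orphan.example/users/bob",  # hypothetical
}
# Constructed fixtures: actor URL -> actor document (only the field used here).
ACTORS = {
    "https://www.threads.net/ap/users/mosseri/": {"preferredUsername": "mosseri"},
    "https://whitehouse.example/users/potus": {"preferredUsername": "potus"},
    "https://orphan.example/users/bob": {"preferredUsername": "bob"},
}


def webfinger_self(acct):
    """Return the actor URL WebFinger gives for acct, or None if there is none."""
    return WEBFINGER.get(acct.lower())


def canonical_acct(claimed):
    """Return the user@domain that the actor's own host confirms for this actor."""
    actor_url = webfinger_self(claimed)
    if actor_url is None:
        raise LookupError(f"no WebFinger result for {claimed}")
    actor = ACTORS.get(actor_url)
    if actor is None:
        raise LookupError(f"cannot fetch actor {actor_url}")
    # Rebuild the ID from the actor itself: preferredUsername + host of the actor URL.
    host = urlsplit(actor_url).hostname
    derived = f"{actor['preferredUsername']}@{host}"
    # Second lookup: the derived ID must resolve back to the very same actor URL.
    if webfinger_self(derived) != actor_url:
        raise ValueError(f"{derived} does not resolve back to {actor_url}")
    return derived


if __name__ == "__main__":
    for acct in ("mosseri@threads.net", "evan@domain.example"):
        print(acct, "->", canonical_acct(acct))
```

The first lookup shows why the "corrected" ID ends up on the www host; the second shows the misleading alias being replaced by the ID the actor's own domain vouches for.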

top.ofthe.top

Most ActivityPub implementations rely on webfinger anyway and I see that threads.net's webfinger solves the problem by returning the proper URI even if I mistakenly request mosseri@www.threads.net.

But www subdomain is desirable for cookies isolation in cases when site has multiple other subdomains for different purposes.

top.ofthe.top

> > Smithereen too, by the way

Their URL https://www.threads.net/ap/users/mosseri/ responds to me with text/html even if the Accept header is application/activity+json.

Григорий Клюшников

top.ofthe.top, you need to sign your get request. I already sign mine for an unrelated reason (private groups & privacy settings), so it just worked for me.

top.ofthe.top

Yes, signing get requests helped, thanks. This also fixed federation with gotosocial, they require get requests to be signed too (I was lazy to fix it). But in case of required signature threads.net should respond with error like 401 unauthorized like gotosocial does.

Ben Pate 🤘🏻

@dansup Congrats on this!

Did Federation just work through the power of friendship and ActivityPub? Or did you have to do any extra work to make the connections go? If you learned any lessons in getting this to interop, it would be amazing to hear what you did.

dansup

@benpate It just worked, someone from our instance followed a threads account!

Ben Pate 🤘🏻

@dansup That's awesome news. Thank you for this info.

Hopefully it means that there’s not a “Threads dialect” of ActivityPub, and if I can communicate with PixelFed I shouldn’t be too far away from talking to Threads, too.

Rairii

@dansup ok, now when are you going to tick the bottom option there

the one you should have ticked already

the one labeled "Banned"

slade 🏳️‍🌈

@dansup Absolutely wild! Though it's kinda jarring to have the usernames end in @/www.threads.net and I hope they make it just threads.net in the future.

Shadow Heart

@dansup thanks for the heads up just deleted my account.

DELETED

@dansup then pixelfed must be defederated like the collaborators that embraced truth,social.

guyinahat

@dansup not better but 😃 you know, who cares. 😂

Peloria

@dansup When threads accounts interact with Pixelfed accounts, is there data leakage?
How can I protect my data or how can I prevent Meta from profiting from my activities?

Should I leave?

dansup

@peloria In the next release you will have the ability to block any server domain, like threads.net, this will prevent them from being able to view your data

Peloria

@dansup So it's an opt-out option and not so technical users are meta presented with a gift...
