Gregory's Server@grishka The problem (?) is that I could configure my WebFinger server to point to someone else's actor endpoint, which would be misleading. So if evan@domain.example points to https://whitehouse.example/users/potus, it would make it seem like evan@domain.example is the right shortcut for getting to the President of the United States's ActivityPub endpoint. (It will happen.) It's not *that* big a deal, but it's a little bit of a problem.
|
6 comments
 @grishka The way Mastodon hacked around this, and other implementations have copied, was by taking another element of the actor, `preferredUsername`, and the domain part of the actor endpoint, and making a Webfinger id out of those two. So, in the above example, it'd make a Webfinger ID out of potus@whitehouse.example. @grishka It then does the Webfinger lookup again with that new Webfinger ID, and checks that it points to the right Actor endpoint. It then stores this webfinger ID as the right one to use for this actor from now on. @grishka So, the problem I'm seeing with threads is that its webfinger IDs are on the threads.net domain, like mosseri@threads.net. But the actor endpoints are on the www dot threads.net domain (I typed that out because threads keeps eliding out the www), so all the services are going through the dance I described above, and ending up with "corrected" Webfinger IDs like mosseri@www.threads.net. @grishka In general, we just want to use the bare domain name if at all possible, at least for the actor endpoint.  Most activitypub implementations rely on webfinger anyway and I see that threads.net's webfinger solves the problem by returning proper URI even if I mistakely request But www subdomain is desirable for cookies isolation in cases when site has multiple other subdomains for different purposes. |
@grishka What we need is a way for the AP descriptor to say, "these are valid Webfinger strings to use for this account." There's not a way to do that in the AP standard (yet; I'm going to start working on a FEP for it).