🚨 ActivityPub Client and C2S Support
If you read that and you have any influence in the development of Fediverse projects please make sure the CORS headers for the following endpoints are set to \*.
* /.well-known/webfinger (needed to fetch account information)
* /.well-known/nodeinfo (needed to get information about what software the instance runs)
* The outbox endpoint to get posts and all referenced endpoints to be able to access public content from web
For readers the follow-up to the same toot is relevant as well. First reply is “Don’t do this”.
Inaccessible reply
Ah, that is due to the particular app that is being used, called Bovine. @[email protected] (also not directly browser-accessible) wrote:
🚨🚨🚨 DON’T! This suggestion leads to Spaghetti Architecture.
First, Client to Server specifies how one client talks to one server. This change is about one Client (in a browser) talking to a lot of servers, breaking the "Servers talk to Servers, a Client talks to the Server it's a client of" pattern.
Second, this change allows clients (in browsers) to circumvent blocking. If you block a server domain, you don’t want the clients to fallback to getting the information directly from you.
So please, do not implement this change; and if you have this type of CORS header set, consider removing them.
Top-level toot: https://social.oberhauser.space/@obale/110058041568721745
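The two toots above disagree about whether `/.well-known/webfinger`, `/.well-known/nodeinfo` and outbox endpoints should answer with `Access-Control-Allow-Origin: *`. The added example below is mine, not code from either toot or from Bovine; it shows the restrictive alternative the reply argues for (echo only an allow-listed `Origin`, with `Vary: Origin` so caches do not leak one origin's answer to another) and a small audit that flags wildcard CORS on exactly those ActivityPub endpoints. The allow-list, the outbox path and the sample response headers are constructed for the example.

```python
"""Added example: CORS policy helper and wildcard audit for ActivityPub endpoints.

Not from the quoted toots. The allow-list, paths and sample headers below are
constructed; a real deployment would read them from its configuration and
from live responses.
"""

# The endpoints the first toot asked to open with a wildcard. Outbox paths
# vary per instance, so they are matched by suffix in audit_cors().
WELL_KNOWN_ENDPOINTS = ("/.well-known/webfinger", "/.well-known/nodeinfo")


def cors_headers(origin, allowed_origins):
    """Return CORS response headers for an allow-listed origin, or {} otherwise.

    Echoing the specific origin instead of '*' means a browser-side client on
    an unknown origin gets no CORS grant at all, so it cannot read the
    response even though the content is public.
    """
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET",
        "Vary": "Origin",  # keep shared caches from reusing this grant for another origin
    }


def is_activitypub_endpoint(path):
    """True for the well-known discovery endpoints and any actor outbox."""
    return path in WELL_KNOWN_ENDPOINTS or path.endswith("/outbox")


def audit_cors(path, response_headers):
    """Return a finding string if an AP endpoint answers with a wildcard CORS header, else None."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    acao = lowered.get("access-control-allow-origin")
    if acao is None or acao.strip() != "*" or not is_activitypub_endpoint(path):
        return None
    return f"{path}: wildcard Access-Control-Allow-Origin lets any browser origin read it"


# Constructed sample responses, as if captured from an instance.
SAMPLE_RESPONSES = [
    ("/.well-known/webfinger", {"Content-Type": "application/jrd+json",
                                "Access-Control-Allow-Origin": "*"}),
    ("/.well-known/nodeinfo", {"Content-Type": "application/json"}),
    ("/users/alice/outbox", {"Content-Type": "application/activity+json",
                             "Access-Control-Allow-Origin": "https://client.example",
                             "Vary": "Origin"}),
    ("/api/v1/instance", {"Content-Type": "application/json",
                          "access-control-allow-origin": "*"}),
]


def run_audit(responses=SAMPLE_RESPONSES):
    """Collect findings for every sampled response."""
    findings = []
    for path, headers in responses:
        finding = audit_cors(path, headers)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
    print(cors_headers("https://client.example", {"https://client.example"}))
    print(cors_headers("https://other.example", {"https://client.example"}))
```

Only the webfinger entry is reported: the outbox sample already echoes a specific origin, and the non-ActivityPub `/api/v1/instance` path is outside the audit's scope even though it too carries a wildcard.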