julian, @oplik0 and I are having a discussion regarding the conditions upon which origin checking should be done on S2S activity receipt.

The spec says this:

> Servers should not trust client submitted content, and federated servers also should not trust content received from a server other than the content's origin without some form of verification.

Reasonable, if a little open-ended. I took this to mean that if an `Activity(Object)` is received and `Object` is a copy of the resource itself, then origin checking is required. This is reflected currently in the NodeBB code, where if `typeof object !== 'string'` then an origin check is carried out.

Problem is, that's a code smell. It's not readily apparent why an origin check is only carried out under that condition. Compounding this is that not all activities need an origin check: `Create`, `Update`, and `Delete` typically don't (careful in my wording here, lest I say something way off-base).

@oplik0 advocates for a more explicit approach, where perhaps an object uri is dereferenced regardless, and an origin check is carried out if the specific `Activity`-`Object` type pair calls for it (and if the uri doesn't match).

(P.S. Yes, @hrefna, I know `object` can also be an Array... or undefined... or null... don't @ me!)
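The two rules discussed in this post, as an added JavaScript example that is my own illustration and not NodeBB's code: the current shape-based rule, the proposed type-pair policy rule, and the origin comparison itself, with `object` handled as a string, an embedded object, an array, undefined or null. The helper names, the `'Activity/Object'` policy key format, the optional `deref` callback and the sample activities are all assumptions made here.

```javascript
// Added example, not NodeBB's code. Assumes `activity.actor` is the sending
// actor's URL and that an embedded object carries an `id` URL.

// scheme://host[:port] of a URL string, or null when it is not an absolute URL
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Normalise `object` (string id, embedded object, array of either, undefined or
// null) into a flat list of { id, type, embedded }. `deref` is an optional
// caller-supplied lookup used to learn the type of a bare id (assumption).
function objectEntries(object, deref = () => null) {
  if (object === undefined || object === null) return [];
  return (Array.isArray(object) ? object : [object]).map((o) => (
    typeof o === 'string'
      ? { id: o, type: deref(o)?.type ?? null, embedded: false }
      : { id: typeof o.id === 'string' ? o.id : null, type: o.type ?? null, embedded: true }
  ));
}

// Current rule from the post: check origin only when a copy of the resource is
// embedded (the `typeof object !== 'string'` branch).
function needsCheckByShape(activity) {
  return objectEntries(activity.object).some((e) => e.embedded);
}

// Proposed rule: the (activity type, object type) pair decides, regardless of
// how the object arrived. `policy` is a caller-supplied Set of 'Activity/Object'
// keys; which pairs belong in it is left to the caller (constructed placeholder).
function needsCheckByPolicy(activity, policy, deref) {
  return objectEntries(activity.object, deref)
    .some((e) => policy.has(`${activity.type}/${e.type}`));
}

// The origin check proper: every embedded object must carry an id whose origin
// equals the actor's origin. Bare ids are skipped because they will be
// dereferenced from their own origin. Returns { required, ok, mismatches }.
function originCheck(activity, required) {
  const actorOrigin = originOf(activity.actor);
  const mismatches = [];
  if (required) {
    for (const e of objectEntries(activity.object)) {
      if (!e.embedded) continue;
      if (e.id === null || actorOrigin === null || originOf(e.id) !== actorOrigin) {
        mismatches.push(e.id);
      }
    }
  }
  return { required, ok: mismatches.length === 0, mismatches };
}
```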