@oplik0 and I are having a discussion regarding the conditions upon which origin checking should be done on S2S activity receipt.
The spec says this:
Servers should not trust client submitted content, and federated servers also should not trust content received from a server other than the content's origin without some form of verification.
Reasonable, if a little open-ended. I took this to mean that if an Activity(Object) is received, if Object is a copy of the resource itself, that origin checking is required. This is reflected currently in the NodeBB code where if typeof object !== 'string then origin check is carried out.
Problem is, that's a code smell. It's not readily apparent why an origin check is only carried out under that condition. Compounding this is that not all activities need an origin check: Create, Update, and Delete typically don't (careful in my wording here, lest I say something way off-base).
@oplik0 advocates for a more explicit approach, where perhaps an object uri is dereferenced regardless, and an origin check is carried out if the specific Activity-Object type pair calls for it (and if the uri doesn't match).
P.S. Yes, @hrefna I know object can also be an Array... or undefined... or null... don't @ me!)
