I am working on Jejune, a personal ActivityPub server that has a feature set similar to Tumblr.
As part of this, Jejune Client is an ActivityPub C2S client which runs in the browser to allow the user to manage her instance, read posts in her inbox and publish new posts to her friends.
As part of this process, I have discovered that many AP servers do not consistently provide CORS headers when fetching ActivityPub objects.
For example, SocialHome does not provide any CORS headers when fetching ActivityStreams objects, which means that posts from SocialHome users do not appear in a correctly attributed way (as we can’t fetch the attributed actor), and Mastodon only provides CORS headers when fetching actors, but not posts and activities, which causes problems with building functionality where a user may want to examine a thread.
These can be mitigated by proxying the requests through the local AP server, but I don’t think this is a good design – if I can fetch something with curl on the command line, I believe I should be able to fetch the same content with a browser.
So, I think it may be good to document the use of CORS headers when interacting with ActivityStreams/ActivityPub objects and endpoints over HTTP. What do people think?
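As an added illustration (not code from the post, Jejune or any of the servers named), here is a small Python model of the browser-side CORS decision for a cross-origin GET of an ActivityStreams object, run over constructed sample response headers. It goes a step beyond the post: the `Accept` value carrying the AS2 profile parameter contains a double quote, which the Fetch standard treats as a CORS-unsafe byte, so that variant forces a preflight that a plain `Access-Control-Allow-Origin` on the GET alone does not satisfy. The client origin and all header sets are constructed examples.

```python
"""Model of a browser's CORS decision for a cross-origin GET of an AS2 object.

Follows the WHATWG Fetch definition of a CORS-safelisted `Accept` value and the
Access-Control-Allow-Origin / Access-Control-Allow-Headers checks. All sample
headers below are constructed, not captured from any real server."""
from typing import Dict, Optional

# Bytes that make an Accept value CORS-unsafe (Fetch: "CORS-unsafe request-header
# byte"); their presence forces the browser to send an OPTIONS preflight first.
_UNSAFE = set('"():<>?@[\\]{}\x7f') | {chr(b) for b in range(0x20) if b != 0x09}


def accept_is_safelisted(accept: str) -> bool:
    """True if this Accept value lets the GET go out without a preflight."""
    return len(accept) <= 128 and not any(ch in _UNSAFE for ch in accept)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())


def _origin_allowed(headers: Dict[str, str], origin: str) -> bool:
    acao = _header(headers, "Access-Control-Allow-Origin")
    return acao is not None and acao.strip() in ("*", origin)


def browser_can_read(origin: str, accept: str, response: Dict[str, str],
                     preflight: Optional[Dict[str, str]] = None) -> bool:
    """Return True if a page at `origin` could read the object body.
    `response` holds the GET response headers; `preflight` holds the OPTIONS
    response headers, or None if no preflight was answered."""
    if not accept_is_safelisted(accept):
        if preflight is None or not _origin_allowed(preflight, origin):
            return False
        allowed = {h.strip().lower() for h in
                   (_header(preflight, "Access-Control-Allow-Headers") or "").split(",")}
        if "accept" not in allowed and "*" not in allowed:
            return False
    return _origin_allowed(response, origin)


CLIENT_ORIGIN = "https://client.example"  # constructed client origin
NO_CORS = {"Content-Type": "application/activity+json"}                       # constructed
WITH_ACAO = {**NO_CORS, "Access-Control-Allow-Origin": "*"}                   # constructed
PREFLIGHT_OK = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Accept"}


def demo() -> Dict[str, bool]:
    simple = "application/activity+json"
    profiled = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
    return {
        "no_cors_headers": browser_can_read(CLIENT_ORIGIN, simple, NO_CORS),
        "acao_on_get": browser_can_read(CLIENT_ORIGIN, simple, WITH_ACAO),
        "profiled_no_preflight": browser_can_read(CLIENT_ORIGIN, profiled, WITH_ACAO),
        "profiled_with_preflight": browser_can_read(CLIENT_ORIGIN, profiled, WITH_ACAO, PREFLIGHT_OK),
    }
```

A server that wants browser clients to read its objects therefore needs the `Access-Control-Allow-Origin` header on every object response, plus an OPTIONS handler allowing `Accept` if clients send the profiled media type.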