Change OStatus URI in Webfinger "rel" property (pointing to squatted domain)

On the fediverse a discussion came up about WebFinger requests returning a URL-formatted URI, where the URL points to a domain that is taken over by some casino game website.

The URI can be seen in the Webfinger example on Mastodon docs:

{
  "rel": "http://ostatus.org/schema/1.0/subscribe",
  "template": "https://mastodon.social/authorize_interaction?uri={uri}"
}

Though a URI need not be a dereferenceable URL and the “rel” property does not indicate a URL, it is not unreasonable to expect developers to try the link to see if useful information regarding the specification can be found there.

Entering a squatted domain and a potentially malicious site gives a very bad impression. If we want to avoid this, an improvement might be, either:

  1. Use a non-URL formatted indicator i.e. a URN
  2. Use a URL at a stable location, that ideally yields documentation (@macgirvin uses purl.org and w3id.org is another option)

Apart from that, there is the question of whether OStatus should still be used, or whether it can be entirely deprecated and replaced by an AS/AP equivalent (I have no opinion on this, and don’t know about compatibility issues this may give).

In any case, if there’s willingness to change, then a FEP can address it.

4 Likes

I’m building a fedi client and I’ve definitely attempted a few times to go to that URL thinking it would lead to the specification.

Outside of the fact that Mastodon’s documentation tends to fall out of date, Mastodon’s usage was the first time I’ve heard of OStatus. So it initially gave me the impression that the specification wasn’t a serious one.

1 Like

What is AS/AP? Would that involve just updating Mastodon’s documentation to use that instead?

I was thinking an ActivityPub/ActivityStreams way could either be just a different URL or URN with a terminology that is more representative of familiar terms we use.

Or, alternatively, but that would be way beyond the scope of this topic… I have heard people mention that we should not rely on Webfinger and do something more conforming to AS/AP mechanics. Though I don’t know what they have in mind, as I haven’t seen that part of prior discussions.

1 Like

There are also often references to ostatus.org within the context header of ActivityPub posts. Those too should be changed, since referring to that domain no longer makes sense.

2 Likes

The thing is that the referenced property has now been extended in undocumented ways to follow content as well as actors. I’d vote to start fresh so we don’t have to keep explaining the complete history including the recent changes to every new fedi developer and also because I’m not certain you can even find the original specification outside archive.org.

2 Likes

Yeah it was pretty difficult to find the true specification site. I did a search on “ostatus spec” and was directed to the following site:

Is it correct?

There was a much more complete technical doc site at one time. That document is kind of a summary. For instance the subscribe link is only described by

The user's XRD document MAY have an additional link template with Rel equal to http://ostatus.org/schema/1.0/subscribe to indicate the endpoint to use for initiating a subscription on the user's subscription server. The template should take a single argument, uri, for the account to subscribe to.

Which is not really a specification but more just a high level description.

Hmm does anybody know where the official specification is then?

For what it’s worth, the existing OStatus-related properties and fields that are returned are considered legacy and simply have not been removed yet – they most likely will be removed in the future.

For WebFinger, what really matters is the self link, which points to the ActivityPub actor. Additionally, the http://webfinger.net/rel/profile-page points to the profile page, but this can be obtained from the url property on the AP actor, so it is just saving you one layer of indirection.

I have been told at some point that ostatus:conversation will be explicitly removed from Mastodon’s @context at some point, perhaps in favor of context (undecided yet). It’s certainly not used for anything anymore. Neither is ostatus:inReplyToAtomUri.

2 Likes
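
As an added example (not part of the thread and not Mastodon's code): a client can compare each WebFinger "rel" as an opaque string, take the "self" link as the ActivityPub actor, and report legacy ostatus.org relations without ever fetching the "rel" URI. The sample JRD, the account names, the https-only rule and the function names are assumptions made for illustration.

```python
import json
from urllib.parse import quote, urlsplit

# Constructed sample JRD, shaped like the Mastodon docs snippet quoted in the thread.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@social.example",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://social.example/@alice"},
        {"rel": "self", "type": "application/activity+json",
         "href": "https://social.example/users/alice"},
        {"rel": "http://ostatus.org/schema/1.0/subscribe",
         "template": "https://social.example/authorize_interaction?uri={uri}"},
    ],
})

AP_TYPES = {
    "application/activity+json",
    'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
}
LEGACY_REL_HOSTS = {"ostatus.org"}  # assumption: hosts this client reports as legacy


def _https(href):
    """Accept only https hrefs (an added policy choice, not from the thread)."""
    return href if isinstance(href, str) and urlsplit(href).scheme == "https" else None


def inspect_jrd(raw):
    """Return (actor_url, profile_url, legacy_rels) from a WebFinger JRD string.

    rel values are only compared as strings; nothing here dereferences them.
    """
    actor = profile = None
    legacy = []
    for link in json.loads(raw).get("links", []):
        rel = link.get("rel")
        if not isinstance(rel, str):
            continue  # malformed link entry
        if rel == "self" and link.get("type") in AP_TYPES:
            actor = _https(link.get("href"))
        elif rel == "http://webfinger.net/rel/profile-page":
            profile = _https(link.get("href"))
        elif (urlsplit(rel).hostname or "") in LEGACY_REL_HOSTS:
            legacy.append(rel)
    return actor, profile, legacy


def expand_subscribe(template, uri):
    """Fill the single {uri} argument of a subscribe template, percent-encoded."""
    return template.replace("{uri}", quote(uri, safe=""))
```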

Just wanted to make clear that “WebFinger” is NOT part of the ActivityPub specification.
It is used in Mastodon but has nothing to do with ActivityPub.
For ActivityPub a URL is fine. For several reasons.
WebFinger is imho very bad in general.