not necessarily! the drawing server could be an AP C2S client, where you authorize from your actor on social.example and then go to drawing.example to generate a drawing. once you’re done, drawing.example does the following things:
- it saves/persists the image on its own domain, as
https://drawing.example/files/5CvE73Yib6... - it generates an AS2 Image on its own domain, as
https://drawing.example/FJIhGP8Jp7CMWTO5hrjIWandattributedToyou. - it lets you POST a Create for that Image to your outbox via the AP C2S API, to notify other actors that you created the drawing.
In this case, the image could have been generated as an AS2 resource on social.example instead (by omitting the id, the server running at social.example would generate one for you), but this shouldn’t be the only supported architecture. enforcing a strict same-origin check would prevent use cases where resources are hosted cross-origin.
tangential issues:
- C2S Create activity has unspecified behavior wrt assigning an ID to the inner object · Issue #438 · w3c/activitypub · GitHub
- CORS · Issue #463 · w3c/activitypub · GitHub
- Disambiguate usage of `attributedTo` · Issue #467 · w3c/activitypub · GitHub partially – in particular, having a follow-your-nose way to get from an object to its Create activity would be useful, to be able to quickly and efficiently verify the bidirectional claim.