[2020-05-06 18:51:48+0000] Yuri Volkov via SocialHub:
@lanodan @nightpool In order for us all to understand the case, let’s start with a usage scenario.
As I understand, we could start with this:
1. Client app is logged into Server1 as Actor1.
2. Client app receives Activity1 from Server1. Activity1 refers (inReplyTo) to Activity2 on Server2 by URL2 (id) of that Activity2.
3. Client app requests Activity2 object from its original URL2 without any authentication.
   4.1. If Activity2 is publicly accessible, Server2 responds with the activity's object.
   4.2. If Activity2 is NOT publicly accessible, Server2 responds with an HTTP 403 error?!
        4.2.1. Client app needs another way to get Activity2.
Are we talking about this?
Yes, exactly this, with also the thing that I don't think we should ever fetch from a foreign server, so (4.1) shouldn't be attempted (privacy concerns, but potentially security ones as well, because you could use that for essentially turning the network into an HTTP GET botnet, which we already quite have but with few limits).