p3x.deCross-origin Link headers
submitted by
julianevan@cosocial.ca question for you — is there any guidance in the spec about whether id and url for a given AP object needs to be same-origin?
js@podcastindex.social and I were recently discussing this in a related context (Link headers specifically, for HTTP discovery) and I wasn’t entirely sure whether this was a valid use-case.
@julian @js @trwnh Absolutely not! Same-origin is useful for some verification tasks but otherwise is completely orthogonal to ActivityPub.
@julian @js @trwnh there's a whole section on verification in the discovery report.
swicg.github.io/activitypub-ht
@julian @js @trwnh I think it's also important to note that having HTML Web pages, JSON API endpoints and rich media all on different domains is a pretty common mid-sized Web app deployment these days.