Conversation

Notices

1. Embed this notice
   Austin Huang ❤️ (austin@mstdn.party)'s status on Saturday, 30-Mar-2024 14:26:41 JST Austin Huang ❤️

   • Tokyo Outsider (337ppm)

   @tokyo_0 But how can the instance know if you're logged into another instance? Even without the issue of cross-site cookies, it can't possibly scan every domain... (Accessing a remote post inside your instance is a different matter, as that is similar to a proxy.) So it may be necessary to block web access entirely for everyone other than local users.

   • Embed this notice
     Austin Huang ❤️ (austin@mstdn.party)'s status on Saturday, 30-Mar-2024 14:34:18 JST Austin Huang ❤️

     • Tokyo Outsider (337ppm)

     @tokyo_0 Ah. Authorized Fetch requires instances to authenticate themselves to fetch posts through ActivityPub; it's irrelevant to browsers. If you want to test Authorized Fetch, the procedure is to craft a request to fetch a user's ActivityPub outbox with only the "Accept: application/activity+json" header.

   • Embed this notice
     Steven 🥖 (steven@zeroes.ca)'s status on Saturday, 30-Mar-2024 14:34:20 JST Steven 🥖

     • Tokyo Outsider (337ppm)

     @tokyo_0 I don't think authorized fetch and the public api are related at all.

   • Embed this notice
     Steven 🥖 (steven@zeroes.ca)'s status on Saturday, 30-Mar-2024 14:36:33 JST Steven 🥖

     in reply to

     • Tokyo Outsider (337ppm)

     @tokyo_0 You block both separately, but authorized fetch works over Activity Pub, not the API.

   • Embed this notice
     Austin Huang ❤️ (austin@mstdn.party)'s status on Saturday, 30-Mar-2024 14:42:17 JST Austin Huang ❤️

     • Tokyo Outsider (337ppm)

     @tokyo_0 You can use a RSS-Bridge instance to test it. Pick an instance from https://rss-bridge.github.io/rss-bridge/General/Public_Hosts.html , search for "ActivityPub", put in someone's handle, select "don't sign" in signature type, then see if it throws out a 401. If it does, then there is Authorized Fetch; otherwise it doesn't.