Allow user-initiated object lookups (/ap/show endpoint) to follow cross-domain redirects (resolves #820)

Merged Hazelnoot requested to merge fEmber/Sharkey:hazelnoot/820-allow-lookup-redirect into develop
All threads resolved!

What does this MR do?

This loosens the restrictions in the /ap/show endpoint (used by the Lookup feature) to safely allow for cross-domain redirects, which improves compatibility with split-domain setups and software with separate user-facing and network-facing object URLs. The "alternate link" implementation in ApRequestService is also extended to support additional link formats, including the one used by Mastodon. This allows a user to directly copy/paste any URL from another instance into Sharkey's Lookup box, even if they're viewing a local copy of a remote note.

Caveat: Misskey-based instances do not produce cross-origin alternate links or redirects, which is likely a bug / oversight. This prevents cross-origin links from being copied from one Sharkey instance to another instance. (But it does work in reverse: copying from a non-Sharkey instance into Sharkey.)

Contribution Guidelines

By submitting this merge request, you agree to follow our Contribution Guidelines

  • I agree to follow this project's Contribution Guidelines
  • I have made sure to test this merge request
Edited by Hazelnoot
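
An added example (not part of this merge request and not Sharkey's code) of one safeguard a lookup can apply when it follows cross-domain redirects: after the last hop, the object's own `id` must be on the host that served it. The function names, the hop limit, the `.example` hosts and the response table are assumptions constructed for illustration.

```typescript
// Added illustration; not Sharkey's implementation. All hosts and responses are constructed.
type Hop = { status: number; location?: string; id?: string };

const MAX_REDIRECTS = 5; // assumed limit for this sketch

// Constructed stand-in for the network: URL -> response seen when fetching it.
const SAMPLE: Record<string, Hop> = {
  // Split-domain setup: user-facing URL redirects to the network-facing object.
  'https://web.example/notes/1': { status: 302, location: 'https://ap.example/objects/1' },
  'https://ap.example/objects/1': { status: 200, id: 'https://ap.example/objects/1' },
  // A host serving an object that claims to belong to another domain.
  'https://spoof.example/x': { status: 200, id: 'https://ap.example/objects/1' },
  // Redirect that downgrades to plain HTTP.
  'https://down.example/a': { status: 301, location: 'http://ap.example/objects/1' },
  // Redirect loop.
  'https://loop.example/a': { status: 302, location: '/a' },
};

// Follow redirects across domains, then require that the object's own `id`
// is on the host that finally served it, so a URL cannot vouch for
// an object attributed to a different domain.
function resolveLookup(start: string, responses: Record<string, Hop>): string {
  let url = new URL(start);
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (url.protocol !== 'https:') throw new Error(`refusing non-https URL ${url.href}`);
    const res = responses[url.href];
    if (!res) throw new Error(`no response for ${url.href}`);
    if (res.status >= 300 && res.status < 400 && res.location) {
      url = new URL(res.location, url.href); // relative Location resolves against the current URL
      continue;
    }
    if (res.status !== 200 || !res.id) throw new Error(`no object at ${url.href}`);
    if (new URL(res.id).host !== url.host) {
      throw new Error(`object id ${res.id} is not on ${url.host}`);
    }
    return res.id;
  }
  throw new Error('too many redirects');
}

// Returns the accepted object id, or 'rejected' when any check fails.
function check(start: string): string {
  try {
    return resolveLookup(start, SAMPLE);
  } catch {
    return 'rejected';
  }
}
```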

Activity

  • Hazelnoot changed title from Allow user-initiated object lookups (/ap/show endpoint) to follow cross-domain redirects to Allow user-initiated object lookups (/ap/show endpoint) to follow cross-domain redirects (resolves #820)

  • Hazelnoot changed the description

  • dakkar approved this merge request

  • Hazelnoot added 21 commits

    • 2d66adc8...8a087e75 - 16 commits from branch TransFem-org:develop
    • 9a7a9e34 - loosen parameter types for getApId and getNullableApId
    • 88dd36ce - narrow return type for signedGet
    • 788dc69d - use leaky bucket rate limit for ap/show
    • d831c168 - support Mastodon's version of "alternate links"
    • b92591e2 - allow ap/show to follow cross-domain redirects

    • Resolved by Hazelnoot

      uh, possible problem: the feature I wrote that turns previews into quotes in the frontend uses ap/show

      and that is not really user-initiated

      do we care? it means I can send you a note, containing a link to a URL I control, which can then… inject another note into your database? I don't think relaxing the domain restrictions makes anything possible that wasn't, or even easier…

  • Hazelnoot resolved all threads

  • Hazelnoot enabled an automatic merge when all merge checks for b92591e2 pass

  • Marie approved this merge request

  • merged

  • Hazelnoot mentioned in commit 2f84d151
