Comment on The two most upvoted comments on any Lemmy instance are on Feddit.dk, but you won't see them on your own instance

ShittyKopper@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago

Instead of sending the entire object embedded in the activity, the secure way would be to send only the URI instead. This is permitted by JSON-LD.

On the receiving side, if the object is untrusted (i.e. if it isn’t signed or if it’s from a separate authority from the parent object containing it) it should be thrown away and the id should be fetched from the remote instance directly. This is completely an oversight on Lemmy’s implementation and not a protocol problem.

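The receiving-side rule the comment describes, written out as an added example (this is not Lemmy's code nor anything from the thread): an inbound activity's embedded `object` is only used as-is when the request's signature verified and the object's `id` lives under the same authority as the signing `actor`; otherwise the embedded copy is discarded and the caller is told to fetch the `id` from its own origin. The function names, the `signature_verified` flag (assumed to come from HTTP-signature verification done earlier) and the sample activities are all constructed for the example.

```python
"""Decide whether an embedded ActivityPub object may be trusted.

Hypothetical helper, not Lemmy's implementation. The caller has already
verified (or failed to verify) the HTTP signature on the inbox request
and passes that result in as `signature_verified`.
"""
from urllib.parse import urlsplit


def authority(uri):
    """Return the authority (scheme + lowercased host) that controls `uri`,
    or None if it is not an absolute http(s) URI."""
    if not isinstance(uri, str):
        return None
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def plan_object_handling(activity, signature_verified):
    """Return one of:
      ("use",    uri, obj)  - embedded object is trusted, use it as-is
      ("fetch",  uri, None) - discard any embedded copy, GET `uri` from
                              its own origin instead
      ("reject", None, None) - activity is malformed, drop it
    """
    actor_auth = authority(activity.get("actor"))
    obj = activity.get("object")
    if actor_auth is None or obj is None:
        return ("reject", None, None)

    # The activity's own id (if present) must belong to the signing actor,
    # otherwise the "parent" itself is already inconsistent.
    activity_id = activity.get("id")
    if activity_id is not None and authority(activity_id) != actor_auth:
        return ("reject", None, None)

    if isinstance(obj, str):            # bare URI: JSON-LD allows this form
        uri, embedded = obj, None
    elif isinstance(obj, dict):         # embedded object
        uri, embedded = obj.get("id"), obj
    else:
        return ("reject", None, None)

    obj_auth = authority(uri)
    if obj_auth is None:                # no usable id: nothing to fetch
        return ("reject", None, None)
    if embedded is None:
        return ("fetch", uri, None)

    # Embedded copy is trusted only if it is signed AND same-authority.
    if signature_verified and obj_auth == actor_auth:
        return ("use", uri, embedded)
    return ("fetch", uri, None)         # untrusted: throw it away, re-fetch


def fetched_object_is_consistent(requested_uri, fetched):
    """After fetching `requested_uri`, the JSON the origin returns must carry
    that same id; a mismatch means the origin served something else."""
    return isinstance(fetched, dict) and fetched.get("id") == requested_uri


# Constructed sample activities (hostnames are placeholders).
SAMPLE_SAME_ORIGIN = {
    "id": "https://feddit.example/activities/announce/1",
    "type": "Announce",
    "actor": "https://feddit.example/c/news",
    "object": {"id": "https://feddit.example/comment/42", "type": "Note",
               "content": "hello"},
}
SAMPLE_CROSS_ORIGIN = {
    "id": "https://lemmy.example/activities/announce/7",
    "type": "Announce",
    "actor": "https://lemmy.example/c/news",
    "object": {"id": "https://feddit.example/comment/42", "type": "Note",
               "content": "tampered copy"},
}

if __name__ == "__main__":
    for act in (SAMPLE_SAME_ORIGIN, SAMPLE_CROSS_ORIGIN):
        print(plan_object_handling(act, signature_verified=True)[:2])
```

The cross-origin case is the one the comment is about: a foreign instance can relay a copy of someone else's object, but the copy carries no authority, so the receiver must fetch the canonical version from the id's own host and confirm the id matches before storing it.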