Comment by johnmaguire

Comment by johnmaguire 3 months ago

2 replies

View on Hacker News

I haven't dug into these, so apologies for the naive question, but for a multi-tenant service like WordPress.com, can you effectively limit which WordPress blogs can WebMention you? If the allowlist is formed on the domain, this seems limiting.

Perhaps more advanced URL regex can achieve more fine-grained control but I do still see advantages in pubkey auth (especially if people want to move their content.)

Still, I do find myself wishing for a lighterweight-than-ActivityPub middleground.

apitman 3 months ago

You're right, in default configurations ActivityPub definitely has an advantage here, since HTTPsigs are tied to users, not instances, which gives finer grained blocking. I'm not aware of anything like this for Webmention.

I suspect this is because WM is used far less than AP. It also grew out of a community (IndieWeb) where having your own domain is a core tenet.

I think something like Mastodon could work with WM though, since all URLs hang off of user URLs, so you could block by URL prefix, ie "block https://example.com/user1/*".

Reply View 0 replies
freosam 3 months ago

Webmention receivers can filter on whatever parts of a URL they want to. Maybe a WordPress implementation limits this to the domain? But as far as the spec goes, the receiver just gets a `source` parameter that's a URL. They can then decide to allow that (based on the domain, or any other characteristic they want) and at that point they check that URL to see if the document there contains the link that it's supposed to.

Reply View 0 replies