Note Detail
silverpill@silverpill@mitra.social (2026-06-11 01:39:54)
I tried to implement the "standard" ActivityPub #C2S API in Mitra.
It's an interesting exercise, but I am not sure if I'll ever enable it by default. Permitting clients to publish arbitrary JSON is equivalent to allowing them to publish unsanitized HTML. This may be acceptable if you're an admin on a single-user instance, but it is a really stupid thing to do when there are multiple users.
Although it might be possible to validate activities using strict JSON schemas, that would require a lot of work. You may as well create your own API that will have none of those issues.
The FEP-ae97 API is also tricky to implement, but at least it offers a genuine advantage over regular REST APIs: nomadic identity. Also, its security is more straightforward because portable actors and objects are namespaced by DIDs.
---Replies---
Phantasm@phnt@fluffytail.org (2026-06-11 02:02:32)
@silverpill
>Although it might be possible to validate activities using strict JSON schemas, that would require a lot of work. You may as well create your own API that will have none of those issues.
This is how Pleroma does it. Posts made via C2S all go through the object validators like any other post. The problem is that, due to how some things are federated, an object validator made for validating incoming federation might not be sufficient for validating objects for outgoing federation, and some additional checks are needed. That is exactly how the different permission bypasses worked, which led to C2S being disabled by default. I don't think it's worth the added work and maintenance burden.
Also, have you implemented C2S Announces? ;)
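Both points in the thread, silverpill's that accepting arbitrary client JSON amounts to accepting unsanitized HTML, and Phantasm's that a validator written for incoming federation is not enough for the outbox, can be shown with an outbox-side check. This is an added example, not code from Mitra or Pleroma: the actor URL and the activity are constructed, and the key and tag allowlists are assumptions about what a server would accept from a client.

```python
import html
from html.parser import HTMLParser

# Strict allowlists (assumed): keys not listed, e.g. a client-chosen "id" or "published", are rejected.
ACTIVITY_KEYS = {"@context", "type", "actor", "object", "to", "cc"}
OBJECT_KEYS = {"type", "attributedTo", "content", "to", "cc", "inReplyTo"}
ALLOWED_TAGS = {"p", "br", "a"}

class ValidationError(ValueError):
    pass

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            safe = href.startswith(("http://", "https://"))  # javascript:/data: links lose their href
            self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow noopener">' if safe else "<a>")
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # any other tag (script, img, ...) is dropped entirely
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is always re-escaped

def sanitize_html(content):
    parser = _Sanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)

def validate_outbox_activity(activity, authenticated_actor):
    """Checks a C2S Create(Note) before it enters the outbox; returns a cleaned copy."""
    if not isinstance(activity, dict) or activity.get("type") != "Create":
        raise ValidationError("only a Create activity is accepted on this endpoint")
    if set(activity) - ACTIVITY_KEYS:
        raise ValidationError(f"unknown activity keys: {sorted(set(activity) - ACTIVITY_KEYS)}")
    obj = activity.get("object")
    if not isinstance(obj, dict) or obj.get("type") != "Note" or not isinstance(obj.get("content"), str):
        raise ValidationError("object must be an embedded Note with string content")
    if set(obj) - OBJECT_KEYS:
        raise ValidationError(f"unknown object keys: {sorted(set(obj) - OBJECT_KEYS)}")
    # Outgoing-only check: there is no HTTP signature to verify here, the login session is the source of truth.
    if activity.get("actor") != authenticated_actor or obj.get("attributedTo") != authenticated_actor:
        raise ValidationError("actor/attributedTo do not match the authenticated account")
    return dict(activity, object=dict(obj, content=sanitize_html(obj["content"])))
```

An incoming-federation validator would accept the same Create as long as the signature matched its actor; the actor-equals-session check is the extra rule the outbox needs.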