@tesaguri I actually think checking Content-Type is a good solution.
-
@tesaguri I actually think checking
Content-Typeis a good solution. Do you disagree with FEP's recommendations?Servers MUST validate all objects received from clients. Any activity representing an action that actor is not authorized to perform MUST be rejected. Special attention needs to be paid to media uploads, because malicious actors might attempt to bypass the validation by uploading ActivityPub documents as media. As an additional protection in cases where an attacker was able to bypass the validation, consumers MUST verify that the response to a GET request contains the Content-Type header with the
application/ld+json; profile="https://www.w3.org/ns/activitystreams"orapplication/activity+jsonmedia type (see GHSA-jhrq-qvrm-qr36 for more information).The blame is on the originating server. But we also have
Content-Typeverification as an additional protection. -
R ActivityRelay shared this topic
-
@tesaguri I actually think checking
Content-Typeis a good solution. Do you disagree with FEP's recommendations?Servers MUST validate all objects received from clients. Any activity representing an action that actor is not authorized to perform MUST be rejected. Special attention needs to be paid to media uploads, because malicious actors might attempt to bypass the validation by uploading ActivityPub documents as media. As an additional protection in cases where an attacker was able to bypass the validation, consumers MUST verify that the response to a GET request contains the Content-Type header with the
application/ld+json; profile="https://www.w3.org/ns/activitystreams"orapplication/activity+jsonmedia type (see GHSA-jhrq-qvrm-qr36 for more information).The blame is on the originating server. But we also have
Content-Typeverification as an additional protection.@silverpill @tesaguri I think you already had guidance that it is best practice to serve user generated content (i.e., files uploaded by users) on a non-activitypub enabled domain?
e.g., media.domain.example when domain.example is the AP server, as to prevent against these attacks?
