I updated FEP-fe34 (origin-based security model):
https://codeberg.org/fediverse/fep/pulls/653
The "Authentication" section is fully rewritten. I moved requirements from the "Assumptions" section to sections describing related authentication methods.
Besides that, there is a major change in how embedded objects are treated. Previously, the same-origin policy was recommended. In the new version, embedded objects shouldn't be trusted except for 3 cases:
- The object of a Create activity.
- Embedded object identified by a fragment.
- Embedded anonymous object.
It is difficult for a server to guarantee the authenticity of an embedded object that was published using the C2S API. Such an object can be embedded somewhere deep in the object graph, and verifying embedded objects at all levels is not practical.
The previous recommendation was only appropriate for a network where servers don't implement the C2S API.
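
The three exceptions listed above, sketched as a receiver-side check (an added example, not code from the FEP or from this post). It assumes the top-level activity was already authenticated. It also assumes that a fragment ID must point into the enclosing document and that the object of a Create must share the activity's origin; the function names and the sample activity are hypothetical.

```python
from urllib.parse import urlsplit, urldefrag

def origin(url):
    """Web origin of a URL as a (scheme, host, port) tuple."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

def trust_reason(parent, prop, child, doc_id):
    """Name the listed case that lets an embedded object be trusted, else None."""
    child_id = child.get("id")
    if child_id is None:
        return "anonymous"
    base, fragment = urldefrag(child_id)
    # Assumption: a fragment ID counts only inside the document it points into.
    if fragment and base == doc_id:
        return "fragment"
    # Assumption: the object of a Create must share the activity's origin.
    if (parent.get("type") == "Create" and prop == "object" and parent.get("id")
            and origin(child_id) == origin(parent["id"])):
        return "create-object"
    return None

def audit(obj, doc_id=None, path="$", report=None):
    """Walk an already authenticated object; map each embedded object to a verdict."""
    report = {} if report is None else report
    own_id = obj.get("id")
    if own_id and not urldefrag(own_id).fragment:
        doc_id = own_id  # nearest enclosing object with a non-fragment ID
    for prop, value in obj.items():
        is_list = isinstance(value, list)
        for i, child in enumerate(value if is_list else [value]):
            if prop == "@context" or not isinstance(child, dict):
                continue
            where = f"{path}.{prop}" + (f"[{i}]" if is_list else "")
            reason = trust_reason(obj, prop, child, doc_id)
            report[where] = reason or "untrusted"
            if reason:  # untrusted objects are not descended into
                audit(child, doc_id, where, report)
    return report

# Constructed sample activity (hypothetical hosts).
SAMPLE = {
    "id": "https://social.example/activities/1", "type": "Create",
    "object": {"id": "https://social.example/notes/1", "type": "Note",
        "attachment": [{"type": "Image", "url": "https://social.example/img.png"}],
        "replies": {"id": "https://social.example/notes/1#replies", "type": "Collection"},
        "inReplyTo": {"id": "https://other.example/notes/9", "type": "Note"},
    },
}
```

An embedded object reported as `untrusted` would be fetched from its origin before use. A same-origin object embedded in an activity other than Create also comes out `untrusted`, which is where this differs from the earlier same-origin recommendation.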