FEP-2277 update: https://codeberg.org/fediverse/fep/pulls/708
- The Actor class now has the highest priority.
- Verification methods and public keys are treated as different classes.
This is needed because I discovered a way to bypass the same-owner check where an attacker creates an ambiguous object (e.g. a Note with an inbox property).
FEP-fe34 will be updated too; it will have a precise algorithm for determining the owner of an object.
FEP-fe34 update: https://codeberg.org/fediverse/fep/pulls/711
This is a follow-up to the FEP-2277 update. I added the algorithm for determining the owner of any object:
1. Run the duck typing algorithm specified in FEP-2277.
2. If the type is Link, return error.
3. If the type is neither Object nor Collection, and the object has an attributedTo property, return error.
4. If the type is Actor, return the value of the id property.
5. If the type is VerificationMethod, return the value of the controller property.
6. If the type is PublicKey, return the value of the owner property.
7. If the type is Activity, return the value of the actor property.
8. If the type is Object or Collection, return the value of the attributedTo property.
RE: https://mitra.social/objects/019a362e-7109-11ad-864a-495e4e42b12c
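The eight-step owner algorithm from the post, as an added example in Python (not code from FEP-fe34, FEP-2277, or Mitra). Steps 2 to 8 of `owner_of()` follow the list above verbatim; the property tests in `duck_type()` are an assumption modelled on the post's description of FEP-2277 (Actor checked first, verification methods and public keys as separate classes), and the sample objects, including the ambiguous Note with an `inbox`, are constructed for the demo.

```python
"""Determining the owner of an ActivityPub object.

Added example, not code from FEP-fe34, FEP-2277 or Mitra. owner_of()
follows steps 2-8 of the algorithm in the post; the property tests in
duck_type() are ASSUMPTIONS modelled on the post's description of the
FEP-2277 duck-typing step, not its normative text.
"""

from typing import Any


class OwnerError(ValueError):
    """Raised when an object has no unambiguous owner."""


def duck_type(obj: dict) -> str:
    """Classify an object by its properties, highest priority first.

    ASSUMPTION: which property selects which class is modelled on the
    post (Actor first; verification methods and public keys distinct).
    """
    if "inbox" in obj:            # Actor has the highest priority
        return "Actor"
    if "controller" in obj:       # Multikey-style verification method
        return "VerificationMethod"
    if "owner" in obj:            # legacy publicKey object (publicKeyPem + owner)
        return "PublicKey"
    if "actor" in obj:
        return "Activity"
    if "href" in obj:
        return "Link"
    if any(k in obj for k in ("items", "orderedItems", "totalItems", "first")):
        return "Collection"
    return "Object"


def _ref(value: Any) -> str:
    """Return the IRI a property points at.

    Accepts a plain string, an embedded object with a string id, or a
    single-element list of either. Multi-valued properties are rejected
    because they would make the owner ambiguous (assumption).
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and isinstance(value.get("id"), str):
        return value["id"]
    if isinstance(value, list) and len(value) == 1:
        return _ref(value[0])
    raise OwnerError(f"cannot resolve owner reference: {value!r}")


def _required(obj: dict, prop: str) -> str:
    if prop not in obj:
        raise OwnerError(f"missing {prop} property")
    return _ref(obj[prop])


def owner_of(obj: dict) -> str:
    """Steps 1-8 of the owner algorithm as listed in the post."""
    kind = duck_type(obj)                                   # step 1
    if kind == "Link":                                      # step 2
        raise OwnerError("links have no owner")
    if kind not in ("Object", "Collection") and "attributedTo" in obj:
        raise OwnerError(f"ambiguous object: {kind} with attributedTo")  # step 3
    if kind == "Actor":                                     # step 4
        return _required(obj, "id")
    if kind == "VerificationMethod":                        # step 5
        return _required(obj, "controller")
    if kind == "PublicKey":                                 # step 6
        return _required(obj, "owner")
    if kind == "Activity":                                  # step 7
        return _required(obj, "actor")
    return _required(obj, "attributedTo")                   # step 8


def same_owner(obj: dict, expected_owner: str) -> bool:
    """Same-owner check: true only if obj unambiguously belongs to expected_owner."""
    try:
        return owner_of(obj) == expected_owner
    except OwnerError:
        return False


# Constructed sample objects (not real fediverse data).
ALICE = "https://social.example/users/alice"
ATTACKER = "https://evil.example/users/mallory"

NOTE = {"id": f"{ALICE}/notes/1", "type": "Note", "attributedTo": ALICE}
ACTOR = {"id": ALICE, "type": "Person", "inbox": f"{ALICE}/inbox"}
CREATE = {"id": f"{ALICE}/activities/1", "type": "Create", "actor": ALICE, "object": NOTE}
MULTIKEY = {"id": f"{ALICE}#ed25519-key", "type": "Multikey",
            "controller": ALICE, "publicKeyMultibase": "z6MkConstructedPlaceholderKey"}
RSA_KEY = {"id": f"{ALICE}#main-key", "owner": ALICE,
           "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----"}

# The ambiguous object from the post: a "Note" attributed to Alice that also
# carries an inbox, so it duck-types as an Actor and step 3 rejects it.
AMBIGUOUS = {"id": f"{ATTACKER}/notes/7", "type": "Note",
             "attributedTo": ALICE, "inbox": f"{ATTACKER}/inbox"}

if __name__ == "__main__":
    for name, obj in [("note", NOTE), ("actor", ACTOR), ("create", CREATE),
                      ("multikey", MULTIKEY), ("rsa_key", RSA_KEY)]:
        print(f"{name:9} owner={owner_of(obj)}")
    print("ambiguous note passes same-owner check as Alice?", same_owner(AMBIGUOUS, ALICE))
```

Because the class is decided before any property is read, the spoofed `attributedTo` on the ambiguous Note is never consulted: the object is an Actor, and an Actor carrying `attributedTo` is rejected outright at step 3 rather than being owned by whatever it claims.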