2020-11-19 UTC
# [Simon_Willison] Oh I think I've spotted a spec confusion: "The resulting profile URL MAY be different from the canonical profile URL as resolved by the client, but MUST be on the same domain." - that's a security issue, right? The problem is that the final JSON returned by the profile URL response https://indieauth.spec.indieweb.org/#profile-url-response could have anything in the "me" field - it's up to my client implementation to verify that the "me"