@mint Okay so, I've never looked that closely at how authorized fetch behaves, but I have one question, if anybody here is familiar with the behavior...
Originally, the big idea of shared inboxes was that, if you have Server A, Server B, and Server C, and a user on Server A has 1,000 followers on Server B, and 1,000 on Server C, then Server A is delivering to 2,000 people by making two /inbox requests.
My initial understanding of signed fetches is that now Server A is going to do *something* (the same thing?) to inform these other two servers that there's a status to fetch, and then Server B and Server C are now going to sign 1,000 requests each and make 1,000 HTTP requests that *have* to hit Server A's backend and cannot be cached, each?
@DutchBoomerMan @paula @kirby @PeachySummer
@mint how incredibly wasteful to provide zero actual security @DutchBoomerMan @paula @kirby @PeachySummer
@mint I've noticed a repeating pattern in the GitHub threads for these features (the current one is a flag allowing/disallowing quoting statuses), and it's basically "oh we know this can't be enforced, but once the feature's added to every software suite, we can seek out and punish instances that make the decision to bypass it"
and we're right back where we started with, anybody *worth* hiding something from isn't going to make a huge spectacle that they've gotten it anyway, they're just going to keep quiet and let you think you're a big winner