<![CDATA[Question re: Origin Based Security Model (FEP-fe34)]]>I received a security vulnerability report regarding NodeBB's handling of Update and Delete activities.

tl;dr

  • NodeBB implementes FEP fe34, and treats Update and Delete activities as valid if the activity's actor and the object's attributedTo differ but the origins are identical.
  • e.g. @alice@example.org is allowed to federate Delete(Note) on @bob@example.org's Note.
  • The origin-based security model allows for moderator-style actions (third-party post editing and deletions) in the absence of explicit moderator claims.
  • The reporter disagrees that this should be allowed.

Are they right?

I responded that FEP fe34 allows for this behaviour because we do not have ready access to an instance's admin or moderator list. By conducting same-origin checks and allowing Update and Delete through for same-origin (but different identifier), we allow for moderators to federate their actions across instances.

Their response:

> I respectfully disagree that FEP-fe34 permits this behavior. Below are direct quotes from the specification that contradict your assessment.
>
> 1. ActivityPub spec (quoted in FEP-fe34 Rationale, Section 7.3 Update Activity):
>
> ▎ "The receiving server MUST take care to be sure that the Update is authorized to modify its object. At minimum, this may be done by ensuring that the Update and its object are of same origin."
>
> Note: "at minimum" means same-origin is the floor, not the ceiling. Authorization must still be verified.
>2. FEP-fe34 — Authorization > Ownership:
>
> ▎ "The actor that creates an object MUST be its owner."
> ▎ "The owner of an object is permitted to modify and delete it."
> ▎ "Update and Delete activities, and objects indicated by their object property are expected to have the same owner."
>
> "Same owner" means the same specific actor — not any actor on the same domain.

I responded back with the following:

> "The actor that creates an object MUST be its owner."
>
>
> Correct, the creator must be an owner, no impersonation allowed.
>
>
> "The owner of an object is permitted to modify and delete it."
>
>
> A strict reading of this does not preclude the ability of a same-origin moderator to modify and delete the object. This is my argument.
>
>
> "Update and Delete activities, and objects indicated by their object property are expected to have the same owner."
>
>
> Again, "expected to" does not rise to the level of MUST.
>
> I agree out of principle that the security implications exist, but if you follow through with the exploit, it requires a non-compliant server to allow users to publish Update and Delete for other users on the same instance, and even then the exposure is limited to users of that origin only (e.g. your server cannot arbitrarily delete my posts). This is the foundation of the Origin-based security model.

So we are at an impasse as to whether my strict reading of the FEP is adherent to the spirit of the FEP itself. Here's where you come in... do you agree with me, or the reporter?

Directly tagging @silverpill@mitra.social (as FEP author), @trwnh@mastodon.social and @evan@cosocial.ca (both subject matter experts) for their thoughts.

]]>https://fedi.wiki/topic/8d6cbf70-b7e5-4a82-ace1-ebab35c0acc5/question-re-origin-based-security-model-fep-fe34RSS for NodeMon, 25 May 2026 01:50:56 GMTWed, 20 May 2026 18:58:36 GMT60<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Sun, 24 May 2026 09:44:35 GMT]]>@julian I've done a review on FEP-fe34 and here's a more nuanced answer.

The same-origin assumption is necessary for authentication, because it is not possible to not trust the server of origin.

But it is not necessary for authorization. It is desirable, because that makes authorization procedures aligned with authentication procedures. But we can shift the burden of permission checks to the recipient.

We might even have to do this, if we discover that servers accepting arbitrary payloads (C2S, FEP-ae97) can't reliably enforce the isolation of actors.

But for the time being, you can accept same-origin admin deletions.

]]>https://fedi.wiki/post/https://mitra.social/objects/019e595a-fe85-7080-98d6-27c11349235ehttps://fedi.wiki/post/https://mitra.social/objects/019e595a-fe85-7080-98d6-27c11349235eSun, 24 May 2026 09:44:35 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 18:17:25 GMT]]>@silverpill@mitra.social was not aware of d556. I'll make the swap, thanks.

]]>https://fedi.wiki/post/https://activitypub.space/post/1943https://fedi.wiki/post/https://activitypub.space/post/1943Fri, 22 May 2026 18:17:25 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 18:14:22 GMT]]>@julian @rimu Do you want specifically FEP-2677? Please consider using FEP-d556 instead, it is very similar to FEP-2677 but doesn't require NodeInfo. Also, it is FINAL.

]]>https://fedi.wiki/post/https://mitra.social/objects/019e50e5-41e9-70b1-9b60-cfbf51ce161bhttps://fedi.wiki/post/https://mitra.social/objects/019e50e5-41e9-70b1-9b60-cfbf51ce161bFri, 22 May 2026 18:14:22 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 14:53:35 GMT]]>> @nutomic@lemmy.ml said:
>
> but rejecting mod actions based on that could cause problems as I mentioned in my previous comment.

So to confirm then, you serve the moderator collection but you don't use it to determine whether an actor is able to modify/delete content on that instance, is that right?

Curious to know what those problems are.

]]>https://fedi.wiki/post/https://activitypub.space/post/1941https://fedi.wiki/post/https://activitypub.space/post/1941Fri, 22 May 2026 14:53:35 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 14:44:38 GMT]]>Sorry @julian and @nutomic@lemmy.ml if this has almost nothing to do with this, but I'd like to point out that Lemmy (perhaps Piefed as well, but I'm not sure) has a very interesting feature: a community moderator can also be a user of an instance other than the one where that community is physically located.
This isn't possible with NodeBB because the API call isn't considered valid.
This means that the Lemmy development staff has managed to develop a way to somehow federate content moderation.

]]>https://fedi.wiki/post/https://activitypub.space/post/1940https://fedi.wiki/post/https://activitypub.space/post/1940Fri, 22 May 2026 14:44:38 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 14:29:50 GMT]]>Yes exactly that FEP. Federating admin status would make sense for informational purposes, but rejecting mod actions based on that could cause problems as I mentioned in my previous comment.

]]>https://fedi.wiki/post/https://lemmy.ml/comment/25815344https://fedi.wiki/post/https://lemmy.ml/comment/25815344Fri, 22 May 2026 14:29:50 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 14:17:04 GMT]]>@julian @thisismissem @technical-discussion Note that a community's attributedTo doesn't work for anything outside of communities, but a moderator can be declared for any object.

Right now, attributedTo.inbox is the last option to send your moderation activities. There are probably more relevant options to try first. The work is to identify those options and make them consistently discoverable. See "Delegated control" here: https://github.com/swicg/activitypub-trust-and-safety/issues/24#issuecomment-4365331657

]]>https://fedi.wiki/post/https://mastodon.social/users/trwnh/statuses/116618652820359902https://fedi.wiki/post/https://mastodon.social/users/trwnh/statuses/116618652820359902Fri, 22 May 2026 14:17:04 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 14:14:34 GMT]]>Right, that's the "Group Moderation" section of FEP 1b12, right?

It may be a good idea to extend this concept to the instance/application actor as well. There's no urgent need to implement and consume, but it would be fairly simple thing to serve on our respective softwares I think.

]]>https://fedi.wiki/post/https://activitypub.space/post/1939https://fedi.wiki/post/https://activitypub.space/post/1939Fri, 22 May 2026 14:14:34 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 12:29:14 GMT]]>Looks like this, only IDs: https://github.com/LemmyNet/lemmy/blob/main/crates/apub/apub/assets/lemmy/collections/group_moderators.json

]]>https://fedi.wiki/post/https://lemmy.ml/comment/25813532https://fedi.wiki/post/https://lemmy.ml/comment/25813532Fri, 22 May 2026 12:29:14 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Fri, 22 May 2026 12:27:53 GMT]]>Lemmy doesnt even federate admin status in any way, instead we trust that actions which are coming from the same instance as the community or post are valid. So essentially origin-based security model.

]]>https://fedi.wiki/post/https://lemmy.ml/comment/25813515https://fedi.wiki/post/https://lemmy.ml/comment/25813515Fri, 22 May 2026 12:27:53 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 23:27:12 GMT]]>It's fine, I've already adjusted the code at my end. I don't know about Lemmy though.

]]>https://fedi.wiki/post/https://piefed.social/comment/11431681https://fedi.wiki/post/https://piefed.social/comment/11431681Thu, 21 May 2026 23:27:12 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 23:24:48 GMT]]>> @rimu@piefed.social said:
>
> I think NodeBB has an array of actor objects though

Is this causing problems for you? I can send just the IDs instead.

]]>https://fedi.wiki/post/https://activitypub.space/post/1938https://fedi.wiki/post/https://activitypub.space/post/1938Thu, 21 May 2026 23:24:48 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 23:00:19 GMT]]>That sounds fine to me.

On communities the moderators are just an array of strings which are the activitypub actor IDs of the mods. I think NodeBB has an array of actor objects though?

Anyway whatever it is, consistency with how the communities do it would be nice.

]]>https://fedi.wiki/post/https://piefed.social/comment/11431449https://fedi.wiki/post/https://piefed.social/comment/11431449Thu, 21 May 2026 23:00:19 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 22:57:48 GMT]]>> @rimu@piefed.social said:
>
> Getting a list of instance admins requires calling the Lemmy API, unfortunately.

Wait, why don't we write a mini FEP to extend this? attributedTo on the instance/application actor?

]]>https://fedi.wiki/post/https://activitypub.space/post/1936https://fedi.wiki/post/https://activitypub.space/post/1936Thu, 21 May 2026 22:57:48 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 22:41:56 GMT]]>Yes.

This is easy in FEP 1b12-land because each community has a list of moderators so receiving instances know who to allow.

Getting a list of instance admins requires calling the Lemmy API, unfortunately. So PieFed has a cron job that does that once per day for all instances. Admins rarely change.

]]>https://fedi.wiki/post/https://piefed.social/comment/11431248https://fedi.wiki/post/https://piefed.social/comment/11431248Thu, 21 May 2026 22:41:56 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 22:34:23 GMT]]>@nutomic@lemmy.ml @rimu@piefed.social @bent0_b0x@norden.social — do y'all send Delete activities with the moderator actor?

(Announce wrapping aside.)

]]>https://fedi.wiki/post/https://activitypub.space/post/1935https://fedi.wiki/post/https://activitypub.space/post/1935Thu, 21 May 2026 22:34:23 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 22:32:58 GMT]]>@thisismissem hmm, I believe Lemmy and Piefed send cross actor Deletes, but they might be Announces by the group actor.

They (and I) don't use moderatedBy but rather the group actor's attributedTo

Just want to make sure you're aware of that existing prior art.

]]>https://fedi.wiki/post/https://activitypub.space/post/1934https://fedi.wiki/post/https://activitypub.space/post/1934Thu, 21 May 2026 22:32:58 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 22:29:15 GMT]]>@Profpatsch @julian i've been doing some trust and safety TF work to explore/develop a bidirectional link between actors and moderators/hosts, yeah. mostly in the context of "where to send moderation related activities" (so you don't Flag a user to themselves if there's a better option), but also could be used for authorizing Update/Delete activities.

alternatively, the problem would not be there if service actors messaged each other for more explicit syndication...

]]>https://fedi.wiki/post/https://mastodon.social/users/trwnh/statuses/116614925899038497https://fedi.wiki/post/https://mastodon.social/users/trwnh/statuses/116614925899038497Thu, 21 May 2026 22:29:15 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 21:16:26 GMT]]>Well, yeah, that's why I linked what T&S is doing here to fix the moderator use case. At present I don't know of anyone sending cross-actor delete/update actions, so we'd be adding capability with the moderatedBy

]]>https://fedi.wiki/post/https://activitypub.space/post/1933https://fedi.wiki/post/https://activitypub.space/post/1933Thu, 21 May 2026 21:16:26 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 21:04:59 GMT]]>@thisismissem Yes, agreed. However in the absence of any widespread consensus on how exactly to do that, the current origin-based security model is all we've got.

Open to working on standardizing that though <img class="not-responsive emoji" src="https://activitypub.space/assets/plugins/nodebb-plugin-emoji/emoji/android/1f61b.png?v=f187f9278b7" title="😛" />

]]>https://fedi.wiki/post/https://activitypub.space/post/1932https://fedi.wiki/post/https://activitypub.space/post/1932Thu, 21 May 2026 21:04:59 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 21:02:05 GMT]]>@julian yeah, but the problem with the same-origin model is that you don't know who the moderator is. the actor https://social.example/joe shouldn't be able to delete https://social.example/steve's posts or issue updates. But if steve is moderatedBy https://social.example/mods, then a Delete or Update from https://social.example/mods for https://social.example/steve

So whilst you have same-origin, you actually also have same-actor and http-message-signatures indicated authenticated actor.

]]>https://fedi.wiki/post/https://activitypub.space/post/1931https://fedi.wiki/post/https://activitypub.space/post/1931Thu, 21 May 2026 21:02:05 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 19:56:49 GMT]]>@thisismissem isn't that the correct way to communicate this across the wire?

The moderator is deleting the post, not the author, so the moderator is the Delete's actor.

You could fake this by federating out an update or delete as though it came from the original author, which would be a most compatible way to do things, but it isn't necessarily right.

]]>https://fedi.wiki/post/https://activitypub.space/post/1926https://fedi.wiki/post/https://activitypub.space/post/1926Thu, 21 May 2026 19:56:49 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 19:18:39 GMT]]>> @julian said:
>
> A strict reading of this does not preclude the ability of a same-origin moderator to modify and delete the object. This is my argument.

I think I'd ask here is why is the Delete/Update coming from the moderator, instead of from the account that posted the thing, since that account is the owner of that thing?

Edit: For the moderation use case, I believe Moderation Actors will be the answer here.

]]>https://fedi.wiki/post/https://activitypub.space/post/1925https://fedi.wiki/post/https://activitypub.space/post/1925Thu, 21 May 2026 19:18:39 GMT<![CDATA[Reply to Question re: Origin Based Security Model (FEP-fe34) on Thu, 21 May 2026 18:36:38 GMT]]>@trwnh @julian I would be more comfortable with there being a way of the serving server explicitly saying "this actor is allowed to moderate"

]]>https://fedi.wiki/post/https://mastodon.xyz/users/Profpatsch/statuses/116614011188909720https://fedi.wiki/post/https://mastodon.xyz/users/Profpatsch/statuses/116614011188909720Thu, 21 May 2026 18:36:38 GMT