Test that an actor's URI can be on a different host than their @user@host handle

[jernst]

E.g. @[email protected] resolves to https://b.example.com/otheruser.

[steve-bate]

Possibly related...

https://www.rfc-editor.org/rfc/rfc7033

If the query target contains a "host" portion (Section 3.2.2 of RFC 3986), then the host to which the WebFinger query is issued SHOULD be the same as the "host" portion of the query target, unless the client receives instructions through some out-of-band mechanism to send the query to another host.

This is SHOULD and not a MUST. I haven't seen this enforced in a Fediverse context but a related test might highlight where it is validated (other than returning 404).

[jernst]

This appears to be a MUST requirement on the client: accept it, although the server is discouraged from doing so (SHOULD).

[steve-bate]

I interpreted “the host to which the WebFinger query is issued SHOULD …” as referring to the client since the server doesn’t issue queries. The server role seems to be related to possibly sending “out-of-band” instructions, whatever that means.

[steve-bate]

Or maybe the “out-of-band” means completely outside the scope of WebFinger (not even the WF server/resource)?

[jernst]

Use case case: fallback Webfinger, similar to what Mozilla did back in the day with Persona: if you can't find a webfinger endpoint, go to a globally well-known fallback endpoint which fills in before the real site implements things (if they ever well).