Add Security Considerations section #38
Comments
It's probably also worth adding an explicit "Safety Considerations", i.e., misattribution or misdirection (e.g., pretending one thing is the same as another when it's not)
There's a whole section on verification techniques. https://swicg.github.io/activitypub-html-discovery/#verification
@ThisIsMissEm Security considerations is a good idea. I wonder if most of the heavy lifting is already covered in the specifications that are referenced, and we'd just need to note that, and also note any problems specific to ActivityPub. There's a note about using https://swicg.github.io/activitypub-html-discovery/#a-element-failure I think the point about redirection is a great one. I'm not sure about the cross-domain issue for discovery -- what does that look like?
I think that it's also worthwhile to note, perhaps in a "Privacy Considerations" section, that not all authors want to be discovered, and that they should have opt-out configuration options.
Whilst reviewing the current draft, I noticed that there wasn't a security considerations section, despite discovery absolutely having security considerations.
One example I can think of is any sort of UGC site that allows using <a> in user content, and if this can be abused. Another might be cases of redirection exhaustion when resolving discovery links. There was a note about cross-domain, which could probably be highlighted in those considerations.