Just as whim has a block-list for sources, it should have an allow-list for targets.
If the allow list has no members, then it will happily store webmentions meant for any target -- just as it does now.
If the allow list has any members, then it will accept only webmentions whose targets match (for some definition of "match") at least one member of the list.
Two notes:
This needn't be in the database. The block-list is in the database because that way it can get JOINed into SQL queries, but that isn't a need here.
There's room to sneak in a bonus feature: Have the whim listener convert the allow-list into the contents of an Access-Control-Allow-Origin HTTP header. That is: if we can receive webmentions for these domains, then we can trust AJAXy requests from them as well. (And by extension, set that header to '*' if the list is empty.)
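An added sketch of both ideas, not whim's own code: it assumes "match" means an exact host-name match and that list members are bare host names, and every function name is hypothetical. Because Access-Control-Allow-Origin holds a single origin or '*' rather than a list, the header is chosen per request from the Origin header and sent with Vary: Origin.

```python
from urllib.parse import urlsplit


def _host(url):
    """Lower-cased host of an http(s) URL, or None if it cannot be trusted."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def _hosts(allow_list):
    # Assumption: allow-list members are bare host names such as "example.com".
    return {member.rstrip(".").lower() for member in allow_list}


def target_allowed(target, allow_list):
    """Empty list: accept any target. Otherwise the target's host must be listed."""
    if not allow_list:
        return True
    host = _host(target)
    return host is not None and host in _hosts(allow_list)


def cors_headers(request_origin, allow_list):
    """CORS response headers for one request, given its Origin header (or None)."""
    if not allow_list:
        return {"Access-Control-Allow-Origin": "*"}
    # The response now depends on Origin, so shared caches must key on it.
    headers = {"Vary": "Origin"}
    if request_origin and _host(request_origin) in _hosts(allow_list):
        # Echo the single matching origin; a list of origins is not valid here.
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


# Constructed sample allow-list for illustration.
SAMPLE_ALLOW_LIST = ["example.com", "blog.example.org"]

if __name__ == "__main__":
    for t in ("https://example.com/post/1", "https://example.com.evil.test/post"):
        print(t, target_allowed(t, SAMPLE_ALLOW_LIST))
    print(cors_headers("https://blog.example.org", SAMPLE_ALLOW_LIST))
```

Comparing parsed host names rather than substrings is what keeps look-alike targets such as `example.com.evil.test` or `example.com@evil.test` from matching.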