Allow to save annotations exclusively on documents that are hosted on whitelisted domain names

[renoirb]

Comment spam could be possible

Reproduce

1. Put a document online anywhere that loads the annotator and a few similar content from the spec we want to "canonicalize"
2. Add a canonical head element <link rel="canonical" href="http://www.w3.org/2014/annotation/experiment/webaudio.html" /> to a w3 spec
3. Add a <a href="mailto:public-audio-comments@w3.org" rel="reply-to">example</a>
4. Add an annotation on the new crafted document

Annotations from the spec AND the new document will have the same annotations.

See an example on renoirboulanger.com/readme.html which has the same canonical link element points to the webaudio spec annotation experiment document.

Proposed change

• Make the system that allows to save annotation checks if the annotation system has been loaded from a whitelisted domain name

  Solution paths

Would it be close to this part in annotator.document.js, method in Document.prototype

Whitelisted domains

• w3.org
• www.w3.org
• specs.webplatform.org
• specs.webplatformstaging.org
• docs.webplatform.org
• docs.webplatformstaging.org
• www.webplatform.org
• www.webplatformstaging.org
• w3c.github.io

  Code proposal

  /**
   * Get only host part of URL
   *
   * Big thanks to @lewdev and @mc. on Stack Overflow.
   *
   * http://stackoverflow.com/questions/8498592/extract-root-domain-name-from-string#answer-23945027
   * 
   * See also at https://github.com/webplatform/fxa-content-server/compare/webplatform:master...webplatform-customizations#diff-00cafeaa0bc410b936b905693f4f46faR39
   *
   * @param {String} urlString An URL
   */
  function originHostname(urlString) {
      var urlIsSupported = typeof URL === 'function';
      if (urlIsSupported) {
        return new URL(urlString).hostname;
      }
      return urlString.split('/')[2];
  }

  function isAcceptedOriginFromUrl(urlString) {
    var tests = [];
    tests.push(/^(specs\.|docs\.|www\.|)webplatform(|staging)\.org/);
    tests.push(/^(www\.|)w3\.org/);
    tests.push(/^w3c\.github\.io/);

    for (var i = 0 ; i < tests.length ; i++ ) {
      if ( tests[i].test( originHostname( urlString ) ) ) {
        return true;
      }
    }

    return false;
  }

Resources

• JSBin sample

[renoirb]

Hey all,

I wanted to know if we will take an action to this item or if we close this.

@tilgovi you said you started an answer on the question but we didn’t talked it through.

What is your opinion on this?

Thanks

[tilgovi]

We talked it through in IRC I thought and the decision was not to concern ourselves with this since to actually do it properly we need to fetch the document server-side and somehow validate the annotation, which is very hard. If it becomes a problem we should look at solutions, but maybe not now?