From 1ac9625eea5a33544f2424bac6de6e94ffe0a4ad Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Mon, 5 May 2025 10:37:04 -0400
Subject: [PATCH] add same-authority check between fetched note and summary url

---
 packages/backend/src/server/web/UrlPreviewService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/backend/src/server/web/UrlPreviewService.ts b/packages/backend/src/server/web/UrlPreviewService.ts
index 4c40496305..15a4fc946f 100644
--- a/packages/backend/src/server/web/UrlPreviewService.ts
+++ b/packages/backend/src/server/web/UrlPreviewService.ts
@@ -297,7 +297,7 @@ export class UrlPreviewService {
 		// Finally, attempt a signed GET in case it's a direct link to an instance with authorized fetch.
 		const instanceActor = await this.systemAccountService.getInstanceActor();
 		const remoteObject = await this.apRequestService.signedGet(summary.url, instanceActor).catch(() => null);
-		if (remoteObject) {
+		if (remoteObject && this.apUtilityService.haveSameAuthority(remoteObject.id, summary.url)) {
 			summary.activityPub = remoteObject.id;
 			return;
 		}