Each web page should provide the following content (using my site dannypsnl.me as an example) in
sender view [webmention-0001]
According to the Webmention spec, if someone wants to notify my site that a link mentions my post, she has to do the following:
- curl -I https://dannypsnl.me/xxx to get my webmention endpoint in the head
- post the data, where source is the link that refers to my post

    POST /webmention-endpoint HTTP/1.1
    Host: dannypsnl.me
    Content-Type: application/x-www-form-urlencoded

    source= target=https://dannypsnl.me/xxx
receiver view [webmention-0002]
Therefore, a receiver is a POST handler. According to the spec, we can
- return HTTP code 201 with Location in the header pointing to the status URL
- return HTTP code 202 and asynchronously perform the verification
- return HTTP code 200 and synchronously perform the verification (not recommended); by section 3.2.2, Webmention verification should be handled asynchronously to prevent DoS (Denial of Service) attacks.
Verification
- The receiver must check that source and target are valid URLs [URL] and are of schemes that are supported by the receiver. (Most commonly this means checking that the source and target schemes are http or https).
- The receiver must reject the request if the source URL is the same as the target URL.
- The receiver should check that target is a valid resource for which it can accept Webmentions. This check should happen synchronously to reject invalid Webmentions before more in-depth verification begins. What a "valid resource" means is up to the receiver. For example, some receivers may accept Webmentions for multiple domains, others may accept Webmentions for only the same domain the endpoint is on.
If the receiver is going to use the Webmention in some way, (displaying it as a comment on a post, incrementing a like counter, notifying the author of a post), then it must perform an HTTP GET request on source, following any HTTP redirects (and should limit the number of redirects it follows) to confirm that it actually mentions the target. The receiver should include an HTTP Accept header indicating its preference of content types that are acceptable.
Error response
If the Webmention was not successful because of something the sender did, it must return a 400 Bad Request status code and may include a description of the error in the response body.
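The checks above as an added example (not code from the original page or the spec): the cheap synchronous validation that decides between 400 and 202, and the link check the asynchronous worker runs on the body fetched from source. ACCEPTED_HOSTS, the function names and the sample HTML are assumptions made for illustration; the HTTP GET itself is left out so the block runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACCEPTED_HOSTS = {"dannypsnl.me"}   # assumption: receiver accepts only its own domain
ALLOWED_SCHEMES = {"http", "https"}

def _valid_url(url):
    if not isinstance(url, str):          # missing form field
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                    # e.g. malformed IPv6 literal
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)

def check_request(source, target):
    """Cheap synchronous checks done in the POST handler: (status, reason)."""
    if not (_valid_url(source) and _valid_url(target)):
        return 400, "source and target must be http(s) URLs"
    if source == target:
        return 400, "source must differ from target"
    if urlsplit(target).hostname not in ACCEPTED_HOSTS:
        return 400, "target is not a resource this receiver accepts"
    return 202, "accepted; link verification runs asynchronously"

class _LinkCollector(HTMLParser):
    """Collects href/src attribute values; commented-out markup is ignored."""
    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.add(value)

def source_mentions_target(source_html, target):
    """Run by the async worker on the body fetched from source (exact match)."""
    collector = _LinkCollector()
    collector.feed(source_html)
    collector.close()
    return target in collector.urls

# Constructed samples of a fetched source page, not real data.
SAMPLE_SOURCE_HTML = '<p>Nice post: <a href="https://dannypsnl.me/xxx">link</a></p>'
SAMPLE_COMMENTED_OUT = '<!-- <a href="https://dannypsnl.me/xxx">x</a> --><p>hi</p>'
```

A source page that only carries the target inside an HTML comment or as plain text is not counted as a mention, so the Webmention would be dropped after the 202.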
However, hosting a receiver can be annoying, so we should build on top of some existing tools.