From 6ab24de659a02797afef54fc0e401290081db536 Mon Sep 17 00:00:00 2001
From: Shlee <github@shl.ee>
Date: Mon, 2 Mar 2026 20:33:21 +1030
Subject: [PATCH] trustworthy_attribution - Bounce bad URIs (#37372)

---
 app/services/activitypub/fetch_remote_status_service.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/services/activitypub/fetch_remote_status_service.rb b/app/services/activitypub/fetch_remote_status_service.rb
index e08f82f7d9..4ef5a6571e 100644
--- a/app/services/activitypub/fetch_remote_status_service.rb
+++ b/app/services/activitypub/fetch_remote_status_service.rb
@@ -60,6 +60,7 @@ class ActivityPub::FetchRemoteStatusService < BaseService
 
   def trustworthy_attribution?(uri, attributed_to)
     return false if uri.nil? || attributed_to.nil?
+    return false if unsupported_uri_scheme?(uri) || unsupported_uri_scheme?(attributed_to)
 
     Addressable::URI.parse(uri).normalized_host.casecmp(Addressable::URI.parse(attributed_to).normalized_host).zero?
   end