I don't know why, but people started following those instructions for no
apparent reason and it ended up causing a bunch of federation issues or
homegrown cron script messes.

Maybe changing the name to "another" instead of "your" domain will make
people stop doing stuff randomly.

We should probably have a separate class for this, so we can more
easily combine different technologies similar to oEmbed/OpenGraph.

I think this solves much of the "third party conversation" issues, assuming involved parties
are using modern GNU social instances.

For some reason they were written to ->object, which is incorrect as
we use the objects[] array (which usually just holds one entry though)

Also move fancyurlfix into site-wide $config['fix']['fancyurls']

TODO: getByUri should make use of this directly I guess?

Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.

We say the email is private data, so reasonably we shouldn't reveal it
indirectly through a hash sum: http://xmlns.com/foaf/spec/#term_mbox_sha1sum

Also, the unselect rule for DELETE was useless anyway since it would
already have been filtered out by not having true.

(the => false stuff are for when you want ALL _except_ that)

Not that I think we could break out of the directory since
we use basename, but you never know... maybe there's a unicode
bug in PHP or something.