This week I've done a few additional experiments trying to use the Channel Messaging API with the idea of getting rid of the redirect flow when commenting on the web. In the end it didn't work. Apparently Safari is only able to give access to cross-origin cookies, but not other state like IndexedDB.

I then started hashing out ideas on how to implement cross-origin signing of comments by using key delegations. The main concern I have is that I don't want the additional keys start sprawling around with full power over the account, like the agent keys we currently use for hyper.media. I want session keys to be scoped for a particular target.

I haven't finished cross-origin signing, because brought up the fact that addressing comments is a pressing concern right now, which I agree with. Exposing comment URLs is surprisingly tricky, because we need to change the format of a comment blob a little bit, to include additional information.