From 6ea48be84abdab66301a957c27dd5d84886dfb36 Mon Sep 17 00:00:00 2001
From: Julia Johannesen <julia@insertdomain.name>
Date: Sun, 22 Sep 2024 17:13:24 -0400
Subject: [PATCH] Only accept HTML `<link rel="alternate">` on success

---
 packages/backend/src/core/activitypub/ApRequestService.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/backend/src/core/activitypub/ApRequestService.ts b/packages/backend/src/core/activitypub/ApRequestService.ts
index 63871b38f9..ec06b4d9c1 100644
--- a/packages/backend/src/core/activitypub/ApRequestService.ts
+++ b/packages/backend/src/core/activitypub/ApRequestService.ts
@@ -207,7 +207,12 @@ export class ApRequestService {
 		//#region リクエスト先がhtmlかつactivity+jsonへのalternate linkタグがあるとき
 		const contentType = res.headers.get('content-type');
 
-		if ((contentType ?? '').split(';')[0].trimEnd().toLowerCase() === 'text/html' && _followAlternate === true) {
+		if (
+			res.status >= 200
+			&& res.status <= 299
+			&& (contentType ?? '').split(';')[0].trimEnd().toLowerCase() === 'text/html'
+			&& _followAlternate === true
+		) {
 			const html = await res.text();
 			const window = new Window({
 				settings: {