
Search for annotations on any *.wikidot.com page returns all annotations for all *.wikidot.com pages

Open robertknight opened this issue 9 years ago • 2 comments

wikidot serves wikis at http://[wiki-name].wikidot.com URLs. A search for annotations on any of these URLs returns all annotations for 'http://*.wikidot.com' pages.

Example query:

  1. curl 'https://hypothes.is/api/search?uri=http%3A%2F%2Fsandbox.wikidot.com%2F'
  2. Output: https://gist.github.com/robertknight/d882aef2cc9dce4fb284

Note that those annotations are all from different http://[wiki-name].wikidot.com pages.

This is happening because every wikidot page has a <link rel="alternate" href="javascript:WIKIDOT.page.listeners.editClick()" type="application/wiki"> link in the <head>.

Reported in https://hypothesis.zendesk.com/inbox/tickets/118

robertknight avatar Feb 08 '16 11:02 robertknight

Ugh. Well, there are a handful of different things we should do here.

  1. First, because it will fix the issue, we should ignore things that don't look like reasonable URIs when computing equivalence. That would at least include ignoring javascript: scheme URIs, and possibly extend as far as only paying attention to a limited number of valid schemes.
  2. Then, optionally, we could add similar rules to the Annotator document plugin, so that we don't even try and submit such URLs, as well as in the API validation layer.

nickstenning avatar Feb 08 '16 15:02 nickstenning
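
The first suggestion above, as an added example that is not Hypothesis code and not part of this issue: a scheme allowlist applied before pages are grouped by shared URI. The allowlist contents, the function names, the union-find grouping used as a stand-in for equivalence, and every sample page other than the sandbox URL and the `javascript:` link quoted in the report are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist, not the project's actual configuration.
ALLOWED_SCHEMES = frozenset({"http", "https"})

EDIT_LINK = "javascript:WIKIDOT.page.listeners.editClick()"  # href quoted in the report

# Constructed sample: each page URL mapped to the URIs its <link> tags claim.
DOCUMENTS = {
    "http://sandbox.wikidot.com/": [EDIT_LINK],
    "http://example-wiki.wikidot.com/": [EDIT_LINK],
    "http://example.org/paper": ["https://example.org/paper.pdf"],
    "http://mirror.example.net/paper": ["https://example.org/paper.pdf"],
}


def is_equivalence_candidate(uri):
    """True if a claimed URI may take part in document equivalence."""
    try:
        parts = urlsplit(uri.strip())
    except ValueError:  # e.g. malformed bracketed host
        return False
    # Allowlisted scheme and a non-empty host; everything else is ignored.
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def equivalence_classes(documents, filter_uris=True):
    """Group pages that share at least one (optionally filtered) URI."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for page, links in documents.items():
        find(page)  # register the page even if all its links are dropped
        for uri in links:
            if filter_uris and not is_equivalence_candidate(uri):
                continue
            parent[find(uri)] = find(page)
    groups = {}
    for page in documents:
        groups.setdefault(find(page), set()).add(page)
    return sorted(groups.values(), key=sorted)
```

With `filter_uris=False` the two wikidot pages collapse into one class through the shared `javascript:` link, which is the behaviour reported here; with the filter on they stay separate while the two pages that share a real PDF URL still merge.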