ActivityPub/Primer/Copying addresses between Activity and object

Section 6.2 of the ActivityPub spec states:

A mismatch between addressing of the Create activity and its object is likely to lead to confusion. As such, a server SHOULD copy any recipients of the Create activity to its object upon initial distribution, and likewise with copying recipients from the object to the wrapping Create activity.

If there are multiple objects in the Create activity (an unusual situation, see Activity Streams/Primer/Cardinality of properties) this can cause ambiguities.

Given this Create activity as an input:

{
 "type": "Create",
 "to": "example.com/baz",
 "object": [
   {
     "type": "Note",
     "to": "example.com/foo",
   },
   {
     "type": "Note",
     "to": "example.com/bar",
   }
 ]
}

Changing the order of copying could result in copying the addresses either only between each object and the activity:

{
 "type": "Create",
 "to": [
   "example.com/baz",
   "example.com/foo",
   "example.com/bar"
 ],
 "object": [
   {
     "type": "Note",
     "to": [
       "example.com/foo",
       "example.com/baz",
     ],
   },
   {
     "type": "Note",
     "to": [
       "example.com/bar",
       "example.com/baz",
     ]
   }
 ]
}

Or, if the addresses are copied from object to activity first, with this outcome:

{
 "type": "Create",
 "to": [
   "example.com/baz",
   "example.com/foo",
   "example.com/bar"
 ],
 "object": [
   {
     "type": "Note",
     "to": [
        "example.com/baz",
        "example.com/foo",
        "example.com/bar"
      ],
   },
   {
     "type": "Note",
     "to": [
        "example.com/baz",
        "example.com/bar",
        "example.com/foo"
     ],
   }
 ]
}

The best practice behaviour is to copy from activity to object first, and then the other direction. In this way, addresses do not "leak" between objects.

The downside to this strategy is that a client developer may have intended leakage between objects, resulting in a failure to deliver to all the intended addressees. However, the downside of leaking addresses is that private information may be shared with parties it was not intended to.

For clients, avoid using multiple objects in your activities, especially Create activities, and especially if they have different addressing. The chance of incorrect or unsafe behaviour on the part of servers is high.

For servers, if you receive multiple objects, use the strategy above, to limit negative outcomes.