the nip05 is failing validation
it seems that someone with access to nsa.gov is fucking with us
nostr:npub15869nfhd78frevqt6wqmeglkskzgh3sezpmeucdev0z0as0fqjvspq6qwk
and you see their responses to my notes?
Discussion
well nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr if i see yellow exclamation mark it means what?
i was running my own and it was only getting that result because of missing CORS headers permitting the app to integrate them as their non-XXS output
so if i see this shit it just means fail altogether?
also, it was purple check until a bit under a month ago, then suddenly flipped to yellow exclamation mark
this had me frantic for a week until i rewrote my reverse proxy to put the right cors headers in, and mine are now pristine, as you can see.
so i can't tell what it means and this account is obviously trolling me, wdyt?
I think it means it has failed validation in some way
you should not show NIP-05s at all if they fail validation unless it’s the user’s own profile to inform them
*get out the paddle for nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr *
I don't think hiding the nip05 info is a good idea. I'm not a fan of clients that hide info just because its incorrect.
noStrudel shows a bunch of different icons depending on how the nip05 failed
missing nip05 -> show nothing
failed to load ".well-known/nostr.json` due to CORS -> show orange warning
failed to load due to 404 -> show red question mark
failed to find nip05 in nostr.json -> show red question mark
found pubkey bud does not match -> show red danger icon
Added an explanation 
i knew it was the same error as mine, so the implication is that whoever they are has control of nsa.gov domain
no they don't have control over the domain. its just that noStrudel cant load the `/.well-known/nostr.json` so it cant verify if its invalid or correct
the note says "due to CORS error" not due to "could not find .well-known/nostr.json"
according to what you just said about how nostrudel shows it, it would be a red exclamation mark if they didn't have the file at the domain
https://www.nsa.gov/.well-known/nostr.json
it is a 404
CORS is a browser security thing that all browsers have nowadays. depending on the HTTP headers returned from the server it can prevent JavaScript from loading the resource.
So from noStrudels perspective it made a request to https://www.nsa.gov/.well-known/nostr.json and got nothing back. not event the status code
If you disable CORS in your browser then noStrudel is able to make the request and see that the status code is 404
This is why I added a "Request Proxy" option in the privacy settings, it acts as a fallback if the request failed due to CORS
as far I know its only possible to disable CORS in chrome using the " --disable-web-security --user-data-dir=$(mktemp -d)" command line arguments
so it should be assumed to be bogus altogether
not necessarily, there are a bunch of nip05s that are valid but noStrudel isn't able to check them due to CORS. other native clients like damus and amethyst can check them because they aren't restricted by the browser
i've put an issue up on the nips repo because i think that if it's required for web browsers it should say as much in the spec so that people deploying NIP-05 services are alerted to this issue
otherwise we are letting down web app users with the whole purpose of the thing being to impersonations and fraudulent user metadata
should add this issue to NIP-05 to point out that this feature does not work if the server hosting the content doesn't send CORS wildcard
in a way, it's correct to block JSON content this way, as it is literally javascript code