Loosen restrictions on bto and bcc to allow including them on POST to the inbox of the recipient

[evanp]

Currently, bto and bcc are required to be stripped from all delivery. It would be helpful for receiving servers to have some information about why the actor is receiving this activity; so including the bto or bcc property for that actor only would be helpful.

[evanp]

Separated out from #492 .

[evanp]

This is a normative change, and so would have to wait for a next version. I think it would be possible to consider this a backwards-compatible change, although some current AP recipients might reject incoming activities with bto or bcc as invalid. It would probably be useful to investigate this behaviour if this comes up in discussions of the next version.

[nightpool]

does anyone actually use bto and bcc? are there legitimate use-cases for them?

[ThisIsMissEm]

So it'd be something like:

Filter bto and bcc property values to actors that share the same inbox before delivery to each inbox

i.e., if I bto some actors like sally@app.social, sam@example.social, and jane@example.social and both sam and jane share an inbox (via sharedInbox) then the Activity that is sent to them would have bto of sam@example.social and jane@example.social but not sally@app.social, if each actor is using separate inboxes (not using sharedInbox) then they'd each receive bto with just their actor?