[Standards] 'from' address on roster push
stpeter at jabber.org
Wed Jun 27 17:50:28 CDT 2007
RFC 3921 saith:
A server MUST ignore any 'to' address on a roster "set", and MUST
treat any roster "set" as applying to the sender. For added safety,
a client SHOULD check the "from" address of a "roster push" (incoming
IQ of type "set" containing a roster item) to ensure that it is from
a trusted source; specifically, the stanza MUST either have no 'from'
attribute (i.e., implicitly from the server) or have a 'from'
attribute whose value matches the user's bare JID (of the form
<user at domain>) or full JID (of the form <user at domain/resource>);
otherwise, the client SHOULD ignore the "roster push".
I think it would be simpler to specify that the server MUST NOT include
a 'from' address on the roster push. The client would then need to
ignore the 'from' (not do all that checking).
So I propose the following text:
A server MUST ignore any 'to' address on a roster set, and MUST
treat any roster "set" as applying to the sender. A server MUST
NOT include a 'from' address on a roster push. If a roster push
includes a 'from' address then the client SHOULD ignore the stanza.
XMPP Standards Foundation
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/standards/attachments/20070627/3932e0b2/smime-0001.bin
More information about the Standards