[Standards] 'from' address on roster push

Peter Saint-Andre stpeter at jabber.org
Wed Jun 27 17:50:28 CDT 2007


RFC 3921 saith:

   A server MUST ignore any 'to' address on a roster "set", and MUST
   treat any roster "set" as applying to the sender.  For added safety,
   a client SHOULD check the "from" address of a "roster push" (incoming
   IQ of type "set" containing a roster item) to ensure that it is from
   a trusted source; specifically, the stanza MUST either have no 'from'
   attribute (i.e., implicitly from the server) or have a 'from'
   attribute whose value matches the user's bare JID (of the form
   <user@domain>) or full JID (of the form <user@domain/resource>);
   otherwise, the client SHOULD ignore the "roster push".

I think it would be simpler to specify that the server MUST NOT include
a 'from' address on the roster push. The client would then need to
ignore the 'from' (not do all that checking).

So I propose the following text:

   A server MUST ignore any 'to' address on a roster set, and MUST
   treat any roster "set" as applying to the sender.  A server MUST
   NOT include a 'from' address on a roster push.  If a roster push
   includes a 'from' address then the client SHOULD ignore the stanza.

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
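
The two client-side rules discussed in this message, side by side, as an added example that is not part of the original post or of any XMPP implementation. The function names, JIDs and sample stanzas are constructed for illustration, and JIDs are compared as exact strings without stringprep normalisation.

```python
import xml.etree.ElementTree as ET

ROSTER_QUERY = "{jabber:iq:roster}query"

def is_roster_push(iq):
    """True for an IQ of type "set" that carries a roster query."""
    local_name = iq.tag.rsplit("}", 1)[-1]  # tolerate a jabber:client namespace
    return (local_name == "iq" and iq.get("type") == "set"
            and iq.find(ROSTER_QUERY) is not None)

def accept_rfc3921(iq, own_full_jid):
    """Current rule: no 'from', or 'from' equal to our bare or full JID."""
    sender = iq.get("from")
    if sender is None:
        return True  # implicitly from the server
    own_bare_jid = own_full_jid.split("/", 1)[0]
    # Assumption: exact match; a real client compares normalised JIDs.
    return sender in (own_bare_jid, own_full_jid)

def accept_proposed(iq):
    """Proposed rule: any 'from' attribute at all means ignore the push."""
    return iq.get("from") is None

def check(stanza_xml, own_full_jid):
    """Return (accepted under RFC 3921, accepted under the proposal).

    A stanza that is not a roster push is reported as (False, False).
    """
    iq = ET.fromstring(stanza_xml)
    if not is_roster_push(iq):
        return (False, False)
    return (accept_rfc3921(iq, own_full_jid), accept_proposed(iq))

# Constructed sample data (not taken from the post).
OWN_JID = "juliet@example.com/balcony"
PUSH = ('<iq {frm} type="set" id="p1"><query xmlns="jabber:iq:roster">'
        '<item jid="romeo@example.net" subscription="both"/></query></iq>')
SAMPLES = {
    "no from": PUSH.format(frm=""),
    "own bare JID": PUSH.format(frm='from="juliet@example.com"'),
    "own full JID": PUSH.format(frm='from="juliet@example.com/balcony"'),
    "other entity": PUSH.format(frm='from="mallory@example.net/x"'),
    "empty from": PUSH.format(frm='from=""'),
}

if __name__ == "__main__":
    for label, stanza in SAMPLES.items():
        print(f"{label:13} rfc3921/proposed accept = {check(stanza, OWN_JID)}")
```

The rules differ only for pushes carrying the user's own bare or full JID: RFC 3921 accepts them, while the proposed text has the client ignore them.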
