[Standards] LAST CALL: XEP-0224 (Attention)
Peter Saint-Andre
stpeter at stpeter.im
Wed Nov 12 15:32:28 CST 2008
Jehan wrote:
> Hi again,
>
> Jehan;4925 Wrote:
>> Hi,
>> 4. Maybe even from people authorized to send this kind of attention,
>> there should be some limit? Wouldn't it be an issue if some of my
>> contacts were sending me a hundred "attention" requests and if my screen
>> would keep shaking/vibrating/etc.?
>>
>
> Just to be clearer on this point. I saw it was considered in the
> "implementation notes" section (just to prevent remarks :p), but I am
> pointing it out as being a security concern rather than just an
> implementation choice.
> The same way it can be a problem to get attention from unknown people
> (it could be some kind of annoying attack, maybe not really harmful, but
> still annoying); even from people you "know", or have had at least some
> contact with, it can be annoying too if they overdo "attention" queries
> (and you don't always know perfectly people in your roster anyway). Hence
> if they are able to send you hundreds of attention requests which shock
> your display in a short lapse of time, I would consider this a security
> concern...
See my previous message with a revised security consideration.
> And one last point I forgot in my previous message. When it is said:
>> However, since some users might not want this feature to disturb them,
>> a client SHOULD allow the user to disable support.
>>
>
> For my part, a better advice is to have it disabled by default (then
> without advertising it at this point) and give the possibility to enable
> this support, not the opposite as proposed here. Many people may install
> an XMPP client without thinking about it and get disturbed when this
> happens the first time, especially if they don't know such a feature (I
> heard some stories of people thinking their computer had an issue for
> days, until someone told them it was MSN!). This kind of feature is not
> really "major", hence should be only explicitly enabled (like an extra
> feature when you know what you are doing).
That seems reasonable. How is this text?
"Because some users might not want this feature to disturb them, a
client MUST either (1) allow the user to disable support or (2) disable
the feature by default and process attention requests only if the user
has explicitly enabled support."
/psa
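
An added example, not part of this message or of XEP-0224: a client-side gate that follows option (2) of the proposed text (attention off until the user enables it) and also applies the per-sender limit raised earlier in the thread. The class name `AttentionGate`, the roster-only policy, and the limit of one alert per 60 seconds are assumptions chosen for illustration; the stanza is a constructed sample.

```python
import time
import xml.etree.ElementTree as ET

ATTENTION_NS = "urn:xmpp:attention:0"  # namespace defined by XEP-0224


class AttentionGate:
    """Decides whether an incoming attention request may alert the user."""

    def __init__(self, roster, enabled=False, max_alerts=1, window=60.0,
                 clock=time.monotonic):
        self.roster = {jid.lower() for jid in roster}
        self.enabled = enabled          # off until the user opts in
        self.max_alerts = max_alerts    # alerts allowed per sender per window
        self.window = window            # window length in seconds
        self.clock = clock
        self._shown = {}                # bare JID -> times an alert was shown

    def handle(self, stanza_xml):
        msg = ET.fromstring(stanza_xml)
        if msg.find(f"{{{ATTENTION_NS}}}attention") is None:
            return "not-attention"
        if not self.enabled:
            return "ignored-disabled"
        # Rate-limit on the bare JID so switching resources does not reset it.
        sender = msg.get("from", "").split("/", 1)[0].lower()
        if sender not in self.roster:
            return "ignored-unknown-sender"
        now = self.clock()
        recent = [t for t in self._shown.get(sender, []) if now - t < self.window]
        self._shown[sender] = recent
        if len(recent) >= self.max_alerts:
            return "suppressed-rate-limit"
        recent.append(now)
        return "alert"


def demo():
    """Replay one constructed stanza through the gate with a fake clock."""
    now = [0.0]
    gate = AttentionGate(roster={"friend@example.org"}, clock=lambda: now[0])
    stanza = ("<message from='friend@example.org/desk' type='headline'>"
              "<attention xmlns='urn:xmpp:attention:0'/></message>")
    results = [gate.handle(stanza)]      # feature still disabled
    gate.enabled = True                  # user explicitly enables support
    results.append(gate.handle(stanza))  # first request alerts
    results.append(gate.handle(stanza))  # repeat inside the window
    now[0] = 61.0
    results.append(gate.handle(stanza))  # window has expired
    return results
```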