Hello,
- the main issue I see with this proposal is that the sender can send a
fake preview for a malicious website, like sending a link to
"evil.example.com" and the preview says "it's kitties pictures". I don't
think that this can really be avoided, but a mention of that in security
considerations would be good. Maybe the receiving client should show a
small warning about that?
I think that adding a warning is fine, but maybe it should be stressed
that there is no perfect solution, and this is most likely the most
reasonable tradeoff. Recipient-generated is a very bad idea, security
and legally-wise. Sender-generated is E2EE compatible (I mean, once we
have full stanza encryption I guess), fully in-band.
It is worth noting that one will find other more or less standard
metadata elements in web pages, like Twitter Cards, microdata, JSON-LD,
and probably others. I like that the text of the XEP does not say that
link metadata does not necessarily have to map to Open Graph data in the
linked page, and that generating such metadata is out of scope.
-- nicoco