Hello,
- The main issue I see with this proposal is that the sender can send a fake preview for a malicious website, like sending a link to "evil.example.com" and the preview says "it's kitties pictures". I don't think that this can really be avoided, but a mention of that in the security considerations would be good. Maybe the receiving client should show a small warning about that?
I think that adding a warning is fine, but maybe it should be stressed that there is no perfect solution, and this is most likely the most reasonable tradeoff. Recipient-generated is a very bad idea, security- and legal-wise. Sender-generated is E2EE-compatible (I mean, once we have full stanza encryption I guess), fully in-band.
It is worth noting that one will find other more or less standard metadata elements in web pages, like Twitter Cards, microdata, JSON-LD, and probably others. I like that the text of the XEP does not say that link metadata does not necessarily have to map to Open Graph data in the linked page, and that generating such metadata is out of scope.
-- nicoco
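
The receiving-side warning discussed above, sketched as an added example that is not part of this message or of the XEP: the client fetches nothing, always shows the real link host, and flags previews that claim another site. The `url` and `title` keys are hypothetical names for whatever sender-supplied fields the client has parsed.

```python
import re
from urllib.parse import urlsplit

# Heuristic: something that looks like a host name inside free text.
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def host_of(url):
    """Return the lowercased host of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.lower().rstrip(".")


def assess_preview(link, preview):
    """Decide how to label a sender-supplied preview; no network access."""
    link_host = host_of(link)
    if link_host is None:
        return {"display_host": None, "mismatch": True,
                "warnings": ["link is not a usable http(s) URL"]}
    # Always present: the text cannot be verified by the recipient.
    warnings = ["preview was supplied by the sender and is unverified"]
    claimed = preview.get("url")  # hypothetical field: page URL claimed by sender
    if claimed is not None and host_of(claimed) != link_host:
        warnings.append("preview claims a different site than the link")
    for name in HOST_IN_TEXT.findall(preview.get("title", "")):
        if name.lower() != link_host:
            warnings.append("title mentions another host: " + name.lower())
    return {"display_host": link_host, "mismatch": len(warnings) > 1,
            "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: the case from the message above.
    print(assess_preview("https://evil.example.com/x",
                         {"title": "it's kitties pictures"}))
```

The constructed sample yields no mismatch, which is the point made in the message: a plausible fake title cannot be detected, so showing the real host next to the preview is the part that always applies.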