[standards-jig] Version 0.5 of JEP-0045
jabber at dsutton.legend.uk.com
Tue Sep 24 06:15:48 UTC 2002
On Mon, Sep 23, 2002 at 11:55:25PM -0500, Peter Saint-Andre wrote:
> On Mon, 23 Sep 2002, David Sutton wrote:
> > A room groupchat message takes the form:
> > <message from='jdev at conference.jabber.org/sender'
> > to='receiver at jabber.org' type='groupchat'><body>test</body></message>
> Actually there is a resource on the 'to' address, no? We need to
> differentiate between what the sending client sends and what the receiving
> client receives.
> The sender sends:
> <message to='jdev at conference.jabber.org'
> The receiver receives:
> <message from='jdev at conference.jabber.org/sender'
> to='receiver at jabber.org/resource'
True, a resource was missing. In essence, it's what the receiver receives
which is the key to the discussion, but the clarification helps. Thanks.
> > If I send a message through the conference server to a user, and set the
> > type to be groupchat, then the client receives exactly the same message.
> > You just don't know if it was announced to the room, or whether it was
> > directed. This could make unsuspecting people start making comments in
> > response to messages they believed everyone in the room also saw. The
> > sender just turns around and says that they never sent anything, and the
> > room logs would prove that point.
> > It's an exploit in the sense of social engineering. It's easily stopped by
> > rejecting any messages received with type 'groupchat' and a resource in
> > the 'to' field.
> So the conferencing component would stop such messages when they are
> received by the component from the sender, right? I'd be fine with that.
> Would the messages be discarded or would they result in an error? I think
> discarding them is good enough.
Personally, I'd go for error because just dropping could be misconceived
as packet loss, whereas we want the sender to know we are aware of their
actions. 400, Bad Request for instance.
Email: dsutton at legend.co.uk
Jabber: peregrine at legend.net.uk
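
The check proposed in this thread, sketched as an added example (not code from the original message or from any conferencing component): a stanza of type 'groupchat' whose 'to' address carries a resource is rejected with a 400 error rather than delivered. The function names, the sample addresses, and the `<error code='400'>` reply layout are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ERROR_CODE = "400"          # "Bad Request", as suggested in the thread
ERROR_TEXT = "Bad Request"


def has_resource(jid):
    """True when the JID carries a resource part (anything after the first '/')."""
    return "/" in jid


def filter_inbound(stanza_xml):
    """Check one stanza the component receives from a sender.

    Returns (accepted, reply_xml). reply_xml is None when the stanza is
    accepted, otherwise an error stanza addressed back to the sender.
    """
    msg = ET.fromstring(stanza_xml)
    if msg.tag != "message" or msg.get("type") != "groupchat":
        return True, None                  # the rule only covers groupchat messages
    to_jid = msg.get("to", "")
    if not has_resource(to_jid):
        return True, None                  # sent to the room itself: normal broadcast
    # groupchat aimed at a single occupant (room/nick): reject it, and answer
    # with an error so the sender cannot mistake the drop for packet loss.
    # Assumed reply layout: <message type='error'> carrying <error code='400'>.
    reply = ET.Element("message",
                       {"type": "error", "from": to_jid, "to": msg.get("from", "")})
    reply.extend(list(msg))                # echo the original payload
    err = ET.SubElement(reply, "error", {"code": ERROR_CODE})
    err.text = ERROR_TEXT
    return False, ET.tostring(reply, encoding="unicode")


# Constructed sample stanzas (addresses are made up for this example).
BROADCAST = ("<message from='alice@example.org/laptop' "
             "to='room@conference.example.org' type='groupchat'><body>test</body></message>")
DIRECTED = ("<message from='alice@example.org/laptop' "
            "to='room@conference.example.org/bob' type='groupchat'><body>test</body></message>")
PRIVATE = ("<message from='alice@example.org/laptop' "
           "to='room@conference.example.org/bob' type='chat'><body>hi</body></message>")

if __name__ == "__main__":
    for name, stanza in (("broadcast", BROADCAST), ("directed", DIRECTED), ("private", PRIVATE)):
        accepted, reply = filter_inbound(stanza)
        print(name, "accepted" if accepted else "rejected", reply or "")
```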