[standards-jig] Version 0.5 of JEP-0045
richard at dobson-i.net
Tue Sep 24 09:04:35 UTC 2002
Ah, I get the point now.
So the sender sends:
<message to='jdev at conference.jabber.org/receiver'
The receiver receives:
<message from='jdev at conference.jabber.org/sender'
to='receiver at jabber.org/resource'
Which seems to be from the room, so the groupchat component, when bouncing the
message, should either
1) send back an error:
<message from='jdev at conference.jabber.org/receiver'
to='sender at jabber.org/resource' type='error'>
<error code='400'>Bad request</error>
</message>
The problem with the error is that, unless the sender specifies an id, the
sender/client will not necessarily know what action it relates to.
2) Or interpret it as a message to the room and just send it to all
participants instead of just the one.
3) Change it to type "chat" on the way through.
4) Ignore the message.
----- Original Message -----
From: "Peter Saint-Andre" <stpeter at jabber.org>
To: <standards-jig at jabber.org>
Sent: Tuesday, September 24, 2002 5:55 AM
Subject: Re: [standards-jig] Version 0.5 of JEP-0045
> On Mon, 23 Sep 2002, David Sutton wrote:
> > A room groupchat message takes the form:
> > <message from='jdev at conference.jabber.org/sender'
> > to='receiver at jabber.org' type='groupchat'><body>test</body></message>
> Actually there is a resource on the 'to' address, no? We need to
> differentiate between what the sending client sends and what the receiving
> client receives.
> The sender sends:
> <message to='jdev at conference.jabber.org'
> The receiver receives:
> <message from='jdev at conference.jabber.org/sender'
> to='receiver at jabber.org/resource'
> > If I send a message through the conference server to a user, and set the
> > type to be groupchat, then the client receives exactly the same message.
> > You just don't know if it was announced to the room, or whether it was
> > directed. This could make unsuspecting people start making comments in
> > response to messages they believed everyone in the room also saw. The
> > sender just turns around and says that they never sent anything, and the
> > room logs would prove that point.
> > It's an exploit in the sense of social engineering. It's easily stopped by
> > rejecting any messages received with type 'groupchat' and a resource in
> > the 'to' field.
> So the conferencing component would stop such messages when they are
> received by the component from the sender, right? I'd be fine with that.
> Would the messages be discarded or would they result in an error? I think
> discarding them is good enough.
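The check discussed in this thread, as an added example that is not code from the original posts or from any Jabber conferencing server: a minimal model of a groupchat component inspecting an inbound <message/> stanza and applying one of the four dispositions Richard lists when type='groupchat' is combined with a resource (an occupant nickname) in the 'to' address. The stanzas, JIDs, the `handle_inbound` function and the policy names are constructed for illustration; real JIDs use '@' where the archive shows ' at '.

```python
# Added example (not from the original thread): model of the groupchat
# component's decision for a directed 'groupchat' message. Policy names,
# the handle_inbound() function and the sample stanzas are constructed.
import xml.etree.ElementTree as ET


def split_jid(jid):
    """Split 'node@domain/resource' into (bare, resource); resource may be ''."""
    bare, _, resource = jid.partition("/")
    return bare, resource


def handle_inbound(stanza_xml, policy="error"):
    """Decide what the room component does with one inbound <message/>.

    Returns (action, stanza_or_None), where action is one of
    'broadcast', 'private', 'error' or 'drop'.

    For type='groupchat' addressed to a single occupant:
      policy='error'     -> option 1: bounce a type='error' stanza to the sender
      policy='broadcast' -> option 2: deliver to the whole room instead
      policy='chat'      -> option 3: rewrite the type to 'chat' (private message)
      policy='ignore'    -> option 4: silently discard
    """
    msg = ET.fromstring(stanza_xml)
    if msg.tag != "message":
        raise ValueError("not a <message/> stanza")
    to_bare, to_resource = split_jid(msg.get("to", ""))
    mtype = msg.get("type", "normal")

    # Ordinary room traffic: groupchat to the bare room JID is broadcast.
    if mtype == "groupchat" and not to_resource:
        return ("broadcast", msg)
    # Non-groupchat types addressed to an occupant are ordinary private messages.
    if mtype != "groupchat":
        return ("private", msg)

    # The suspicious shape: type='groupchat' but addressed to one occupant.
    # Delivered unchanged it would be indistinguishable from a room broadcast.
    if policy == "error":
        err = ET.Element("message", {"from": msg.get("to"), "to": msg.get("from"), "type": "error"})
        if msg.get("id"):
            err.set("id", msg.get("id"))  # echo the id so the client can match it
        e = ET.SubElement(err, "error", {"code": "400"})
        e.text = "Bad request"
        return ("error", err)
    if policy == "broadcast":
        msg.set("to", to_bare)
        return ("broadcast", msg)
    if policy == "chat":
        msg.set("type", "chat")
        return ("private", msg)
    if policy == "ignore":
        return ("drop", None)
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    # Constructed sample: the directed groupchat message from the thread.
    directed = ("<message from='sender@jabber.org/resource' "
                "to='jdev@conference.jabber.org/receiver' type='groupchat' id='m1'>"
                "<body>test</body></message>")
    for p in ("error", "broadcast", "chat", "ignore"):
        action, out = handle_inbound(directed, p)
        print(p, "->", action, ET.tostring(out).decode() if out is not None else None)
```

The bounce path copies the sender's id onto the error stanza, which addresses the drawback Richard notes for option 1: without an id the sending client cannot tell which of its messages was rejected.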