[Standards-JIG] JEP-0071: image security considerations

Peter Saint-Andre stpeter at jabber.org
Wed May 31 18:44:32 UTC 2006


JEP-0071 currently reads:

***

Because of security concerns related to images, an implementation MAY
choose not to show images but instead show only the 'alt' text.

***

In the jdev room just now, Robert Quattlebaum suggested the following:

***

I think that adding "MUST" for the ability to (at least) enable/disable
remote images would be a good thing. Ideally, you'd be able to
selectively view... But you should at least have the ability to avoid
such exploits altogether if necessary by turning it off.

***

I agree that it would be good if we say that implementations MUST let
the user disable images (e.g., via configuration option). So I would
suggest the following text:

***

Because of security concerns related to images, an implementation MAY
choose not to show images but instead show only the 'alt' text, and MUST
enable a human user to disable the showing of images.

***

Thoughts?

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
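
One way a client could honour the proposed "MUST enable a human user to disable the showing of images" rule, as an added example that is not part of the message above or of JEP-0071: when the user setting is off, every XHTML `<img/>` is replaced by its 'alt' text before rendering, so its 'src' never reaches the renderer. The names `render_body` and `show_images`, the bracket formatting and the sample markup are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
IMG = f"{{{XHTML_NS}}}img"

# Constructed sample body (not taken from the JEP).
SAMPLE = (
    '<body xmlns="http://www.w3.org/1999/xhtml"><p>Look: '
    '<img src="http://example.org/a.png" alt="constructed alt text"/>'
    ' and more</p></body>'
)


def render_body(xhtml_body: str, show_images: bool) -> str:
    """Return the markup to hand to the renderer.

    show_images models the user's configuration option (hypothetical name).
    When it is False, no <img/> element and no 'src' URL survives.
    """
    ET.register_namespace("", XHTML_NS)  # serialize without ns0: prefixes
    root = ET.fromstring(xhtml_body)
    if not show_images:
        _replace_images(root)
    return ET.tostring(root, encoding="unicode")


def _replace_images(parent: ET.Element) -> None:
    """Swap each <img/> under parent for '[alt]', keeping surrounding text."""
    prev = None  # last sibling kept so far; its tail receives the alt text
    for child in list(parent):
        if child.tag == IMG:
            # Missing 'alt' falls back to a generic label (assumption).
            text = "[" + child.get("alt", "image") + "]" + (child.tail or "")
            if prev is None:
                parent.text = (parent.text or "") + text
            else:
                prev.tail = (prev.tail or "") + text
            parent.remove(child)
        else:
            _replace_images(child)
            prev = child


if __name__ == "__main__":
    print(render_body(SAMPLE, show_images=False))
```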
