[Standards] pubsub whitelists

Peter Saint-Andre stpeter at stpeter.im
Wed Aug 22 16:30:51 UTC 2007

Peter Millard originally thought of a pubsub whitelist as the list of
entities that are subscribed to a node. However, as Joe Hildebrand and
Matt Yacobucci just pointed out to me, that introduces a security hole
quite similar to <presence type='subscribed'/> -- that is, the node
owner can now add you to the subscriber list without your permission
(introducing all sorts of wonderful spam possibilities). Joe and Matt
pointed out that the whitelist is more properly a list of entities that
are allowed to subscribe (or retrieve items) if they want to, not the
list of subscribers. This could be managed via node configuration (e.g.,
a "pubsub#whitelist" node configuration option of type jid-multi). It
seems important to fix this before we publish version 1.10 of XEP-0060
so I will work on that here soon.


Peter Saint-Andre
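The distinction above, as an added example that is not part of the original post or of XEP-0060 itself: a toy pubsub node that parses the proposed "pubsub#whitelist" jid-multi field from an owner's node-configuration form and uses it purely as an access-control list, beside the flawed interpretation in which configuring the whitelist silently subscribes the listed JIDs. The field name follows the proposal in the post; the form layout (XEP-0004 data form), the JIDs, and the simplified JID normalisation are assumptions for this example.

```python
import xml.etree.ElementTree as ET

NS_X = "{jabber:x:data}"

# Constructed sample node-configuration form (XEP-0004 layout) carrying the
# "pubsub#whitelist" jid-multi field proposed in the post. Field name and
# JIDs are assumptions for this example, not protocol-mandated values.
CONFIG_FORM = """\
<x xmlns='jabber:x:data' type='submit'>
  <field var='FORM_TYPE' type='hidden'>
    <value>http://jabber.org/protocol/pubsub#node_config</value>
  </field>
  <field var='pubsub#access_model' type='list-single'>
    <value>whitelist</value>
  </field>
  <field var='pubsub#whitelist' type='jid-multi'>
    <value>hamlet@denmark.lit</value>
    <value>Francisco@Denmark.Lit/elsinore</value>
  </field>
</x>
"""


def bare_jid(jid):
    """Normalise a JID for comparison: drop the resource and lower-case the
    domain and localpart (simplified; full stringprep is out of scope)."""
    bare = jid.split("/", 1)[0]
    if "@" in bare:
        local, domain = bare.rsplit("@", 1)
        return f"{local.lower()}@{domain.lower()}"
    return bare.lower()


def parse_config(form_xml):
    """Return (access_model, whitelist) from a node-configuration form.
    A jid-multi field carries one <value/> element per JID."""
    root = ET.fromstring(form_xml)
    fields = {}
    for field in root.findall(f"{NS_X}field"):
        values = [v.text.strip() for v in field.findall(f"{NS_X}value") if v.text]
        fields[field.get("var")] = values
    model = fields.get("pubsub#access_model", ["open"])[0]
    whitelist = {bare_jid(j) for j in fields.get("pubsub#whitelist", [])}
    return model, whitelist


class Node:
    """Minimal pubsub node with the corrected semantics: the whitelist gates
    who MAY subscribe or retrieve items; a subscription exists only after
    the subscriber's own request."""

    def __init__(self, owner, form_xml):
        self.owner = bare_jid(owner)
        self.access_model, self.whitelist = parse_config(form_xml)
        self.subscribers = set()

    def configure(self, requester, form_xml):
        if bare_jid(requester) != self.owner:
            return "forbidden"
        self.access_model, self.whitelist = parse_config(form_xml)
        # Deliberately leaves self.subscribers alone: reconfiguring the
        # whitelist must never create a subscription.
        return "ok"

    def _allowed(self, jid):
        if self.access_model == "open":
            return True
        if self.access_model == "whitelist":
            return bare_jid(jid) in self.whitelist
        return False  # other access models are not modelled here

    def subscribe(self, requester):
        if not self._allowed(requester):
            return "not-authorized"
        self.subscribers.add(bare_jid(requester))
        return "subscribed"

    def retrieve_items(self, requester):
        return "ok" if self._allowed(requester) else "not-authorized"


def flawed_configure(node, requester, form_xml):
    """The interpretation the post warns against: the whitelist IS the
    subscriber list, so the owner's configuration change subscribes the
    listed JIDs without their consent (the spam hole)."""
    if bare_jid(requester) != node.owner:
        return "forbidden"
    node.access_model, node.whitelist = parse_config(form_xml)
    node.subscribers |= node.whitelist  # <- owner-driven subscription
    return "ok"


def demo():
    owner = "juliet@capulet.lit"
    good = Node(owner, CONFIG_FORM)
    bad = Node(owner, CONFIG_FORM)
    flawed_configure(bad, owner, CONFIG_FORM)
    return {
        # correct model: listed JIDs may subscribe, but nobody is subscribed yet
        "good_initial_subscribers": sorted(good.subscribers),
        "good_hamlet_subscribe": good.subscribe("hamlet@denmark.lit/pda"),
        "good_romeo_subscribe": good.subscribe("romeo@montague.lit"),
        "good_francisco_retrieve": good.retrieve_items("francisco@denmark.lit"),
        "good_romeo_retrieve": good.retrieve_items("romeo@montague.lit"),
        # flawed model: the owner pushed two subscriptions nobody asked for
        "bad_subscribers": sorted(bad.subscribers),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Comparing on normalised bare JIDs matters in practice: a whitelist entry written with a resource or mixed-case domain would otherwise fail to match the requesting full JID, and an unnormalised check could be bypassed or could lock out an intended subscriber.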
