[Standards] XHTML <img/> presence leak

Tijl Houtbeckers thoutbeckers at splendo.com
Sat Mar 3 18:31:32 UTC 2007


On Fri, 02 Mar 2007 11:54:49 +0100, Ian Paterson  
<ian.paterson at clientside.co.uk> wrote:

> Your presence would be leaked if someone sends you an XHTML <img/> for  
> which the URI points to an HTTP server that they control. If you are  
> online (or the moment you come online later) then your client will  
> request the image (perhaps just a single transparent pixel) when it  
> displays the message to you. The HTTP server simply reports the request  
> to the person who wants to discover your presence.
>
> I think a note about this would be a helpful addition to XEP-0071.  
> Perhaps clients should ask/warn their user before displaying such inline  
> images received from non-subscribers (probably including a "Don't ask me  
> again" checkbox).
>
> - Ian


The problem was known at the time XHTML was drafted, if I recall correctly; it even
led to a discussion of whether you should be able to send in-band data for
things like images inside the <message/> (e.g. by using something like this:
http://www.faqs.org/rfcs/rfc2397.html ) and whether that should be the
encouraged way due to security problems and other things. I guess all that
survived of that is the "Because of security concerns related to images,
an implementation MAY choose not to show images but instead show only the
'alt' text." line in the XEP. I guess that could be a little clearer
indeed.

regards,
Tijl Houtbeckers
