[Standards] LAST CALL: XEP-0232 (Software Information)

Dave Cridland dave at cridland.net
Thu Jan 22 23:30:42 UTC 2009


On Thu Jan 22 22:45:48 2009, Joe Hildebrand wrote:
> 
> On Jan 21, 2009, at 2:31 PM, Remko Tronçon wrote:
> 
>> Shouldn't it be specified how the 'value' field should be interpreted
>> for things like 'icon' etc.? Should this be limited to http URIs? I
>> guess it is with data forms, because you can only have one string as a
>> value child?
> 
> Yes, this should be specified.
> 
> 
XEP-0221? XEP-0231?


>> Shouldn't the security considerations mention something about fetching
>> the icons OOB? (i.e. exposing unwanted information about location
>> etc., potential malicious files, ...)
> 
> Yes.  Particularly since there have been attacks against various image
> libraries.

New XEP suggestion: server mediated BoB resolution.

(Client asks local [trusted] server, which fetches image, checks it, etc).

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
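
An added example, not part of the message above or of any XEP: one way the "checks it" step of a server-mediated fetch could look, validating the URI scheme and the PNG header by hand so that no image library touches the bytes before they are vetted. The function names, the PNG-only policy and the size and dimension limits are assumptions for illustration, and the sample input is constructed.

```python
import struct
import zlib
from urllib.parse import urlsplit

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_BYTES = 64 * 1024   # assumed policy limit on the fetched body
MAX_DIM = 256           # assumed policy limit on icon width/height

def check_icon(url, body):
    """Return (accepted, reason) for an icon the server fetched for a client."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme not allowed"
    if len(body) > MAX_BYTES:
        return False, "too large"
    # Assumed policy: only PNG is accepted; anything else is refused unparsed.
    if not body.startswith(PNG_SIG):
        return False, "not a PNG"
    if len(body) < 33:  # signature (8) + length/type (8) + IHDR (13) + CRC (4)
        return False, "truncated header"
    length, ctype = struct.unpack(">I4s", body[8:16])
    if length != 13 or ctype != b"IHDR":
        return False, "bad IHDR"
    ihdr = body[16:29]
    (crc,) = struct.unpack(">I", body[29:33])
    if zlib.crc32(b"IHDR" + ihdr) != crc:
        return False, "bad IHDR CRC"
    width, height = struct.unpack(">II", ihdr[:8])
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
        return False, "dimensions out of range"
    return True, "ok"

def make_png_header(width, height):
    """Constructed sample input: PNG signature plus one IHDR chunk, no pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr))
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + crc

if __name__ == "__main__":
    samples = [
        ("https://example.org/icon.png", make_png_header(32, 32)),
        ("ftp://example.org/icon.png", make_png_header(32, 32)),
        ("https://example.org/icon.png", make_png_header(100000, 100000)),
        ("https://example.org/icon.gif", b"GIF89a" + b"\x00" * 40),
    ]
    for url, body in samples:
        print(url, check_icon(url, body))
```

Only the header is vetted here; a deployment would still decode the image in a sandboxed process before handing it on.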


