[Standards] LAST CALL: XEP-0363 (HTTP File Upload)

Ruslan N. Marchenko me at ruff.mobi
Tue Dec 12 21:49:51 UTC 2017


On 29.11.2017 20:16, Jonas Wielicki (XSF Editor) wrote:
> This message constitutes notice of a Last Call for comments on
> XEP-0363.
>
> Title: HTTP File Upload
> Abstract:
> This specification defines a protocol to request permissions from
> another entity to upload a file to a specific path on an HTTP server
> and at the same time receive a URL from which that file can later be
> downloaded again.
>
> URL: https://xmpp.org/extensions/xep-0363.html
>
> This Last Call begins today and shall end at the close of business on
> 2017-12-12.
>
> Please consider the following questions during this Last Call and send
> your feedback to the standards at xmpp.org discussion list:
>
> 1. Is this specification needed to fill gaps in the XMPP protocol
> stack or to clarify an existing protocol?
I'm not quite sure about it. Alas it works.
> 2. Does the specification solve the problem stated in the introduction
> and requirements?
That it does.
> 3. Do you plan to implement this specification in your code? If not,
> why not?
Yes, because it works already.
> 4. Do you have any security concerns related to this specification?
Yes, I don't like the approach with wide open PUT limited by certain 
high-level content constraints and (luckily) headers in the latest revision.
At least content hash (as in jingle) would be beneficial. Shall we say 
slot path element (public one) should be content hash (and hence part of 
request)?
That allows all 3 parties (sender, mediator, receiver) to verify somehow 
validity of the content. Otherwise there's possibility of the content 
injection.
> 5. Is the specification accurate and clearly written?
>
XMPP part yes. The rest is left to implementers.


More information about the Standards mailing list