[Standards] LAST CALL: XEP-0363 (HTTP File Upload)

Goffi goffi at goffi.org
Thu Jun 14 07:40:21 UTC 2018


I'm a developer of Salut à Toi and HTTP Upload is implemented there; here is
my feedback:

> 1. Is this specification needed to fill gaps in the XMPP protocol
> stack or to clarify an existing protocol?

Well it's hard to answer. I would say no because Jingle is already doing 
that in a better way.

On the other hand, HTTP libraries are more common than Jingle libraries,
making the implementation easier for HTTP upload.

In the end, I don't think it's really filling a gap, but its existence makes
sense in a way.

> 2. Does the specification solve the problem stated in the introduction
> and requirements?

The problem stated in the introduction is not true; it's absolutely possible to
use Jingle to send a file to multiple resources or to make it work offline,
we do it in SàT with a server-side component.

But HTTP Upload implementation is truly easy from a client dev perspective,
supposing we already have HTTP libraries + certificate checking facilities
in the programming language used (which is true most of the time). That's the
main interest of this XEP.

> 3. Do you plan to implement this specification in your code? If not,
> why not?

already implemented

> 4. Do you have any security concerns related to this specification?

My main concern is about file deletion. We have no way to know which files
are already uploaded, for how long and how to delete them.

I think this specification should return the expiration date of the file,
in the same way as it returns max-file-size in section 3 and example 4.

As for user requests for file deletion, this could probably be done in an
external XEP, but it's an important missing part from my point of view.

> 5. Is the specification accurate and clearly written?

Yes, the writing is good and the spec is well explained.

additional notes:

- there is no validation schema in section 11

- there is no short name

