[Standards] XMPP Council Minutes 2018-06-20
sam at samwhited.com
Sun Jun 24 15:18:12 UTC 2018
On Sat, Jun 23, 2018, at 06:24, Tedd Sterr wrote:
> 3) Advance XEP-0363: HTTP File Upload
> Kev: [on-list] (without the agenda in advance, failed to look at this
> Sam: [on-list] (still nervous about the http headers stuff being too
> Daniel: +1
> Dave: [pending]
> Georg: [pending]
A few notes on the security section:
- I wonder if it's worth either specifying that content-type sniffing by the client is not allowed, or that the X-Content-Type-Options header is allowed on the server and should be respected by the client (the default on the web is to do sniffing unless it's turned off, but this is probably a good place where we can fix one of their mistakes and not allow sniffing by the server or client). Alternatively we can require that servers always send Content-Type, which seems reasonable.
- Maybe explicitly say what to do with executable content types
- We may want an overview of other common security headers that servers should set on files they serve in case of use by web clients (e.g. a Content-Security-Policy or Strict-Transport-Security). The specifics are probably out of scope, so this might just be mentioning that the file server may want to do other things not mentioned in this XEP and provide a link to the OWASP recommendations or MDN or somewhere.
Otherwise I'm still unsure about limiting what headers can be set and still think we need a generic way to do this. Lots of services include non-standard auth headers, for example.
That being said, I won't block for this and the security stuff can probably be tweaked later if it's actually necessary (except maybe the first one, but I leave that up to the author).
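To make the first three points above concrete, here is an added example of what a file server's GET response headers and a client's no-sniffing rule could look like. It is not code from this mail, from XEP-0363, or from any XMPP server; the specific header values, the set of types treated as "executable" (active) content, and the decision to serve those as attachments are this example's own assumptions, not anything the XEP mandates.

```python
"""Example response-header policy for an HTTP File Upload (XEP-0363) GET endpoint.

Added example, not code from the original mail or from any XEP-0363 implementation.
Every header value and the ACTIVE_TYPES set below are this example's assumptions.
"""
from __future__ import annotations

import mimetypes

# Types a browser would render or execute if the upload URL were opened directly.
# Treated here as "executable content" (assumption: this set is the example's choice).
ACTIVE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "text/javascript",
    "application/javascript",
    "application/ecmascript",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# Opaque binary: what both sides fall back to instead of guessing from the body.
FALLBACK_TYPE = "application/octet-stream"


def server_headers(filename: str, declared_type: str | None) -> dict[str, str]:
    """Headers the file server sets on every GET of an uploaded file.

    declared_type is the Content-Type recorded at PUT time (may be missing).
    The server always emits an explicit Content-Type, so a client never has to sniff.
    """
    ctype = (declared_type or "").split(";")[0].strip().lower()
    if "/" not in ctype:
        # No usable type from the uploader: derive one from the extension only,
        # never from the bytes, and fall back to an opaque type.
        guessed, _ = mimetypes.guess_type(filename)
        ctype = guessed or FALLBACK_TYPE
    headers = {
        "Content-Type": ctype,
        # Forbid browser content sniffing (the web default is to sniff).
        "X-Content-Type-Options": "nosniff",
        # Even if something active slips through, it may not run scripts or load
        # sub-resources; 'sandbox' also puts it in an opaque origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Strict-Transport-Security": "max-age=31536000",
        # Uploaded files are untrusted user content; do not leak where they are viewed.
        "Referrer-Policy": "no-referrer",
    }
    if ctype in ACTIVE_TYPES:
        # Executable/active content is offered as a download, not rendered in-origin.
        headers["Content-Disposition"] = "attachment"
    else:
        headers["Content-Disposition"] = "inline"
    return headers


def client_content_type(headers: dict[str, str]) -> str:
    """Client-side rule: trust only the declared Content-Type, never sniff the body.

    A missing or malformed Content-Type is treated as an opaque binary blob,
    which a chat client should show as a plain download rather than render.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if "/" not in ctype:
        return FALLBACK_TYPE
    return ctype


def client_may_render_inline(headers: dict[str, str]) -> bool:
    """Render in the client UI only if the type is declared and not active content."""
    ctype = client_content_type(headers)
    return ctype != FALLBACK_TYPE and ctype not in ACTIVE_TYPES


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for name, declared in [("photo.jpg", "image/jpeg"),
                           ("page.html", "text/html; charset=utf-8"),
                           ("blob.unknownext", None)]:
        hdrs = server_headers(name, declared)
        print(name, hdrs["Content-Type"], hdrs["Content-Disposition"],
              "inline-ok" if client_may_render_inline(hdrs) else "download-only")
```

The server side and the client side are deliberately independent: a client that only trusts the declared type degrades safely against a server that omits Content-Type, and a server that always sends nosniff plus an explicit type protects web clients that cannot be changed.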