[Standards] XMPP Council Minutes 2018-06-20

Sam Whited sam at samwhited.com
Sun Jun 24 15:18:12 UTC 2018

On Sat, Jun 23, 2018, at 06:24, Tedd Sterr wrote:
> 3) Advance XEP-0363: HTTP File Upload
> Kev: [on-list] (without the agenda in advance, failed to look at this 
> again)
> Sam: [on-list] (still nervous about the http headers stuff being too 
> restrictive)
> Daniel: +1
> Dave: [pending]
> Georg: [pending]

A few notes on the security section:

- I wonder if it's worth either specifying that content-type sniffing by the client is not allowed, or that the X-Content-Type-Options header [1] is allowed on the server and should be respected by the client (the default on the web is to do sniffing unless it's turned off, but this is probably a good place where we can fix one of their mistakes and not allow sniffing by the server or client). Alternatively we can require that servers always send Content-Type, which seems reasonable.
- Maybe explicitly say what to do with executable content types
- We may want an overview of other common security headers that servers should set on files they serve in case of use by web clients (e.g. a Content-Security-Policy or Strict-Transport-Security). The specifics are probably out of scope, so this might just be mentioning that the file server may want to do other things not mentioned in this XEP and provide a link to the OWASP recommendations or MDN or somewhere.

Otherwise I'm still unsure about limiting what headers can be set and still think we need a generic way to do this. Lots of services include non-standard auth headers, for example.
That being said, I won't block for this and the security stuff can probably be tweaked later if it's actually necessary (except maybe the first one, but I leave that up to the author).

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
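An added illustration (not code from XEP-0363 or from this thread) of both sides of the first note above: a file server that always sends Content-Type with X-Content-Type-Options: nosniff and forces active or executable types to be downloaded rather than rendered, and a client that refuses to sniff when the type is missing. The type lists and the inline-display policy are this example's own assumptions, not the XEP's.

```python
import mimetypes
from typing import Dict, Optional, Tuple

# Constructed lists for this example; XEP-0363 does not enumerate them. Active types are
# rendered or scripted by browsers, executable types are run by the OS once saved.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "application/javascript", "text/javascript", "application/pdf"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable",
                    "application/vnd.microsoft.portable-executable", "application/x-sh"}
# Types a client may display inline without sniffing; anything else is saved to disk.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "image/webp",
               "audio/mpeg", "audio/ogg", "video/mp4", "text/plain"}


def _media_type(value: str) -> str:
    """'image/JPEG; charset=x' -> 'image/jpeg' (parameters dropped, case folded)."""
    return value.split(";")[0].strip().lower()


def download_headers(filename: str, declared_type: Optional[str], size: int) -> Dict[str, str]:
    """Server side: headers to attach when serving a file from an upload slot.

    Policy (this example's, not the XEP's): always send Content-Type so the client
    never has to guess, forbid sniffing, and force active/executable content to download."""
    ctype = declared_type or mimetypes.guess_type(filename)[0] or "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        "Content-Length": str(size),
        "X-Content-Type-Options": "nosniff",
        # Belt and braces for web clients that render the file anyway.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Strict-Transport-Security": "max-age=31536000",
    }
    if _media_type(ctype) in ACTIVE_TYPES | EXECUTABLE_TYPES:
        # Strip quotes and CR/LF so a user-chosen name cannot break the header.
        safe_name = "".join(c for c in filename if c not in '"\r\n')
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def client_decision(headers: Dict[str, str]) -> Tuple[str, bool]:
    """Client side: returns (media type, display inline?). Never sniffs: a response
    without Content-Type is rejected instead of being guessed from the bytes."""
    h = {k.lower(): v for k, v in headers.items()}
    if "content-type" not in h:
        raise ValueError("server omitted Content-Type; refusing to sniff the body")
    media = _media_type(h["content-type"])
    attached = "attachment" in h.get("content-disposition", "").lower()
    return media, (media in INLINE_SAFE and not attached)
```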
