[Standards] Support for stickers (custom emojis)

Matthew Wild mwild1 at gmail.com
Thu Oct 17 16:22:15 UTC 2019


On Thu, 17 Oct 2019 at 16:17, Matthew Wild <mwild1 at gmail.com> wrote:
>
> On Thu, 17 Oct 2019 at 13:34, JC Brand <lists at opkode.com> wrote:
> >
> > On Thu, Oct 17, 2019 at 01:23:18PM +0200, Marvin W wrote:
> >
>
> > > - I already dislike the fact that we do HTTP requests to arbitrary servers
> > > for file transfers, as we might be leaking IP addresses in such cases.
> >
> > The file servers are usually not arbitrary but are hosted by your XMPP host.
>
> They are effectively arbitrary. When you upload you upload to your own
> host, right. But when you receive an jabber:x:oob stanza, the URL can
> be absolutely anything (HTML, 50GB JPEG, "pixel tracker").
>
> > > In the case of Converse, you are likely to get into GDPR issues when doing so
> > > without explicit user consent (and you don't want explicit user consent for
> > > every emoji).
> >
> > Why would you need user consent to show remote images?
>
> You are providing the user's IP address, user agent, etc. to a third
> party. IANAL and I'm not saying that I buy the GDPR argument in this
> case, but there *is* a case for privacy here.
>
> > Otherwise any website that has user accounts and which links to 3rd party
> > images would need user consent for each particular image.
>
> Reality check: Third-party assets (images, scripts, etc.) are exactly
> how the majority of tracking happens online today.
>
> > > There is a reason why many e-Mail-Clients don't render remote
> > > content in e-Mails...
> >
> > And that's not GDPR, right?
> >
> > AFAIK it's to avoid pixel tracking and IP address leakage.
>
> Right. There are other reasons too, including spam and many other
> categories of media (some illegal) that I don't want my device
> automatically downloading and displaying. And don't forget data usage.
>
> > > - BOB does not require the sender to provide the file referenced by the CID
> > > 0231 §2.1 says that you can send the IQ to request the bytes to "potentially
> > > some other entity". If you don't expect the sending client to provide the
> > > file, it doesn't need to cache all stickers and it doesn't need to be
> > > online.
> >
> > "some other entity" isn't terribly well defined. How do I (or the
> > recipient of my stickers) know what other entity to ask?
>
> It's part of the identifier, e.g.
> 'cid:sha1+8f35fef110ffc5df08d579a50083ff9308fb6242 at bob.xmpp.org'

Zash corrected me here. This is actually a fixed suffix and not a
location, despite the syntax. Something new every day!

That does leave your question unanswered, but not unanswerable.

Regards,
Matthew


More information about the Standards mailing list