On 05/06/2008 4:33 PM, Gaston Dombiak wrote: > Hey Peter, > > XEP-4 defines a few field types. I think that we should create a new > field type for media objects so that clients could render it > appropriately.
I take that as a +1 for XEP-0221, not as a vote for defining a new field
type in XEP-0004. Or do I misunderstand you?
> I like the media element that you included in the data form. I think
> that servers may choose to include the image itself in the form field
> or provide a URI to get it.
Right, that's the idea.
> I think I would expect the completed form to include a reply to the
> media field. In this case it would include the CAPTCHA value. Another
> choice, would be to just use the media field as a read-only field and
> then have another text field where the user could enter his CAPTCHA
> value.
>
> Am I missing something here?
No, you're not. That is not clear enough in XEP-0158.
The flow is something like this (see Example 2 and Example 4).
<message from='victim.com'
to='[EMAIL PROTECTED]/zombie'
xml:lang='en'
id='F3A6292C'>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='form'>
[ ... ]
<field var='ocr'>
<media xmlns='xmlns='urn:xmpp:tmp:media-element'
height='80'
width='290'>
<uri type='image/jpeg'>
http://www.victim.com/challenges/ocr.jpeg?F3A6292C
</uri>
<data xmlns='urn:xmpp:tmp:data-element'
type='image/jpeg'> ** Base64 encoded image ** </data>
</media>
</field>
[ ... ]
</x>
</challenge>
</message>
Then the reply is like this:
<iq type='set'
from='[EMAIL PROTECTED]/zombie'
to='victim.com'
xml:lang='en'
id='F3A6292C'>
<challenge xmlns='urn:xmpp:tmp:challenge'>
<x xmlns='jabber:x:data' type='submit'>
[ ... ]
<field var='ocr'><value>7nHL3</value></field>
[ ... ]
</x>
</challenge>
</iq>
Now maybe this is a bit of a fudge. The "ocr" field in the challenge
form is implicitly of type "text-single" (since that is the default),
*but* it contains a media element. Now when the sender responds to the
challenge with a submitted form, he includes an "ocr" field that is of
type "text-single", but now it contains a <value/> element just like a
normal text-single field. So perhaps that is a bit sneaky, eh? What if
the submitted form includes media, too (e.g., audio recognition)? I
don't know if such a scenario is valid, but I see no reason to outlaw
media elements in submitted forms. And then how does the submitter know
if that's acceptable?
Hmm.
Peter
--
Peter Saint-Andre
https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
