Jonathan Schleifer wrote:
> On 13.10.2008 at 19:03, Peter Saint-Andre wrote:
>
>> So file bug reports with those client teams. The same goes for the other
>> points you bring up.
>
> That's not entirely solvable by bug reports. That suggestion for iq
> needs a new XEP for example.

So start writing. :P

> That thing with <iq from='attacker.com'…> is also not easy to fix, as
> servers rely on that for caching caps. Wildfire for example relies on that.

Hmm. Mostly I see that as the server's problem -- it can collect that information from its own users. If it comes across a hash that it can't gather locally, then you're right that it needs to figure out the supported features by pinging a user at "server2", presumably based on whether the user has a contact at server1.

But the user's client needs to be careful about replying to such requests -- if it comes from the server associated with a contact, then there's no real problem (because the contact's server already has access to the user's presence traffic anyway). But if the disco#info request comes from a server that is totally unknown to the user's client because the user has no contacts at that domain (e.g., "attacker.com"), then the user's client needs to return a service-unavailable error. IMHO this is clear from XEP-0030, but we can add some text about it to XEP-0115 if people think that would help.

Peter

--
Peter Saint-Andre
https://stpeter.im/
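
The client-side check described in the message above, as an added example that is not part of the original e-mail or of any client's code. The function names, the sample JIDs and the choice to also trust the user's own server are assumptions; the roster is assumed to hold the bare JIDs of contacts who receive the user's presence.

```python
import xml.etree.ElementTree as ET

CLIENT = "jabber:client"
DISCO_INFO = "http://jabber.org/protocol/disco#info"
STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"

def jid_domain(jid):
    """Domain part of a JID: cut the resource at the first '/', then the localpart."""
    bare = jid.split("/", 1)[0]  # resource first, so an '@' inside it cannot spoof a domain
    return bare.split("@", 1)[-1].lower()  # simplification: no IDNA/stringprep

def reply_to_disco_info(iq_xml, roster, own_jid, features):
    """Build the reply to an incoming disco#info get (hypothetical helper)."""
    iq = ET.fromstring(iq_xml)
    sender = iq.get("from", "")
    # Domains that already see our presence traffic: our contacts' servers,
    # plus our own server (the latter is an assumption of this sketch).
    known = {jid_domain(j) for j in roster} | {jid_domain(own_jid)}
    reply = ET.Element(f"{{{CLIENT}}}iq",
                       {"id": iq.get("id", ""), "to": sender, "from": own_jid})
    if jid_domain(sender) in known:
        reply.set("type", "result")
        query = ET.SubElement(reply, f"{{{DISCO_INFO}}}query")
        for var in features:
            ET.SubElement(query, f"{{{DISCO_INFO}}}feature", {"var": var})
    else:
        # Unknown domain: reveal nothing about supported features.
        reply.set("type", "error")
        error = ET.SubElement(reply, f"{{{CLIENT}}}error", {"type": "cancel"})
        ET.SubElement(error, f"{{{STANZAS}}}service-unavailable")
    return reply

# Constructed sample data, not taken from the thread.
ROSTER = {"romeo@server1.example"}
OWN_JID = "juliet@server2.example/balcony"
FEATURES = ["http://jabber.org/protocol/caps"]

def sample_iq(sender):
    return (f"<iq xmlns='{CLIENT}' type='get' id='d1' from='{sender}' to='{OWN_JID}'>"
            f"<query xmlns='{DISCO_INFO}'/></iq>")

if __name__ == "__main__":
    for sender in ("server1.example", "attacker.com"):
        reply = reply_to_disco_info(sample_iq(sender), ROSTER, OWN_JID, FEATURES)
        print(ET.tostring(reply).decode())
```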
