On Thu Jan 22 22:45:48 2009, Joe Hildebrand wrote:
On Jan 21, 2009, at 2:31 PM, Remko Tronçon wrote:
Shouldn't it be specified how the 'value' field should be interpreted
for things like 'icon' etc.? Should this be limited to http URIs? I
guess it is with data forms, because you can only have one string as a
value child?
Yes, this should be specified.
XEP-0221? XEP-0231?
Shouldn't the security considerations mention something about fetching
the icons OOB? (i.e. exposing unwanted information about location
etc., potential malicious files, ...)
Yes. Particularly since there have been attacks against various
image libraries.
New XEP suggestion: server mediated BoB resolution.
(Client asks local [trusted] server, which fetches image, checks it, etc).
Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade