On 29.11.2017 20:16, Jonas Wielicki (XSF Editor) wrote:
This message constitutes notice of a Last Call for comments on
XEP-0363.
Title: HTTP File Upload
Abstract:
This specification defines a protocol to request permissions from
another entity to upload a file to a specific path on an HTTP server
and at the same time receive a URL from which that file can later be
downloaded again.
URL: https://xmpp.org/extensions/xep-0363.html
This Last Call begins today and shall end at the close of business on
2017-12-12.
Please consider the following questions during this Last Call and send
your feedback to the standards@xmpp.org discussion list:
1. Is this specification needed to fill gaps in the XMPP protocol
stack or to clarify an existing protocol?
I'm not quite sure about it. Alas it works.
2. Does the specification solve the problem stated in the introduction
and requirements?
That it does.
3. Do you plan to implement this specification in your code? If not,
why not?
Yes, because it works already.
4. Do you have any security concerns related to this specification?
Yes, I don't like the approach with wide open PUT limited by certain
high-level content constraints and (luckily) headers in the latest revision.
At least content hash (as in jingle) would be beneficial. Shall we say
slot path element (public one) should be content hash (and hence part of
request)?
That allows all 3 parties (sender, mediator, receiver) to verify somehow
validity of the content. Otherwise there's possibility of the content
injection.
5. Is the specification accurate and clearly written?
XMPP part yes. The rest is left to implementers.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
