Note to editor: Remove xep-file-metadata entity declared below and change all references from &xep-file-metadata; to respective &xepXXXX; to refeence file metadata element when moving to experimental.
-->
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY xep-file-metadata "<span class='ref'><linkurl='./file-metadata.html'>File metadata element (XEP-xxxx)</link></span><note>XEP-xxxx: File metadata element <<linkurl='./file-metadata.html'>https://xmpp.org/extensions/inbox/file-metadata.html</link>>.</note>" >
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>Stateless file sharing</title>
<abstract>This specification describes a protocol for stateless asynchronous file sharing with integrity and transport flexibility. It allows clients to provide a good interoperable user experience in combination with Carbons and MAM.</abstract>
<remark>Accepted by vote of Council on 2020-11-18.</remark>
</revision>
<revision>
<version>0.0.1</version>
<date>2020-11-10</date>
<initials>lmw</initials>
<remark><p>First draft.</p></remark>
</revision>
</header>
<section1topic='Introduction'anchor='intro'>
<p>
This is a reiteration on &xep0385; with some significant changes:
</p>
<ul>
<li>No focus on media, generic for every file type.</li>
<li>No mixed content, body is used for fallback only and not to transmit additional information.</li>
<li>Using &xep-file-metadata;.</li>
<li>Using XML for structured data instead of URIs when possible, adding further extensibility (like providing proper means of sharing encrypted files on http servers).</li>
<li>Not relying on underspecified usage of &xep0372;.</li>
</ul>
</section1>
<section1topic='Requirements'anchor='reqs'>
<ul>
<li>Do not require any server components for easier deployment</li>
<li>Should work and enable a good UX in multi-user chats like &xep0045; and &xep0369;</li>
<li>Should work great together with conversation synchronization protocols like &xep0280; and &xep0313;</li>
<li>Reuse existing protocols for the actual transport of the data, i.e. &xep0234; or &xep0363;</li>
<li>Guarantee file integrity</li>
<li>Enable aggresive caching</li>
<li>Provide users with metadata, e.g. file size, file type or thumbnail, to help them decide whether or not they want to load the file</li>
<li>Support referring to third party hosting services</li>
<li>Backwards compatibility with existing, widely-deployed protocols</li>
</ul>
</section1>
<section1topic='Use cases'anchor='usecases'>
<section2topic='Sharing a file'anchor='file-sharing'>
<p>
To share a file, a user sends a message stanza including <tt><file-sharing/></tt> to the inteded recipient contact or group.
The <tt><file-sharing/></tt> element includes a <tt><file/></tt> metadata element as described in &xep-file-metadata; as well as a <tt><sources/></tt> element.
The <tt><sources/></tt> element provides one or multiple sources that the receiving client may use to obtain the file.
</p>
<examplecaption='Sharing summit.jpg with juliet@shakespeare.lit'><![CDATA[
It is RECOMMENDED that the file metadata specifies name, media-type, size and one or multiple hash elements as described in &xep0300;.
The hash elements provide end-to-end file integrity and allow efficient caching and flexible retrieval methods.
</p>
<p>
The message MAY include a suitable fallback body.
The fallback body MUST NOT include any information that is not also represented in <tt><file-sharing/></tt>.
If the <tt><sources/></tt> element includes an <tt><url-data/></tt> element that can be represented as a single URL, adding a &xep0066; x-oob reference is RECOMMENDED for compatibility.
</p>
<examplecaption='Sharing summit.jpg with juliet@shakespeare.lit with fallback'><![CDATA[
<p>If the message has an empty body, it is RECOMMENDED to add a message processing hint, see &xep0334;, to indicate the message to be stored in message stores like &xep0313;.</p>
<examplecaption='Sharing summit.jpg with juliet@shakespeare.lit without fallback'><![CDATA[
<section2topic='Receiving a file'anchor='file-receive'>
<p>
On receive of a message including a <tt><file-sharing/></tt> element, the receiving entity SHOULD lookup in a local storage, whether the file with any of the proivded hashes has already been retrieved and is available.
In that case no transfer needs to be initated and the cached file can be used instead.
</p>
<p>
If the file is not available locally, the file can be obtained by one of the sources listed in the <tt><sources/></tt> element.
If further sources have been attached (as described in <linkurl="#attach-source">Attaching a source</link>), the receiving entity may also try to obtain the file from any of those.
</p>
<p>
When the source is an <tt><url-data/></tt> element as described in &xep0103;, the receiving entity MAY obtain the file by downloading it from the specified URL.
If the URL uses HTTP or HTTPS and additional HTTP request information as specified in &xep0104; is provided, the receiving entity SHOULD use such information when obtaining the file.
When sending and receiving files using <tt><url-data/></tt>, it is RECOMMENDED to prefer secure protocols (e.g. HTTPS, FTPS).
Please read <linkurl="#security">security considerations</link> when implementing support for insecure URLs.
</p>
<p>
When the source is a <tt><jingle-pub/></tt> element as described in &xep0358;, the receiving entity MAY obtain the file using the protocol described in &xep0358;.
If a <tt><hash/></tt> is provided, the receiving entity MAY obtain the file by requesting it as described in &xep0234;.
</p>
<p>
If sources of any other type are provided, clients MAY attempt to obtain the files from such sources.
The details of obtaining such file are out of scope of this document.
</p>
<p>
If the <tt><media-type/></tt> of the shared file is such that it can be displayed inline, the receiving entity MAY display the file inline.
If no <tt><media-type/></tt> is provided or the <tt><media-type/></tt> indicates that the file can not be displayed inline, i.e. when the media type is <tt>application/octet-stream</tt>, the receiving entity SHOULD NOT display the file inline and instead offer to download it or save it on the users file system.
</p>
</section2>
<section2topic='Attaching a source'anchor='attach-source'>
<pclass='box'>TODO: The following section relies on &xep0367;, however other methods to attach information to another message like the recently proposed &xep0422; might be suitable here as well. This is to be clarified before advancing to Draft.</p>
<p>
After a user shared a file using one entity and another entity in the conversation obtained it or found it in its local storage, that entity MAY announce that the file is now available with an additional source.
This increases availability of the file in case the sender goes offline before all the intended recipients were able to fetch the file. It also allows for peer-to-peer file distribution in group chats.
</p>
<p>
The entity MUST NOT announce itself as an additional source before verifying that <em>all</em> hashes provided match the hash of the file.
If no hashes are provided, the entity SHOULD NOT announce itself as an additional source.
</p>
<p>The attaching itself is performed by sending a message including a <tt><sources></tt> element with further sources using the protocol described in &xep0367;.</p>
<p>Depending on the lifetime of the newly attached source, it may be useful to add a message processing hint, see &xep0334;, to indicate the message to be stored in message stores like &xep0313;.</p>
<examplecaption='romeo@montague.lit/resource2 attaches itself as an additional source for the file'><![CDATA[
If a <tt><hash/></tt> using any supported algorithm is provided, the receiving client SHOULD verify that the <tt><hash/></tt> of the announced file matches the obained file before presenting it to the user.
If no <tt><hash/></tt> is provided or the <tt><hash/></tt> elements provided use unsupported algorithms, receiving clients MUST ignore any attached sources from other senders and only obtain the file from the sources announced by the original sender.
If no <tt><hash/></tt> is provided or the <tt><hash/></tt> elements provided use unsupported algorithms, receiving clients MUST ignore any sources that use unsecure protocols (e.g. HTTP without TLS).
</p>
<p>
For most methods of transferring a file proposed through the <tt><sources/></tt> element, obtaining files requires revealing private information like IP addresses to the sending user or third-parties.
Sources that do not require revealing private information to untrusted entities SHOULD be preferred by receiving entitites.
Receiving entities SHOULD ask users for confirmation before obtaining a file, if doing so would require revealing private information to untrusted entities.
If the protocol that is used when obtaining the file is not secure (e.g. HTTP without TLS), this SHOULD be considered as if the protocol reveals private information.
</p>
<p>
The security considerations of &xep-file-metadata; apply.