Browse Source

HTTP Upload: improved wording in security section + reference rfc 3986

Daniel Gultsch 1 year ago
parent
commit
987f237c47
1 changed files with 19 additions and 8 deletions
  1. 19
    8
      xep-0363.xml

+ 19
- 8
xep-0363.xml View File

@@ -29,6 +29,17 @@
29 29
     <email>daniel@gultsch.de</email>
30 30
     <jid>daniel@gultsch.de</jid>
31 31
   </author>
32
+  <revision>
33
+    <version>0.6.0</version>
34
+    <date>2018-04-21</date>
35
+    <initials>dg</initials>
36
+    <remark>
37
+      <ul>
38
+        <li>Handling of non ASCII characters in URL</li>
39
+        <li>Removed normative language from first paragraph of the security considerations.</li>
40
+      </ul>
41
+    </remark>
42
+  </revision>
32 43
   <revision>
33 44
     <version>0.5.0</version>
34 45
     <date>2018-02-15</date>
@@ -193,11 +204,11 @@
193 204
     to='upload.montague.tld'
194 205
     type='get'>
195 206
   <request xmlns='urn:xmpp:http:upload:0'
196
-    filename='my-juliet.jpg'
207
+    filename='très cool.jpg'
197 208
     size='23456'
198 209
     content-type='image/jpeg' />
199 210
 </iq>]]></example>
200
-  <p>The upload service responds with both a PUT and a GET URL wrapped by a &lt;slot&gt; element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;).</p>
211
+  <p>The upload service responds with both a PUT and a GET URL wrapped by a &lt;slot&gt; element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;). Both HTTPS URLs MUST adhere to &rfc3986;. Non ASCII characters MUST be percent-encoded.</p>
201 212
   <p>The &lt;put&gt; element MAY also contain a number of &lt;header&gt; elements which correspond to HTTP header fields. Each &lt;header&gt; element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request.</p>
202 213
   <example caption='The upload service responds with a slot'><![CDATA[
203 214
 <iq from='upload.montague.tld'
@@ -205,11 +216,11 @@
205 216
     to='romeo@montague.tld/garden'
206 217
     type='result'>
207 218
   <slot xmlns='urn:xmpp:http:upload:0'>
208
-    <put url='https://upload.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/my-juliet.jpg'>
219
+    <put url='https://upload.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/tr%C3%A8s%20cool.jpg'>
209 220
       <header name='Authorization'>Basic Base64String==</header>
210 221
       <header name='Cookie'>foo=bar; user=romeo</header>
211 222
     </put>
212
-    <get url='https://download.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/my-juliet.jpg' />
223
+    <get url='https://download.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/tr%C3%A8s%20cool.jpg' />
213 224
   </slot>
214 225
 </iq>]]></example>
215 226
 </section1>
@@ -221,7 +232,7 @@
221 232
     to='romeo@montague.tld/garden'
222 233
     type='error'>
223 234
   <request xmlns='urn:xmpp:http:upload:0'
224
-    filename='my-juliet.jpg'
235
+    filename='très cool.jpg'
225 236
     size='23456'
226 237
     content-type='image/jpeg' />
227 238
   <error type='modify'>
@@ -240,7 +251,7 @@
240 251
     to='romeo@montague.tld/garden'
241 252
     type='error'>
242 253
   <request xmlns='urn:xmpp:http:upload:0'
243
-    filename='my-juliet.jpg'
254
+    filename='très cool.jpg'
244 255
     size='23456'
245 256
     content-type='image/jpeg' />
246 257
   <error type='wait'>
@@ -256,7 +267,7 @@
256 267
     to='romeo@montague.tld/garden'
257 268
     type='error'>
258 269
   <request xmlns='urn:xmpp:http:upload:0'
259
-     filename='my-juliet.jpg'
270
+     filename='très cool.jpg'
260 271
      size='23456'
261 272
      content-type='image/jpeg' />
262 273
   <error type='cancel'>
@@ -275,7 +286,7 @@
275 286
 </section1>
276 287
 <section1 topic='Security Considerations' anchor='security'>
277 288
   <ul>
278
-  <li>Client implementors MUST consider the fact that without additional end-to-end-encryption files uploaded to a service described in this document will store those files in plain text on that service. Client implementors SHOULD either use this only for semi public files (for example files shared in a public MUC or a PEP Avatar) or implement appropriate end-to-end encryption.</li>
289
+  <li>Implementors should keep in mind, that without additional end-to-end-encryption, files uploaded to a service described in this document may be stored in plain text. Client implementors are advised to either use this only for semi public files (for example files shared in a public MUC or a PEP Avatar) or implement appropriate end-to-end encryption.</li>
279 290
   <li>Requesting entities MUST strip any newline characters from the HTTP header names and values before making the PUT request.</li>
280 291
   <li>Requesting entities MUST ensure that only the headers that are explicitly allowed by this XEP (Authorization, Cookie, Expires) are copied from the slot response to the HTTP request.</li>
281 292
   <li>Service implementors SHOULD use long randomized parts in their URLs making it impossible to guess the location of arbitrary files</li>

Loading…
Cancel
Save