HTTP Upload: improved wording in security section + reference rfc 3986

Daniel Gultsch 2018-04-21 16:28:48 +02:00
parent 2b7da0bf24
commit 987f237c47
1 changed file with 19 additions and 8 deletions

@ -29,6 +29,17 @@
<email>daniel@gultsch.de</email>
<jid>daniel@gultsch.de</jid>
</author>
<revision>
<version>0.6.0</version>
<date>2018-04-21</date>
<initials>dg</initials>
<remark>
<ul>
<li>Handling of non ASCII characters in URL</li>
<li>Removed normative language from first paragraph of the security considerations.</li>
</ul>
</remark>
</revision>
<revision>
<version>0.5.0</version>
<date>2018-02-15</date>
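Review bot: The first remark item, "Handling of non ASCII characters in URL", undersells what this revision does. Elsewhere in this commit it becomes a MUST that both slot URLs adhere to RFC 3986 and that non-ASCII characters are percent-encoded, which is a new normative requirement on upload services. Suggest wording the remark as the requirement it is, for example "Slot URLs MUST adhere to RFC 3986; non-ASCII characters MUST be percent-encoded", and hyphenating "non-ASCII".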
@ -193,11 +204,11 @@
to='upload.montague.tld'
type='get'>
<request xmlns='urn:xmpp:http:upload:0'
filename='my-juliet.jpg'
filename='très cool.jpg'
size='23456'
content-type='image/jpeg' />
</iq>]]></example>
<p>The upload service responds with both a PUT and a GET URL wrapped by a &lt;slot&gt; element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;).</p>
<p>The upload service responds with both a PUT and a GET URL wrapped by a &lt;slot&gt; element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;). Both HTTPS URLs MUST adhere to &rfc3986;. Non ASCII characters MUST be percent-encoded.</p>
<p>The &lt;put&gt; element MAY also contain a number of &lt;header&gt; elements which correspond to HTTP header fields. Each &lt;header&gt; element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request.</p>
<example caption='The upload service responds with a slot'><![CDATA[
<iq from='upload.montague.tld'
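Review bot: The added sentence "Non ASCII characters MUST be percent-encoded." is narrower than what a filename can contain. The new example filename 'très cool.jpg' also has a space, and a user-chosen filename can carry ASCII characters such as '/', '?', '#' or '%' that change how the URL is parsed if the service copies them into the path unencoded. Suggest stating that the service percent-encodes the filename as a single path segment per RFC 3986, so that any character not permitted in a segment is encoded, and that the requesting entity uses the returned URLs as given rather than encoding them a second time. "Non ASCII" should also be "Non-ASCII".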
@ -205,11 +216,11 @@
to='romeo@montague.tld/garden'
type='result'>
<slot xmlns='urn:xmpp:http:upload:0'>
<put url='https://upload.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/my-juliet.jpg'>
<put url='https://upload.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/tr%C3%A8s%20cool.jpg'>
<header name='Authorization'>Basic Base64String==</header>
<header name='Cookie'>foo=bar; user=romeo</header>
</put>
<get url='https://download.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/my-juliet.jpg' />
<get url='https://download.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/tr%C3%A8s%20cool.jpg' />
</slot>
</iq>]]></example>
</section1>
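Review bot: The new example URLs encode 'è' as %C3%A8, which is its UTF-8 byte sequence, but the normative text added in this commit never names the character encoding to apply before percent-encoding. Suggest stating UTF-8 explicitly next to the RFC 3986 requirement so implementations do not have to infer it from this example.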
@ -221,7 +232,7 @@
to='romeo@montague.tld/garden'
type='error'>
<request xmlns='urn:xmpp:http:upload:0'
filename='my-juliet.jpg'
filename='très cool.jpg'
size='23456'
content-type='image/jpeg' />
<error type='modify'>
@ -240,7 +251,7 @@
to='romeo@montague.tld/garden'
type='error'>
<request xmlns='urn:xmpp:http:upload:0'
filename='my-juliet.jpg'
filename='très cool.jpg'
size='23456'
content-type='image/jpeg' />
<error type='wait'>
@ -256,7 +267,7 @@
to='romeo@montague.tld/garden'
type='error'>
<request xmlns='urn:xmpp:http:upload:0'
filename='my-juliet.jpg'
filename='très cool.jpg'
size='23456'
content-type='image/jpeg' />
<error type='cancel'>
@ -275,7 +286,7 @@
</section1>
<section1 topic='Security Considerations' anchor='security'>
<ul>
<li>Client implementors MUST consider the fact that without additional end-to-end-encryption files uploaded to a service described in this document will store those files in plain text on that service. Client implementors SHOULD either use this only for semi public files (for example files shared in a public MUC or a PEP Avatar) or implement appropriate end-to-end encryption.</li>
<li>Implementors should keep in mind, that without additional end-to-end-encryption, files uploaded to a service described in this document may be stored in plain text. Client implementors are advised to either use this only for semi public files (for example files shared in a public MUC or a PEP Avatar) or implement appropriate end-to-end encryption.</li>
<li>Requesting entities MUST strip any newline characters from the HTTP header names and values before making the PUT request.</li>
<li>Requesting entities MUST ensure that only the headers that are explicitly allowed by this XEP (Authorization, Cookie, Expires) are copied from the slot response to the HTTP request.</li>
<li>Service implementors SHOULD use long randomized parts in their URLs making it impossible to guess the location of arbitrary files</li>
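Review bot: In the reworded first list item, the lowercase "should" in "Implementors should keep in mind, that ..." sits in a list whose other items use uppercase MUST and SHOULD, so readers may still take it as a requirement. Since the stated goal is to remove normative language, phrasing such as "Implementors need to be aware that ..." avoids the keyword entirely. The comma after "keep in mind" should go, "semi public" should be "semi-public", and the sentence mixes "end-to-end-encryption" with "end-to-end encryption". Separately, this section does not pick up the new URL requirement: consider an item advising requesting entities to check that the PUT URL is an https URL before sending the Authorization or Cookie headers from the slot to it.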