mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-21 16:55:07 -05:00
HTTP Upload: improved wording in security section + reference rfc 3986
This commit is contained in:
parent
2b7da0bf24
commit
987f237c47
27
xep-0363.xml
27
xep-0363.xml
@ -29,6 +29,17 @@
|
|||||||
<email>daniel@gultsch.de</email>
|
<email>daniel@gultsch.de</email>
|
||||||
<jid>daniel@gultsch.de</jid>
|
<jid>daniel@gultsch.de</jid>
|
||||||
</author>
|
</author>
|
||||||
|
<revision>
|
||||||
|
<version>0.6.0</version>
|
||||||
|
<date>2018-04-21</date>
|
||||||
|
<initials>dg</initials>
|
||||||
|
<remark>
|
||||||
|
<ul>
|
||||||
|
<li>Handling of non ASCII characters in URL</li>
|
||||||
|
<li>Removed normative language from first paragraph of the security considerations.</li>
|
||||||
|
</ul>
|
||||||
|
</remark>
|
||||||
|
</revision>
|
||||||
<revision>
|
<revision>
|
||||||
<version>0.5.0</version>
|
<version>0.5.0</version>
|
||||||
<date>2018-02-15</date>
|
<date>2018-02-15</date>
|
||||||
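Review bot: the new revision remark in this hunk understates the change. The same commit also adds two new MUST-level requirements (URLs MUST adhere to RFC 3986, non-ASCII characters MUST be percent-encoded) and changes the example filename in four examples, so the changelog should say so, e.g. `<li>Require URLs to conform to RFC 3986 and percent-encode non-ASCII characters; examples now use a non-ASCII file name.</li>`. Minor style: hyphenate "non-ASCII", and end the first item with a period like the second one.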
@ -193,11 +204,11 @@
|
|||||||
to='upload.montague.tld'
|
to='upload.montague.tld'
|
||||||
type='get'>
|
type='get'>
|
||||||
<request xmlns='urn:xmpp:http:upload:0'
|
<request xmlns='urn:xmpp:http:upload:0'
|
||||||
filename='my-juliet.jpg'
|
filename='très cool.jpg'
|
||||||
size='23456'
|
size='23456'
|
||||||
content-type='image/jpeg' />
|
content-type='image/jpeg' />
|
||||||
</iq>]]></example>
|
</iq>]]></example>
|
||||||
<p>The upload service responds with both a PUT and a GET URL wrapped by a <slot> element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;).</p>
|
<p>The upload service responds with both a PUT and a GET URL wrapped by a <slot> element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;). Both HTTPS URLs MUST adhere to &rfc3986;. Non ASCII characters MUST be percent-encoded.</p>
|
||||||
<p>The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request.</p>
|
<p>The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request.</p>
|
||||||
<example caption='The upload service responds with a slot'><![CDATA[
|
<example caption='The upload service responds with a slot'><![CDATA[
|
||||||
<iq from='upload.montague.tld'
|
<iq from='upload.montague.tld'
|
||||||
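Review bot: "Non ASCII characters MUST be percent-encoded" is both too narrow and underspecified for the requirement it adds. The slot example in this same commit encodes the space as %20, which is ASCII, so the rule should cover every character that RFC 3986 does not allow in a path segment, and it should say that the character's UTF-8 octets are what get percent-encoded (as tr%C3%A8s shows), since RFC 3986 encodes octets, not characters. Suggest: "Characters not permitted in a URL path segment by RFC 3986 MUST be percent-encoded; non-ASCII characters MUST be encoded as UTF-8 before percent-encoding." Also hyphenate "Non-ASCII", and confirm that the &rfc3986; entity is declared in the shared entity file, since an undeclared entity fails the XML build.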
@ -205,11 +216,11 @@
|
|||||||
to='romeo@montague.tld/garden'
|
to='romeo@montague.tld/garden'
|
||||||
type='result'>
|
type='result'>
|
||||||
<slot xmlns='urn:xmpp:http:upload:0'>
|
<slot xmlns='urn:xmpp:http:upload:0'>
|
||||||
<put url='https://upload.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/my-juliet.jpg'>
|
<put url='https://upload.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/tr%C3%A8s%20cool.jpg'>
|
||||||
<header name='Authorization'>Basic Base64String==</header>
|
<header name='Authorization'>Basic Base64String==</header>
|
||||||
<header name='Cookie'>foo=bar; user=romeo</header>
|
<header name='Cookie'>foo=bar; user=romeo</header>
|
||||||
</put>
|
</put>
|
||||||
<get url='https://download.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/my-juliet.jpg' />
|
<get url='https://download.montague.tld/4a771ac1-f0b2-4a4a-9700-f2a26fa2bb67/tr%C3%A8s%20cool.jpg' />
|
||||||
</slot>
|
</slot>
|
||||||
</iq>]]></example>
|
</iq>]]></example>
|
||||||
</section1>
|
</section1>
|
||||||
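Review bot: nothing in this hunk or in the prose above it says who performs the percent-encoding. The client sent the raw filename 'très cool.jpg' in the request and receives already-encoded PUT and GET URLs, so the text should state that the service produces the encoded URLs and that the requesting entity uses them verbatim without re-encoding (re-encoding turns %C3 into %25C3 and the upload goes to the wrong path). It is good that the PUT and GET URLs use the identical encoded segment; keep them in sync if the example changes again.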
@ -221,7 +232,7 @@
|
|||||||
to='romeo@montague.tld/garden'
|
to='romeo@montague.tld/garden'
|
||||||
type='error'>
|
type='error'>
|
||||||
<request xmlns='urn:xmpp:http:upload:0'
|
<request xmlns='urn:xmpp:http:upload:0'
|
||||||
filename='my-juliet.jpg'
|
filename='très cool.jpg'
|
||||||
size='23456'
|
size='23456'
|
||||||
content-type='image/jpeg' />
|
content-type='image/jpeg' />
|
||||||
<error type='modify'>
|
<error type='modify'>
|
||||||
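Review bot: with a literal 'è' now inside an attribute value in the source, confirm that the file's XML declaration specifies encoding='UTF-8' (or that the build tooling assumes UTF-8); otherwise this and the next two error examples will render with a mangled filename. Beyond that, the change only keeps the error examples consistent with the request example above, which is fine.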
@ -240,7 +251,7 @@
|
|||||||
to='romeo@montague.tld/garden'
|
to='romeo@montague.tld/garden'
|
||||||
type='error'>
|
type='error'>
|
||||||
<request xmlns='urn:xmpp:http:upload:0'
|
<request xmlns='urn:xmpp:http:upload:0'
|
||||||
filename='my-juliet.jpg'
|
filename='très cool.jpg'
|
||||||
size='23456'
|
size='23456'
|
||||||
content-type='image/jpeg' />
|
content-type='image/jpeg' />
|
||||||
<error type='wait'>
|
<error type='wait'>
|
||||||
@ -256,7 +267,7 @@
|
|||||||
to='romeo@montague.tld/garden'
|
to='romeo@montague.tld/garden'
|
||||||
type='error'>
|
type='error'>
|
||||||
<request xmlns='urn:xmpp:http:upload:0'
|
<request xmlns='urn:xmpp:http:upload:0'
|
||||||
filename='my-juliet.jpg'
|
filename='très cool.jpg'
|
||||||
size='23456'
|
size='23456'
|
||||||
content-type='image/jpeg' />
|
content-type='image/jpeg' />
|
||||||
<error type='cancel'>
|
<error type='cancel'>
|
||||||
@ -275,7 +286,7 @@
|
|||||||
</section1>
|
</section1>
|
||||||
<section1 topic='Security Considerations' anchor='security'>
|
<section1 topic='Security Considerations' anchor='security'>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Client implementors MUST consider the fact that without additional end-to-end-encryption files uploaded to a service described in this document will store those files in plain text on that service. Client implementors SHOULD either use this only for semi public files (for example files shared in a public MUC or a PEP Avatar) or implement appropriate end-to-end encryption.</li>
|
<li>Implementors should keep in mind, that without additional end-to-end-encryption, files uploaded to a service described in this document may be stored in plain text. Client implementors are advised to either use this only for semi public files (for example files shared in a public MUC or a PEP Avatar) or implement appropriate end-to-end encryption.</li>
|
||||||
<li>Requesting entities MUST strip any newline characters from the HTTP header names and values before making the PUT request.</li>
|
<li>Requesting entities MUST strip any newline characters from the HTTP header names and values before making the PUT request.</li>
|
||||||
<li>Requesting entities MUST ensure that only the headers that are explicitly allowed by this XEP (Authorization, Cookie, Expires) are copied from the slot response to the HTTP request.</li>
|
<li>Requesting entities MUST ensure that only the headers that are explicitly allowed by this XEP (Authorization, Cookie, Expires) are copied from the slot response to the HTTP request.</li>
|
||||||
<li>Service implementors SHOULD use long randomized parts in their URLs making it impossible to guess the location of arbitrary files</li>
|
<li>Service implementors SHOULD use long randomized parts in their URLs making it impossible to guess the location of arbitrary files</li>
|
||||||
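Review bot: the rewritten first list item has wording problems. "keep in mind, that" has a stray comma (should be "keep in mind that"), "end-to-end-encryption" should be "end-to-end encryption", and "semi public" should be "semi-public". More substantively, "stored in plain text" is a misnomer for binary files; "stored unencrypted on the service" says what is meant, and since the point of the item is that the service operator can read the content, consider "may be stored unencrypted and are readable by the service operator". The softening from MUST/SHOULD to "should keep in mind" and "are advised to" matches the changelog entry, so no objection there; the three following items keep their MUST/SHOULD, which is correct since they describe protocol behaviour rather than deployment advice.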