From dbbd8fa95287881852f9fed7224003fd6cfd6a36 Mon Sep 17 00:00:00 2001 From: JC Brand Date: Tue, 24 Sep 2019 11:55:00 +0200 Subject: [PATCH] Update message retractions protoXEP * The MUC moderation use-case will be split out into a different XEP * Update this XEP to handle the case where a user retracts their own message * Use XEP-0422 for the retraction message * Mention in security considerations that the XEP-0421 occupant id must be checked --- inbox/message-retraction.xml | 91 +++++++++++++++++++++--------------- 1 file changed, 54 insertions(+), 37 deletions(-) diff --git a/inbox/message-retraction.xml b/inbox/message-retraction.xml index e15e7a28..00806dff 100644 --- a/inbox/message-retraction.xml +++ b/inbox/message-retraction.xml @@ -16,11 +16,22 @@ Council XMPP Core + XMPP IM + XEP-0313 + XEP-0421 + XEP-0422 message-retract &lance; + &jcbrand; + + 0.0.4 + 2019-09-25 + jcb +

Remove MUC moderation use-case which will go into a separate XEP

 + 0.0.3 2016-10-19 @@ -41,20 +52,22 @@ -

Occasionally, a &xep0045; room moderator or admin might wish to retract certain chat messages from the room history as part of an effort to address and remedy issues such as message spam, indecent language for the venue, exposing private third-party personal information, etc. However, as with any content moderation tool, the retraction request can only be considered as a hint and by itself can not prevent or undo any potential damage caused by the offending message, as clients which don't support message deletion are not obligated to enforce the deletion request and people could have seen or copied the message content already.

+

A chat participant might want to retract a message which they've already sent out, for example if they've mistakenly sent it to the wrong recipient or groupchat.

+

Due to the federated and extensible nature of XMPP it's not possible to remove a message with full certainty and a retraction can only be considered an unenforceable request for such removal. Clients which don't support message retraction are not obligated to enforce the request and people could have seen or copied the message contents already.

 -

If a client or service implements message deletion, it MUST specify the 'urn:xmpp:message-retract:0' feature in its service discovery information features as specified in &xep0030; and the Entity Capabilities profile specified in &xep0115;.

+

If a client or service implements message retraction, it MUST specify the 'urn:xmpp:message-retract:0' feature in its service discovery information features as specified in &xep0030; and the Entity Capabilities profile specified in &xep0115;.

]]> ... @@ -64,41 +77,51 @@ ]]> -

When a user indicates to the client that a sent message (or a received message for MUC room moderators) is meant to be retracted, the client will send a new message containing a <retract /> element with the "urn:xmpp:message-retract:0" namespace, with an id attribute set to the id of the message to be retracted.

- - This message contained information not meant for this room. +

Consider a situation where a user sends a message to the wrong recipient:

+ + Have not saints lips, and holy palmers too? + ]]> - - + +

The message author notices that the message was sent to the wrong recipient and indicates to their client that the message should be retracted.

+

The client sends out a retraction message which uses &xep0422; to indicate that it applies to the wrongly sent message by referring to its XEP-0359 origin ID.

+ + + + + ]]> + -

An archiving service MAY replace the contents of a retracted message with a 'tombstone' recording the fact that the message was retracted (but otherwise preserving the fact that the message did once exist in order to aid synchronizing archives). To do so, the archiving service replaces the contents of the message with a <retracted/> element qualified by the 'urn:xmpp:message-retract:0' namespace, which SHOULD include a 'by' attribute specifying the JID of the entity that sent the retraction.

+

An archiving service MAY replace a retracted message with a 'tombstone' recording the fact that the message was retracted (but otherwise preserving the fact that the message did once exist in order to aid synchronizing archives). The message gets replaced with a <retracted/> element which SHOULD include a 'by' attribute specifying the JID of the entity that sent the retraction and a 'stamp' attribute indicating the time at which the retraction took place.

+ - + + - - - - - - + + + + ]]> + -

A receiving client can choose to remove the indicated message from whatever display is used for messages, from any stored history, or choose to display the fact that a message has been removed in another way.

-

A MUC or other service that supports message retraction SHOULD prevent further distribution of the message by the service (e.g., by not replaying the message to new occupants joining the room, omitting the message from history archive requests where possible, or replacing the original message with a 'tombstone').

+

A receiving client can choose to remove the retracted message from whatever display is used for messages, from any stored history, or choose to display the fact that a message has been retracted in another way.

+

A MUC or other service that supports message retraction SHOULD prevent further distribution of the message by the service (e.g., by not replaying the message to new occupants joiningthe room, omitting the message from history archive requests where possible, or replacing the original message with a 'tombstone').

+

Some clients may have been offline while the retraction was issued. The archiving service therefore MUST store the retraction message, regardless of whether the original message is deleted or replaced with a tombstone. These clients will then become aware of the retraction as soon as they catch up with the archive.

A client MAY inform the user that a no-longer displayed message did previously exist and has been removed.

-

Clients and services MUST set the 'id' attribute on messages if they allow for message retraction.

+

Clients MUST set the XEP-0359 'origin id' attribute on sent messages to make them suitable for message retraction.

The Sender MUST NOT send a retraction request for a message with non-messaging payloads. For example, a sender MUST NOT send a retraction for a roster item exchange request or a file transfer part.

-

A retraction MUST only be processed when both the original message and retraction request are received from the same full-JID (or from a JID of an appropriate admin or moderator in the case of a MUC room.)

+

A retraction (that's not part of a protoXEP message moderation operation) MUST only be processed when both the original message and the retraction request are received from the same bare-JID (in a one-on-one conversation) or full-JID (in a non-anonymous MUC from &xep0045;).

+

When used in a semi-anonymous MUC, the recipient client MUST check that a message retraction was sent by the author of the retracted message by checking the occupant id from &xep0421;.

There can never be a guarantee that a retracted message was never seen or otherwise distributed, and it is encouraged for clients and services when possible to inform users that no such guarantee exists.

-

When used in a &xep0045; context, retractions sent by non-moderators must not be allowed (by the receiver) for messages received before the sender joined the room - particularly a full JID leaving the room then rejoining and retracting a message SHOULD be disallowed, as the entity behind the full JID in the MUC may have changed.

+

To prevent message spoofing, it's very important that the JID or occupant id of message retractions are checked (as explained in the Business Rules section).

None.

@@ -124,21 +147,15 @@ xmlns='urn:xmpp:message-retract:0' elementFormDefault='qualified'> - - - - - - - - - + - + + +