From f06ff3ffd4e52b16b6b052230a23a647d6f4a80c Mon Sep 17 00:00:00 2001 From: Zash Date: Thu, 23 Mar 2023 23:56:53 +0100 Subject: [PATCH] XEP-0233: Merge wording suggestions from MattJ Co-authored-by: Matthew Wild --- xep-0223.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xep-0223.xml b/xep-0223.xml index 25104e5f..73c988f6 100644 --- a/xep-0223.xml +++ b/xep-0223.xml @@ -251,7 +251,7 @@

Since private data is to be stored in a mechanism originally intended to publish data, it is REQUIRED for entities to ensure that the restrictive <publish-options/> will actually be honored by the server by performing the feature discovery procedure as specified in Determining Support. If an entity using that procedure finds that the server does not support <publish-options/>, it MUST NOT store private data in PubSub, unless it can ensure privacy of the data with other means.

-

The configuration of a local pubsub node does not prevent an attacker or a contact with a misconfigured node from sending pubsub events with the same payload. Therefore clients MUST verify that the ‘from’ attribute on incoming event messages are either missing or equal that of their own account JID.

+

The configuration of a local pubsub node does not prevent an attacker or a contact with a misconfigured node from sending pubsub events with the same payload. Therefore clients MUST verify that the ‘from’ attribute on incoming event messages is either absent or equal to their own account JID.

The Security Considerations specified in XEP-0060 and XEP-0163 need to be taken into account.
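
Review bot: In the added paragraph, "equal to their own account JID" does not say whether the comparison is against the bare JID or a full JID, and the MUST stops at "verify" without saying what a client does with an event that fails the check. Consider naming the JID form explicitly and adding that events with any other 'from' are to be ignored, so that implementations of this check do not diverge. Separately, the Subject line says XEP-0233 while the diff touches xep-0223.xml; the commit subject looks like a typo worth correcting before merge.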