From 96477ee615a9e84854a276e735d933e9c30fab66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20=E2=80=9Cpep=E2=80=9D=20Buquet?= Date: Sat, 25 Dec 2021 23:12:47 +0100 Subject: [PATCH 1/7] XEP-0363: Size in bytes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxime “pep” Buquet --- xep-0363.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xep-0363.xml b/xep-0363.xml index 37985292..7135c503 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -249,7 +249,7 @@ ]]> -

A client requests a new upload slot by sending an IQ-get to the upload service containing a <request> child element qualified by the urn:xmpp:http:upload:0 namespace. This element MUST include the attributes filename and size containing the file name and size respectively.

+

A client requests a new upload slot by sending an IQ-get to the upload service containing a <request> child element qualified by the urn:xmpp:http:upload:0 namespace. This element MUST include the attributes filename and size containing the file name and size (in bytes) respectively.

An additional attribute content-type containing the Content-Type is OPTIONAL.
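
Review bot: "size (in bytes)" fixes the unit but still leaves the value's form unstated, so implementations have no agreed basis for rejecting a malformed attribute; consider "size containing the file name and the file size in bytes (a non-negative integer)". Also note that the same sentence says the element "MUST include" both attributes while the following context line makes content-type OPTIONAL, so the new wording should keep that contrast intact.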

Date: Tue, 4 Jan 2022 14:42:22 +0100 Subject: [PATCH 2/7] XEP-0363: Headers MUST be included in the PUT request MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxime “pep” Buquet --- xep-0363.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xep-0363.xml b/xep-0363.xml index 7135c503..8ec17646 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -262,7 +262,7 @@ content-type='image/jpeg' /> ]]>

The upload service responds with both a PUT and a GET URL wrapped by a <slot> element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;). Both HTTPS URLs MUST adhere to &rfc3986;. Non ASCII characters MUST be percent-encoded.

-

The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request.

+

The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. These headers MUST be included in the HTTP PUT request. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request.
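
Review bot: the added "These headers MUST be included in the HTTP PUT request" is ambiguous directly after "Only the following header names are allowed: Authorization, Cookie, Expires": it can be read as requiring every one of the three headers to be sent even when the service supplied none of them. Suggest "Any <header> element carrying one of these names MUST be included in the HTTP PUT request" (patch 6 of this series reworks this sentence for the same reason, so the two should be kept consistent). The newline-stripping requirement in the same paragraph also deserves a sentence on why it exists, since a value containing CR or LF would otherwise let the slot response inject additional header lines into the client's request.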

Date: Tue, 4 Jan 2022 14:43:54 +0100 Subject: [PATCH 3/7] XEP-0363: clients SHOULD NOT interpret headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxime “pep” Buquet --- xep-0363.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/xep-0363.xml b/xep-0363.xml index 8ec17646..c3a165f0 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -343,6 +343,7 @@ Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT Access-Control-Allow-Headers: Authorization, Content-Type Access-Control-Allow-Credentials: true ]]> +

Clients SHOULD NOT interpret headers and treat them as opaque.
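
Review bot: "Clients SHOULD NOT interpret headers and treat them as opaque" parses as "SHOULD NOT ... treat them as opaque", the opposite of the intent; write "Clients SHOULD NOT interpret the headers and SHOULD treat them as opaque." The hunk context shows the sentence is appended after the Access-Control example block, which is about the GET-side CORS configuration rather than the <header> elements of the <put> slot; it would read more naturally next to the <put>/<header> paragraph changed in patch 2, or should at least name what "headers" refers to. Finally, this SHOULD should be reconciled with the existing MUST that clients strip newline characters from header names and values: clients still inspect the values for that sanitisation, they just must not act on their meaning.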

From 7bffc702034d3a85ae328c3122e7ef3c9546de3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20=E2=80=9Cpep=E2=80=9D=20Buquet?= Date: Tue, 4 Jan 2022 14:44:12 +0100 Subject: [PATCH 4/7] XEP-0363: Servers may want to sign headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxime “pep” Buquet --- xep-0363.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/xep-0363.xml b/xep-0363.xml index c3a165f0..f4e48919 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -354,6 +354,7 @@ Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; ]]>

The provided policy will prohibit a browser from executing all active content from the HTTP upload domain (default-src 'none') and forbid embedding it from other pages (frame-ancestors 'none'). More information on Content-Security-Policy can be found on infosec.mozilla.org.

Further isolation can be achieved by hosting those files on an entirely different domain instead of using subdomains.

+

Headers may be signed so that receiving HTTP entities can verify these haven't been tempered with by clients.
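
Review bot: "tempered" should be "tampered". The sentence also does not say who signs or who verifies; since the slot is issued by the upload service and consumed by the HTTP endpoint receiving the PUT, suggest "The upload service MAY sign the header values it hands out so that the HTTP entity receiving the PUT request can verify that they have not been tampered with by the client." A short statement of why this matters (the header values are the only thing binding the PUT to the slot the XMPP service authorised) would make the security-considerations placement self-explanatory.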

    From 2bdac3219755192c1923705aa5e3578785b215f6 Mon Sep 17 00:00:00 2001 From: Emmanuel Gil Peyrot Date: Tue, 28 Dec 2021 15:42:44 +0100 Subject: [PATCH 5/7] XEP-0363: Add a sentence about multiple same headers and case insensitivity MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Thanks pep. for finding these issues! Signed-off-by: Maxime “pep” Buquet --- xep-0363.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xep-0363.xml b/xep-0363.xml index f4e48919..bd9e3589 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -262,7 +262,7 @@ content-type='image/jpeg' /> ]]>

    The upload service responds with both a PUT and a GET URL wrapped by a <slot> element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;). Both HTTPS URLs MUST adhere to &rfc3986;. Non ASCII characters MUST be percent-encoded.

    -

    The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. These headers MUST be included in the HTTP PUT request. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request.

    +

    The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. These headers MUST be included in the HTTP PUT request. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request, but MUST keep the same order of headers in the request. Each header name MAY be present zero or more times, and are case insensitive (eXpires is the same as Expires).
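
Review bot: "Each header name MAY be present zero or more times, and are case insensitive" mixes singular and plural; write "Header names are case insensitive (eXpires is the same as Expires) and each MAY appear zero or more times." The new "but MUST keep the same order of headers in the request" is attached with "but" to the newline-stripping clause although the two requirements are unrelated, and it imposes an order across different header names that common HTTP client libraries do not let callers control (the council feedback incorporated in patch 6 narrows this to the order of values for the same header). The "zero or more times" allowance also interacts with "These headers MUST be included" from patch 2: it is worth stating explicitly that a header name appearing zero times in the slot simply means the client sends none.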

    Date: Tue, 25 Jan 2022 16:52:56 +0100 Subject: [PATCH 6/7] XEP-0363: Incorporate Council feedback The wording about allowed headers was deemed unclear, so it was clarified that only allowed headers should be forwarded. In addition, there were concerns about implementation support for preserving the relative order of different headers. Considering that that's unlikely to be a use-case, the wording was changed to not require that, but only preserving the order of values for the same header. --- xep-0363.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xep-0363.xml b/xep-0363.xml index bd9e3589..8f2ab97a 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -262,7 +262,7 @@ content-type='image/jpeg' /> ]]>

    The upload service responds with both a PUT and a GET URL wrapped by a <slot> element. The service SHOULD keep the file name and especially the file ending intact. Using the same hostname for PUT and GET is OPTIONAL. The host MUST provide Transport Layer Security (&rfc5246;). Both HTTPS URLs MUST adhere to &rfc3986;. Non ASCII characters MUST be percent-encoded.

    -

    The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. These headers MUST be included in the HTTP PUT request. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request, but MUST keep the same order of headers in the request. Each header name MAY be present zero or more times, and are case insensitive (eXpires is the same as Expires).

    +

    The <put> element MAY also contain a number of <header> elements which correspond to HTTP header fields. Each <header> element MUST have a name-attribute and a content with the value of the header. Only the following header names are allowed: Authorization, Cookie, Expires. The allowed headers provided in the response MUST be included in the HTTP PUT request. Other header names MUST be ignored by the requesting entity and MUST NOT be included in the HTTP request. The requesting entity MUST strip any newline characters from the header name and value before performing the HTTP request, but MUST preserve the relative order of multiple values for the same header in the request. Each header name MAY be present zero or more times, and are case insensitive (eXpires is the same as Expires).
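
Review bot: the rework of "The allowed headers provided in the response MUST be included" resolves the ambiguity flagged on patch 2, and narrowing the ordering rule to "the relative order of multiple values for the same header" is the right scope. Two leftovers: the subject/verb mismatch "Each header name MAY be present ... and are case insensitive" survives from patch 5 and should read "and is case insensitive", and the ordering rule is still joined to the newline-stripping rule by "but" although they are independent requirements; splitting them into two sentences would make each testable on its own (a repeated Cookie header whose values are reordered is a distinct failure from one whose value contained a stripped CRLF).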

    Date: Tue, 4 Jan 2022 18:01:39 +0100 Subject: [PATCH 7/7] XEP-0363: Add 1.1.0 revision block MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxime “pep” Buquet --- xep-0363.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/xep-0363.xml b/xep-0363.xml index 8f2ab97a..54f64d5b 100644 --- a/xep-0363.xml +++ b/xep-0363.xml @@ -32,6 +32,20 @@ daniel@gultsch.de daniel@gultsch.de + + 1.1.0 + 2022-01-04 + egp, mb + +
      +
    • Filename size in bytes.
    • +
    • Headers MUST be included in the PUT request.
    • +
    • Headers considered opaque.
    • +
    • Servers may want to sign headers, in security implications.
    • +
    • Allow header case insensitivity, multiple times the same header, and preserve the order in the HTTP request.
    • +
    +
    +
    1.0.0 2020-02-11
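
Review bot: three entries in the revision block do not match the patches they summarise. "Filename size in bytes" describes patch 1 incorrectly, which changed the size attribute (the file size), so "File size in bytes" is meant. "Servers may want to sign headers, in security implications" should read "in Security Considerations" (or "security implications" should be spelled out as a section name). "preserve the order in the HTTP request" overstates patch 6, which after council feedback only requires preserving the relative order of multiple values for the same header; the entry should say so, since the original cross-header ordering was deliberately dropped. The revision date 2022-01-04 also predates patch 6 (dated 25 Jan 2022), so it needs updating when the series is merged.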