[jdev] Spoofing of iq ids and misbehaving servers
Mark Doliner
mark at kingant.net
Fri Jan 31 16:46:37 UTC 2014
Small correction...
On Fri, Jan 31, 2014 at 12:26 AM, Mark Doliner <mark at kingant.net> wrote:
> In a server generated IQ reply it seems like it's never acceptable to
> set 'from' to the user's full JID. Thijs mentioned that he thought
> iChat server (unknown version) and ejabberd (probably 2.1.10) do this.
> That seems wrong to me.
It looks like this was allowed in RFC 3920: "When a server generates a
stanza from the server itself for delivery to a connected client
(e.g., in the context of data storage services provided by the server
on behalf of the client), the stanza MUST either (1) not include a
'from' attribute or (2) include a 'from' attribute whose value is the
account's bare JID (<node at domain>) or client's full JID
(<node at domain/resource>)."
Compare that to the corresponding text in RFC 6120: "When the server
generates a stanza from the server for delivery to the client on
behalf of the account of the connected client (e.g., in the context of
data storage services provided by the server on behalf of the client),
the stanza MUST either (a) not include a 'from' attribute or (b)
include a 'from' attribute whose value is the account's bare JID
(<localpart at domainpart>)."
So iChat and ejabberd are behaving mostly reasonably and clients
probably should allow the full JID in this case.
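The 'from' check the message describes, as an added example that is not part of the original post or of any client mentioned in it: replies to requests sent to the account or its server may carry no 'from', the bare JID (RFC 6120) or, optionally, the full JID (RFC 3920 wording), while every other reply must come from exactly the address the request was sent to. The pending-request table, the client JID and the stanzas are constructed sample data.

```python
import xml.etree.ElementTree as ET

def bare_jid(jid):
    """'node@domain/resource' -> 'node@domain'."""
    return jid.split("/", 1)[0]

def reply_from_is_acceptable(my_full_jid, request_to, reply_from, allow_full_jid=True):
    """May an IQ result/error with this 'from' (None when absent) be matched to a
    request we sent to request_to (None when the request carried no 'to')?
    Requests to our own account or our server get the relaxed rule from the thread:
    'from' may be absent, our bare JID (RFC 6120) or, with allow_full_jid, our full
    JID (the RFC 3920 wording some servers still follow). Any other request must be
    answered from exactly the address we used, so a reply forged by a third party
    that guessed the id is never matched."""
    my_bare = bare_jid(my_full_jid)
    server = my_bare.split("@", 1)[-1]
    if request_to not in (None, my_bare, my_full_jid, server):
        return reply_from == request_to
    accepted = {my_bare, request_to} - {None}
    if allow_full_jid:
        accepted.add(my_full_jid)
    return reply_from is None or reply_from in accepted

def match_reply(pending, stanza_xml, my_full_jid, allow_full_jid=True):
    """Return the id of the pending request ({id: to}) that this <iq> answers, or
    None if the id is unknown or the 'from' check fails. A matched id is removed so
    a second reply reusing it is rejected."""
    iq = ET.fromstring(stanza_xml)
    iq_id = iq.get("id")
    if iq.get("type") not in ("result", "error") or iq_id not in pending:
        return None
    if not reply_from_is_acceptable(my_full_jid, pending[iq_id], iq.get("from"), allow_full_jid):
        return None
    del pending[iq_id]
    return iq_id

ME = "alice@example.com/laptop"  # constructed client JID
# constructed pending table: roster get (no 'to'), disco to our server, query to a contact
PENDING = {"r1": None, "r2": "example.com", "r3": "bob@example.org/phone"}

def demo(allow_full_jid=True):
    """Feed the constructed stanzas to match_reply; returns the list of matched ids."""
    pending = dict(PENDING)
    stanzas = [
        "<iq type='result' id='r1' from='alice@example.com/laptop'/>",  # full JID, iChat/ejabberd style
        "<iq type='result' id='r2' from='example.com'/>",               # from the server we asked
        "<iq type='result' id='r3' from='mallory@example.net'/>",       # right id, wrong sender
        "<iq type='result' id='r3' from='bob@example.org/phone'/>",     # the real answer
    ]
    return [match_reply(pending, s, ME, allow_full_jid) for s in stanzas]
```

Calling `demo()` accepts the full-JID roster reply; `demo(False)` applies the stricter RFC 6120 reading and rejects it while still rejecting the forged 'r3' reply in both modes.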