jdev - 2022-03-13


  1. edhelas

    Who is planning to implement 0461 ?

  2. pep.

    edhelas: there's already https://fosstodon.org/@polynomdivision/107921082993522502 apparently

  3. lovetox

    moparisthebest, what is now the prefered solution for websocket?

  4. lovetox

    should i remove it completely?

  5. lovetox

    is there a use case for desktop clients?

  6. lovetox

    i originally replaced bosh with it

  7. lovetox

    but i ask myself now if there is a situation where you would want to use websocket instead of tcp on a desktop

  8. Link Mauve

    lovetox, when you have a really bad firewall on your network usually.

  9. Link Mauve

    Or when the server only has that configured.

  10. lovetox

    the firewall thing is stated often, but im not particular inclined to provide a software for people that circumvent their work enviroments

  11. Link Mauve

    lovetox, the preferred solution for discovering WebSocket (and BOSH) endpoints is to follow the HTTP workflow of XEP-0156.

  12. Link Mauve

    It’s not just work, it’s also airports, schools, universities, some cafés.

  13. lovetox

    Link Mauve, why you disabled websocket on jabber.fr?

  14. Link Mauve

    Oh did we?

  15. Link Mauve

    IIRC there was an issue with some version of Converse, which started preferring it to BOSH, and I didn’t have time to investigate.

  16. Link Mauve

    At the time, BOSH was generally better than WebSocket, now that XEP-0198 can be done over WebSocket it’s probably the opposite..

  17. Link Mauve

    At the time, BOSH was generally better than WebSocket, now that XEP-0198 can be done over WebSocket it’s probably the opposite.

  18. Link Mauve

    Do you do 0198 in that case?

  19. Link Mauve

    It would be better if this /.well-known/host-meta had a way to tell clients about preferences, but alas the web always has to reinvent SRV poorly…

  20. Link Mauve

    Converse doesn’t seem to notice websocket being blocked by CSP.

  21. lovetox

    CSP?

  22. lovetox

    i mean in your hostmeta file websocket is commented out

  23. lovetox

    meaning i have no way of testing my code :)

  24. Zash

    Content-Security-Policy, a browser thing

  25. lovetox

    yes i do 0198 over websocket

  26. lovetox

    is this useless?

  27. lovetox

    because we always know if a message reached the server?

  28. Zash

    No, 198 is good

  29. Zash

    The thing is that BOSH has equivalent functionality built in, so WS needs 198 to be comparable

  30. Link Mauve

    lovetox, it isn’t commented out any longer, but also still not working.

  31. lovetox

    k thanks, yeah its enough for me to retrieve the uri from somewhere

  32. Link Mauve

    Heh, module:list() | grep websocket → *crickets*

  33. Link Mauve

    But since we haven’t updated since the previous CVE, I won’t enable it today.

  34. Link Mauve

    lovetox, I will comment it out again in the host-meta, unless you want to continue debugging.

  35. Link Mauve

    I will uncomment it once we are ready to reboot the server for upgrades.

  36. lovetox

    hm would be cool if you could leave it until tomorrow

  37. lovetox

    im just finishing the code

  38. Link Mauve

    That prevents our web users from being able to connect at all. :/

  39. Link Mauve

    Couldn’t you pick any of the other correctly-configured servers here? https://compliance.conversations.im/test/xep0156/

  40. lovetox

    no, your users can wait till tomorrow

  41. lovetox

    :) of course then comment it out, i take another server

  42. moparisthebest

    lovetox: websocket is valuable, just needs looked up via host-meta, and I'd probably suggest standardizing on host-meta json, it's in the RFC

  43. moparisthebest

    In fact I'm going to propose an update to '156 saying that...

  44. lovetox

    but thats to late

  45. lovetox

    now everyone implemented updated it and probably everybody uses whats in the xep the xml

  46. lovetox

    just leave it at that

  47. lovetox

    as this are xmpp clients, all software deals with xml anyway

  48. lovetox

    i dont even know why there is a second solution here

  49. moparisthebest

    lovetox: because it's in the host-meta RFC

  50. lovetox

    ?

  51. moparisthebest

    And all XMPP clients should be doing posh anyway which is json only

  52. lovetox

    and its also in the XEp

  53. lovetox

    why do you need to standardize on json

  54. moparisthebest

    The json representation is in the host-meta RFC too I mean

  55. lovetox

    ok you mean thats why its in the XEP

  56. moparisthebest

    It makes sense to standardize on one instead of always grab both

  57. lovetox

    but it does not explain why you want to remove the xml represantation

  58. Link Mauve

    moparisthebest, no need to fetch both, as the XRD version is required to be present.

  59. lovetox

    moparisthebest, we dont need to grab both, because one is optional and the other not currently

  60. moparisthebest

    And fun fact: the example XML in the host-meta RFC is invalid according to the XRD spec, it doesn't validate

  61. lovetox

    if you change this now, THEN we definitly need to grab both

  62. moparisthebest

    You already have to grab both, I'd like to strongly recommend only grabbing the json

  63. lovetox

    no

  64. lovetox

    json is optional

  65. moparisthebest

    Also the XRD spec website has a "always valid look to the latest xsd" that returns 404 lol

  66. moparisthebest

    Also the XRD spec website has a "always valid link to the latest xsd" that returns 404 lol