jdev - 2023-08-15

One small debugging test for you guys

https://upload.movim.eu/files/9d94237298995552fa13436420195fbca436dce7/jveoIhOIeLvd/SPOILER_SPOILER_876d8fd6ad580a1b.webm

I had to fix my CSS to prevent some layout issues :D

Low quality vid of a dancing cat?

More the fact that the video size is not stable

On Android 13: Simple Gallery's built in video player doesn't play it at all. Google Fotos fails hard too. VLC plays fine up to the first second, then the video freezes but the sound continues. Aves is able to play it! :) ✏

its a webm, it opens in firefox on my desktop, and plays fine

Can confirm what meson said. Also cheogram doesn't even download it. "ungültige Datei" That's worse then a file that's compleatly unknown. They would be downloaded generally. So... Someting is broken with it?

firefox also seems unhappy, though I'm not sure if that's due to Content-Disposition: attachment

icecat plays it fine

as fine as it can be with changing the size all the time

ah when I open it from disk firefox plays it, so it's content-disposition: attachment indeed

jonas’, yeah, edhelas added it on movim.eu and indeed it makes Firefox download every single attachment instead of displaying them

edhelas, opening it in VLC, playing on loop, and viewing Tools->Codec Information, the resolution bounces between large and small; I'd guess it's meant to be some kind of zoom in & out effect, but it doesn't work correctly for most players since they expect a constant size within the same stream

I even see rhat effect for one or two seconds in vlc... Then it freezes

pep., edhelas, why though?

jonas’ it was a quick fix for some security issues, prevent some JS/CSS to be executed in the browser

The proper fix here is to restrict the input mimetype

NOPE

Forget it

Not to add a weird header

mimetype can be easily workedaround

edhelas, https://github.com/horazont/xmpp-http-upload/blob/master/xhu.py#L172-L174

what about these three?

Maybe

As I said it was just a quickfix to fix the security issue

pep., edhelas is right about constraining content-type not being enough; some browsers will bypass that and guess based on the content (hence the nosniff)

jonas’ thanks for the link, I'll try it out

Well restricting input mimetype is still necessary, otherwise the client needs to guess as well

I don't want to forbid users to upload JS or CSS files

Then what's the point of the header if you're going to interpret the file as given to you anyway

UX-wise outside of movim anyway it's a pita

> Then what's the point of the header if you're going to interpret the file as given to you anyway No that is exactly the point of the header ↺

I don't want an uploaded JS file to be executed inside the Movim page

I had a CVE for that https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2849

Not released yet

11:58:50 pep.> Then what's the point of the header if you're going to interpret the file as given to you anyway ask edge/IE

No but seriously you don't find this a pain? jonas’ you also use poezio+browser. I guess you don't come by movim.eu links often

yeah, I do find this to be a pain, and I generally don't get in contact with movim.eu links indeed

pep. listen, I want to be clear, I __understood your problem with it__ and I WILL take care of it

is it possible to extend the roster with custom elements?

or let me ask the question differently, say i have a company with 100.000 employees

how would we support that use case with xmpp?

if i want to start a conversation i want to find people, and if i find them i want meta infos, like department, phone number etc (basically vcard stuff)

now i need the presence status, so they need to be all in my roster

Sounds like 55

is this problematic? with 100.000 ? probably not because the full roster is only downloaded at first connect to the server

but i get a lot of presence info i never need

I'd probably loook at XEP-0055 and presence probes

You wouldn't put 100,000 people in your roster, you'd use 55 for it. Or I would, anyway. ✏

For some corporate server it'd probably make some sense to allow and respond to presence probes inside the server/company.

so 0055, and it returns all kind of metainfo, in essence its a dataform so it can return anything

On the other hand, I'm no fan of the multiple results part of XEP-0004 :/ ✏

It's not the nicest thing, but there are probably better oceans to boil.

it could also return the current presence data

and then i open a conversation, and then i presence probe? and this tells the server i want updates?

And of course where you already have them in your roster, you can use presence from that

either way, there are some XEPs that lay some groundwork, but sounds all very much like it needs special server customizations ✏

Depends how much you care about the presence part. People we've dealt with haven't.

Without presence, 55 works out of the box.

you met people which in a company setting, dont care what show (online, dnd, away) a other user has?

When searching for people outside their preset roster groups, right.

You could add them.

Indeed.

ok so you would put some people in the roster, like people working in the same country, but others not, which are less likely to be contacted

Didn't we talk about moving presence stuff into PEP?

That would help with e.g. "in a meeting" kind of statuses

> Didn't we talk about moving presence stuff into PEP? Yes. Really should get around to actually make that happen.

User Activity :)

but how is this better? pep sends you also a notification per user

its the same as you it were in your roster

lovetox, easier to query without presence subscription

as in, would already work with existing servers

i thought the goal of pep is that i dont need to query something, and get notification on change

i dont see that scale, the same as presence

It's pubsub. You can query pubsub without a subscription.

If you're opening a conversation with a few non-contacts, it's just a few queries?

im not sure i understand, i need a mechanisms that updates me on changes. Of course i can query the info when i open a chat, but i need to get the info when it changes

Which is exactly what pubsub is about, no?

so when i open a chat, i subscribe to some public node of the user

and it will update me, until i unsubscribe?

all without having presence subscription

Right.

i never dealt with anything but PEP, so i never did that subscribe thing manually, but if this works that way, yes i think that would work

and this bascially does not need any support from the server

i could implement this right now, if my client is the only thing the company uses

the 0055 would need a small server module i guess

Most (all?) the usual servers support 55.

But yes, the server does need to support 55 and 60/163 for it.

55 is a generic search protocol

filling it with useful information, is a server customization

as i said, to make it really good, it should return much more info

department, status, show, phonenumber etc