jdev - 2024-09-18


  1. darkhex

    Hello

  2. debacle

    Dears, if I have `<a href="xmpp:foo\40example.com@otherexample.com">foo</a>` in my browser HTML and open the link with Gajim, it tries to communicate with `foo%5c40example.com@otherexample.com`. Where is the bug? In the HTML or in Gajim?

    šŸ¤Æļø 1
  3. moparisthebest

    singpolyma likely has opinions and experience here ^

  4. singpolyma

    oh hi

  5. singpolyma

    bug is not in the html, since xmpp:foo

  6. singpolyma

    bug is not in the html, since `xmpp:foo\40` and `xmpp:foo%5c40` are the same thing

  7. moparisthebest

    What if you right click the link and copy it, what does a paste into a text editor do

  8. singpolyma

    I bet it pastes foo%5c40 which is totally fine and correct

  9. moparisthebest

    If so then you are saying gajim should unescape it or?

  10. Zash

    Doesn't url-decode when extracting the JID from the xmpp: URI?

  11. singpolyma

    moparisthebest: yes

  12. singpolyma

    the different examples are what should `xmpp:foo%blah.com@example.com` do? (this one is invalid and so the browser might do who knows what random thing with it. solution is to fix the link) or worse `xmpp:#foo@example.com` (this one is effectively blank but doesn't look like it is because # ends the URL completely)

  13. jonasā€™

    singpolyma, huh, in which grammar does `#` end an XMPP URL?

  14. jonasā€™

    I thought that was an HTTP specific thing?

  15. Zash

    no, #fragment is a generic URI thing

  16. jonasā€™

    fascinating

  17. Zash

    ... I think

  18. Zash

    depending on which of the competing definitions you subscribe to

  19. jonasā€™

    :)

  20. singpolyma

    > no, #fragment is a generic URI thing Correct

  21. Zash

    or maybe the WHATWG one only for HTTP(S) URLs? I am not sure and now does not feel like the time to go read those specs

  22. singpolyma

    URL and URI and whatwg url agree on this point. # is never valid in any of them

  23. jonasā€™

    singpolyma, buuutt... # *is* valid in HTTP URIs, isn't it?

  24. jonasā€™

    it just isn't sent to the remote.

  25. singpolyma

    Nope

  26. jonasā€™

    but it's constantly used.

  27. singpolyma

    It's not part of the uri

  28. singpolyma

    The fragment is an extra thing

  29. jonasā€™

    ok, I'm gonna need specs now

  30. singpolyma

    Part of "Uri with fragment"

  31. Zash

    Tho it is special in a similar way to ?

  32. moparisthebest

    specs in url land? Good luck

  33. singpolyma

    I mean you could say it's a distinction without difference. But officially it's not that you treat the fragment part of Uri special but rather fragment is not part of Uri and if you support fragments they're a seperate thing

  34. moparisthebest

    https://everything.curl.dev/cmdline/urls/browsers.html is a helpful intro

  35. jonasā€™

    singpolyma, I'm all for those nuances, but I wasn't aware of them. I'd like some document where it's written down which is not a third-party resource (sorry, moparisthebest ).

  36. jonasā€™

    it makes sense that it's somehow special, given that it's not sent to HTTP servers for example

  37. jonasā€™

    (and that that behaviour is consistent)

  38. Zash

    you want IETF RFC or WHATWG?

  39. singpolyma

    If you're ok with just uri it's in the rfc. Check the grammar for Uri you'll find # is not an allowed character in any position

  40. Zash

    because iirc they're subtly different :)

  41. jonasā€™

    "the RFC" --- which one?

  42. Zash

    THE

  43. Zash

    https://www.rfc-editor.org/rfc/rfc3986 maybe? or follow the updated by chain

  44. jonasā€™

    actually I should head to be

  45. jonasā€™

    actually I should head to bed

  46. jonasā€™

    o/

  47. Zash

    I should be asleep :|

  48. moparisthebest

    jonasā€™: the link I sent has links to all the various RFCs and standards and a brief explanation so I thought it was best

  49. Zash

    https://www.rfc-editor.org/rfc/rfc3986#section-3 looks like the thing to look at, if you're not sleeping

  50. moparisthebest

    https://url.spec.whatwg.org/ (what browsers use, constantly changing) https://www.ietf.org/rfc/rfc3986.txt (the RFC some people use a bit from)

  51. Zash

    IIRC the WHATWG has different sets of allowed characters per URL component.

  52. singpolyma

    That RFC looks like it's talking about hierarchical so it mentions fragment

  53. singpolyma

    But xmpp is non hierarchical

  54. singpolyma

    I can find the ref later

  55. debacle

    So Gajim (or any client) should turn `%5c` into `\` again?

  56. singpolyma

    Yes

    šŸ™ 1
  57. debacle wonders why XMPP does not use `%40` for the `@`. The `\` creates headaches at many places.

  58. singpolyma

    You can use %40 for the @ if you want

  59. singpolyma

    But there's no reason do

  60. singpolyma

    But there's no reason to

  61. debacle

    The XEP (what number was it?) says `\40`, and I'm feeling uneasy in doing something non-standard.

  62. singpolyma

    Oh you meant for on jids. Yes \ for jid escaping

  63. singpolyma

    I thought you mean eg xmpp: someone%40example.com which is ok if course

  64. debacle

    But `\` is sometimes annoying, having special meaning in most programming languages. And users don't find on their keyboard or confuse it with `/`.

  65. singpolyma

    If we used % instead of \ in jid escaping then in URIs it would be xmpp:blah%2540thing.com@example.com

  66. singpolyma

    TBF users aren't generally meant to see it, hopefully it's hidden behind auto escaping UI etc often

  67. debacle

    I mean in the context of e.g. email-XMPP gateways.

  68. singpolyma

    In an alt universe I'd use xmpp URIs directly in the wire protocol like sip does and then we wouldn't need any escaping mechanism at all

  69. debacle

    Yes, it's mostly hidden, but here and there it is hard to avoid that users see their JID, or they even must see it for certain actions.

  70. singpolyma

    Could show it in a human presentation way sometimes like browsers do with URLs. You rarely see %20 anymore they hide it

  71. debacle

    In my use case, it is not an email gateway, btw. but we are just abusing users verified email addresses to create a JID, that is "verified by email" šŸ˜€ļø

  72. singpolyma

    Oooh. Like quicksy

  73. debacle

    In almost all cases we only show the email address and hide the server part.

  74. singpolyma

    I love it

  75. debacle

    Haha, yes, in a way like Quicksy.

  76. singpolyma

    Is this a secret project?

  77. debacle

    It's free software: https://codeberg.org/Ammonit/ammonit-live-dashboard/src/branch/main/accounts

  78. debacle

    AGPL3

  79. debacle

    Maybe at some point, we can separate that function from the main project (dashboard), so that it can be reused easier.

  80. debacle

    It has the same drawback as Quicksy: If there were multiple server with the same scheme, people still cannot find others, if they are on a different server. Phone number (or email address) are only unique and easy to find on one server. In our use case, that does not matter, because it's all about IoT machine-to-human communication and human-to-human communication is not in our scope (but we do not prevent it).

  81. debacle

    Also, we do not filter one-time email addresses (such as guerillamail), so there is no spam account protection atm. This is probably better with Quicksy, as phone numbers are somewhat expensive.