-
Tobias
HTTP File Upload should work from within a browser, considering correct CORS headers are set, right?
-
MattJ
Correct
-
Tobias
https://pastebin.com/raw/DeG71TxK any clues why it would say "unknown slot"
-
Tobias
wrong room
-
lovetox
I'm reading XEP-0388
-
lovetox
> At any time while authentication is in progress, neither Client nor Server sends any element (including stanzas) or other data except the top-level elements defined herein. Clients MUST NOT send whitespace, and MUST send only <response/> elements as appropriate or an <abort/> element to immediately cause an error.
-
lovetox
why am I not allowed to send a whitespace?
-
moparisthebest
Unsure about this, I think I hate it https://delta.chat/en/2022-06-14-webxdcintro
-
Zash
> web definitely hate it
-
moparisthebest
I can't find info about how they are sandboxed, which makes me think they put no thought into that and assumed ancient vuln riddled Android bundled webview is enough, yikes
-
Guus
what is the intended behavior in pubsub, when a subscriber (subscribed with a bare JID) is online with more than one resource, when a new publication occurs?
-
Zash
Guus: event notification sent to the bare jid, receiving server does forking like with any other message?
-
Guus
Openfire might be doing 'any other message' wrong
-
MattJ
moparisthebest: time to bundle converse.js as a .xdc?
-
moparisthebest
MattJ: ooh ingenious, suddenly all 50 deltachat users are now XMPP users
-
MattJ
https://docs.webxdc.org/spec.html#messenger-implementation has some notes about sandboxing
-
moparisthebest
So... No internet access other than they can transmit unlimited messages? :thinking:
-
moparisthebest
Anyone get a chance to look at https://xmpp.org/extensions/inbox/xmpp-over-quic.html or https://xmpp.org/extensions/inbox/websocket-s2s.html yet ?
-
MattJ
Not yet
-
Zash
They looked short and I'm skeptical of keeping the framing that was added because browser clients supposedly can't parse streaming XML.
-
MattJ
Zash, even before websockets there were people arguing for framing. I'm not strongly one way or the other, but it certainly makes some things easier
-
MattJ
Quite a few things, in fact
-
moparisthebest
Not changing websocket at all makes it trivial to add support with approximately one if statement
-
moparisthebest
I would argue for XMPP 2.0 we should add explicit framing even for TLS/quic streams
-
moparisthebest
Not having it is the source of countless bugs and security issues
-
MattJ
We already have framing in XMPP over websocket
-
MattJ
Oh, I misread what you said, ignore me
-
Zash
I mean the XML fiddlery that makes xmpp-over-ws ≠ xmpp + ws
-
Zash
MattJ, weren't all our recent security and memory consumption issues _because_ of per-message XML parsing?
-
MattJ
:)
-
moparisthebest
Yea I don't like the changing namespace, I would love to keep it jabber:server actually
-
Zash
And I think I just dropped 25% of RSS by cutting down on similar stuff.
-
Zash
If anything I'd want a websocket subprotocol where you just send normal XMPP over websocket (with the websocket framing, but without the <open/> and whatnot)
-
moparisthebest
The prosody memory hog bug was due to lack of framing and so was the recent zoom ejabberd/gloox bug
-
moparisthebest
Zash: yes that would make way more sense imho
-
MattJ
But then web clients have to implement streaming parsers
-
Zash
No
-
Zash
Servers would need to support two methods
-
moparisthebest
They can just pretend the stream header is a standalone stanza
-
MattJ
Zash, I'm not a fan of yet more ways to do things
-
MattJ
More ways to do things -> more surface area to maintain and for bugs and security issues to hide in
-
Zash
Therefore ... s2s over websockets?
-
moparisthebest
We can save that for the upcoming replacement to websockets
-
Zash
s2s over tcp + s2s over tls isn't enough?
-
Zash
If it's meant to solve the problem that certain hosting providers are strictly http-only, isn't this _not_ going to solve that until 100% of servers implement it?
-
Zash
A problem IMO should be solved by not giving such providers any business whatsoever
-
moparisthebest
Gotta start somewhere I guess
-
MattJ
Yeah, I'm not really sure about s2s-over-ws
-
Zash
Fix your providers and firewalls!
-
moparisthebest
I've already seen a hundred questions in Snikket about why it can't run behind an http proxy
-
Zash
Working around those problems just moves us towards the future where only the web is allowed
-
Zash
I don't want to live in that future
-
moparisthebest
It's already here, we live in the bad place
-
MattJ
moparisthebest, and you want to replace them with "why can't I contact someone on <any other XMPP domain>?" :)
-
moparisthebest
I get the impression those people don't know federation exists anyway
-
Zash
Other wording of that is that you have the same deployment problem as DANE&DNSSEC
-
MattJ
We already have some of that simply due to requiring valid TLS certificates!
-
MattJ
Which you would think wouldn't be too much to ask in 2022
-
moparisthebest
I think the whole point is servers that already implement c2s websocket can turn this on easily
-
Zash
With s2s the hard part is usually the outgoing connections
-
Zash
At least it has been in Prosody every time, i.e. for IPv6 and direct TLS
-
Zash
and unless you mean your proxy, I imagine some refactoring would be needed for incoming too
-
moparisthebest
Fair... I just took all that away from prosody, xmpp-proxy does all the lookups and TLS
-
Zash
https://cerdale.zash.se/s/2en3dRC9dwgWwPKHZtZr_yhq/284d07c9-6d8a-4efc-a985-abbb037e5650.png
-
moparisthebest
Prosody just accepts plain TCP on localhost and makes plain TCP connections to a hardcoded localhost port for everything outgoing and that's it
-
moparisthebest
Just 1 ! :)
-
Zash
That's how it starts. Just ask the web people
-
flow
lovetox, good question why it's strictly forbidden, however there also doesn't seem to be much use of whitespace pings during SASL auth
-
flow
as there is always one entity that needs to send something at any point in time during auth
-
Zash
Doesn't that text exist about the existing SASL exchange?
-
Zash
Yeah, https://xmpp.org/rfcs/rfc6120.html#sasl-rules-data
-
Zash
I think Dave or someone said it's a leftover from when SASL also provided the security layer that these days is provided by TLS
-
moparisthebest
I bet a ton of things let you send whitespace