XSF Discussion - 2022-06-28

  1. Kev

    How are people typically sharing 363 URLs - SIMS(385)?

  2. jonas’

    OOB.

  3. jonas’

    XEP-0066, OOB.

  4. Kev

    OOB is iq-only, and doesn't include useful information like file size, does it?

  5. Kev

    Maybe I should go check.

  6. jonas’

    it is not iq-only

  7. Kev

    Ah, fab.

  8. jonas’

    see https://xmpp.org/extensions/xep-0066.html#x-oob

  9. jonas’

    it does not include useful information like file size, but it works and is widely deployed, which is all what counts I suppose

  10. Kev

    Still misses all the contenttype/size etc. info though :/

  11. jonas’

    (note the sarcasm)

  12. Kev

    Yeah, I specifically need filesize to be communicated.

  13. jonas’

    please push SIMS forward.

  14. wurstsalat

    or XEP-0447 ?

  15. Kev

    How are people managing fallback with OOB?

  16. Ge0rG

    Kev: let me tell you about HTTP HEAD

  17. jonas’

    Kev, fallback?

  18. Ge0rG

    Kev: some implementations require the oob url to be equal to the message body, others require it to be contained within the body

  19. jonas’

    OOB is only accepted by deployed clients if body == OOB-URL, otherwise it's ignored.

  20. Kev

    Ge0rG: I want to be avoiding any HTTP requests at all if the file is too large to download at the moment. I'm not thinking about Internet use, predictably.

  21. jonas’

    ah, so subset is ok too, apparently.

  22. Ge0rG

    jonas’: implementation-defined

  23. Ge0rG

    I'm not aware of anyone using iq-0066

  24. Ge0rG

    Kev: understandably

  25. Kev

    Ok, ta.

  26. moparisthebest

    Kev, just watch out, it's not like you can trust the size https://www.moparisthebest.com/httppppppppppp-upload/

  27. Kev

    I'm thinking about slightly special cases :)

  28. Kev

    (Although it's true the code should also work on the hostile Internet)

  29. Tobias

    has anyone seen HTTP File Upload components require the use of Cookie headers?

  30. Zash

    No but Prosody uses the Authorization header, which triggered implementation of header support in some clients that were missing it.

  31. Kev

    The question about Cookie's is particularly interesting, because Browsers might be Not Happy about setting cookies for particular cross-site requests.

  32. Kev

    The question about Cookies is particularly interesting, because Browsers might be Not Happy about setting cookies for particular cross-site requests.

  33. Kev

    Whereas the auth header shouldn't pose any great problem.

  34. Zash

    I seem to remember the Auth header being special wrt CORS and in certain APIs

  35. MattJ

    Yes, those rules already apply to Authorization as well as Cookie

  36. MattJ

    and in general, not a problem as long as the service supports CORS correctly (i.e. allowing With-Credentials)

  37. Kev

    Authorization's just a case of having the CORS headers, AFAICS. I've been told today by webbish folks that cookies are much harder.

  38. Tobias

    According to https://xhr.spec.whatwg.org/#the-setrequestheader()-method you can't set Cookie as it's a forbidden name

  39. Tobias

    or do you have to go via withCredentials then?

  40. Kev

    withCredentials doesn't allow you to inject cookies, AFAK.

  41. Kev

    withCredentials doesn't allow you to inject cookies, AFAIK.