Peter Saint-Andre <[EMAIL PROTECTED]> wrote on 3-7-2003 18:27:22: > >This is a server bug. With what server did you test this? AFAIK, both >jabberd 1.4.* and the Jabber Inc. server do the right thing here. > >The correct behavior is as follows (I have added this text to my >working copy of draft-ietf-xmpp-im): > > A server MUST ignore any 'to' address on a roster "set", and > MUST treat any roster "set" as applying to the sender. For added > safety, a client SHOULD check the "from" address of a roster "push" > to ensure that it is from a trusted source; specifically, the stanza > should have no 'from' attribute (i.e., implicitly from the server) > or the JID contained in the 'from' attribute should match the user's > bare JID or full JID; otherwise, the client SHOULD ignore the roster > "push".
I assume it's clear in the document that this does not just apply to client connections but also S2S connections (and do the server named here implement this)? (it's hard to tell without the context of the document) It's still an odd requirment though. I could not, for example, write a component that maintains it's own seperate roster and query it for it. I know this hasn't been done so far, but espc. for components that have roster-like functionality but no presence (email addressbook?) it *could* be nice. But I guess considering the security issues it should be done differently. -- Tijl Houtbeckers Software Engineer @ Splendo The Netherlands _______________________________________________ jdev mailing list [EMAIL PROTECTED] http://mailman.jabber.org/listinfo/jdev
