They're coming from the user's bare JID via XEP-0356 Privileged Entity. Sorry, I forgot to mention that.

<message from='skype.com' to='xmpp.org'>
  <privilege ...>
    <forwarded>
      <message from=exam...@xmpp.org to=exam...@xmpp.org/resource>
        <sent>
          <forwarded>
            <message to=exam...@skype.com>

The server unwraps the privilege wrapper per XEP-0356 and routes the message as if it were a sender.

On 30.01.2018 11:13, Georg Lukas wrote:
> * Владимир <m...@boku.ru> [2018-01-30 08:49]:
>> A transport wants to inform a xmpp user (say, exam...@xmpp.org) of a message
>> sent by the associated legacy network account (say, exam...@skype.com) from
>> a different legacy client (e.g. Skype for PC).
>>
>> Looks like this is a job for XEP-0280 carbons, right? But since XMPP server
>> had never seen the original message, the carbons have to be sent by the
>> transport manually.
> XEP-0280 was not designed with this in mind. As it is, there are some
> interesting security challenges, because Carbons are expected to come
> from the user's bare JID, and the client needs to trust this (otherwise,
> user impersonation like in CVE-2017-5589+ will happen again).
>
> The XEP is very explicit in disallowing what you want:
>
> | Any forwarded copies received by a Carbons-enabled client MUST be from
> | that user's bare JID
>
> You have an interesting use case, and I think the right way forward
> would be to extend / add a component XEP where components are allowed to
> emit sent-Carbons on behalf of the user. These Carbons need to have
> special processing on the server then, to ensure security and because
> the component doesn't know which clients are Carbon-enabled.
>
> My proposal would be as follows:
>
> 0. The server and component advertise component-carbons to each other
> 1. The user allows message impersonation (either explicitly or implied
>    by 0321 permission)
> 2. The component sends a sent-Carbon to the *bare* JID of the user, for
>    each legacy client message
> 3a. The server stores those sent-Carbons as sent messages in MAM
> 3b. The server delivers those sent-Carbons as first-class sent-Carbons
>     to all Carbons-enabled clients
>
>
> Georg
>
>
> _______________________________________________
> Standards mailing list
> Info: https://mail.jabber.org/mailman/listinfo/standards
> Unsubscribe: standards-unsubscr...@xmpp.org
> _______________________________________________
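
The client-side rule quoted from XEP-0280 in this thread (forwarded copies must come from the user's bare JID), as an added example that is not part of the original messages or of any XMPP library. The function names, the example.org JIDs and the sample stanzas are constructed for illustration, and the JID comparison is simplified.

```python
import xml.etree.ElementTree as ET

CLIENT_NS = "jabber:client"
CARBONS_NS = "urn:xmpp:carbons:2"   # XEP-0280
FORWARD_NS = "urn:xmpp:forward:0"   # XEP-0297


def bare_jid(jid):
    # Simplified: drops the resource and lowercases. A real client uses the
    # full JID normalisation provided by its XMPP library.
    return jid.split("/", 1)[0].lower()


def accept_carbon(stanza_xml, own_jid):
    """Return (direction, forwarded message) for a trusted carbon, else None."""
    outer = ET.fromstring(stanza_xml)  # a real client parses from its stream
    if outer.tag != f"{{{CLIENT_NS}}}message":
        return None
    for direction in ("sent", "received"):
        wrapper = outer.find(f"{{{CARBONS_NS}}}{direction}")
        if wrapper is not None:
            break
    else:
        return None  # not a carbon at all
    # The XEP-0280 check: the OUTER 'from' must be exactly our own bare JID.
    # The inner message's 'from' is never used for this decision.
    sender = outer.get("from", "")
    if "/" in sender or sender.lower() != bare_jid(own_jid):
        return None
    inner = wrapper.find(f"{{{FORWARD_NS}}}forwarded/{{{CLIENT_NS}}}message")
    if inner is None:
        return None
    return direction, inner


def _sample(outer_from):
    # Constructed sent-carbon; only the outer 'from' varies between samples.
    return (
        f"<message xmlns='jabber:client' from='{outer_from}' to='user@example.org/phone'>"
        "<sent xmlns='urn:xmpp:carbons:2'><forwarded xmlns='urn:xmpp:forward:0'>"
        "<message xmlns='jabber:client' from='user@example.org/desktop' "
        "to='friend@legacy.example.net'><body>hi</body></message>"
        "</forwarded></sent></message>")


GENUINE = _sample("user@example.org")           # re-emitted by the user's server
FROM_COMPONENT = _sample("legacy.example.net")  # sent directly by a transport
```

A carbon that a transport addresses to the client directly fails this check, which is why the thread routes it through the user's server (via XEP-0356 or the proposed component-carbons step) so that it arrives from the bare JID.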