Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
981 lines (963 sloc) 48 KB
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>Privacy Lists</title>
<abstract>This specification defines an XMPP protocol extension for enabling or disabling communication with other entities on a network. The protocol, which was first standardized in Section 10 of RFC 3921, can be used to block communication with unknown or undesirable entities. Blocking can be based on Jabber Identifier, subscription state, or roster group. The blocked stanzas can be messages, IQs, inbound or outbound presence stanzas, or all stanzas. The protocol also enables an entity to create, modify, or delete its privacy lists, apply different lists to different connected resources, define a default list, and decline the use of any privacy list during a particular communications session.</abstract>
&LEGALNOTICE;
<number>0016</number>
<status>Deprecated</status>
<type>Standards Track</type>
<sig>Standards</sig>
<dependencies>
<spec>XMPP Core</spec>
</dependencies>
<supersedes/>
<supersededby>
<spec>XEP-0191</spec>
</supersededby>
<shortname>privacy</shortname>
<schemaloc>
<url>http://xmpp.org/schemas/privacy.xsd</url>
</schemaloc>
&pgmillard;
&stpeter;
<revision>
<version>1.7</version>
<date>2017-05-20</date>
<initials>XEP Editor: ssw</initials>
<remark><p>Deprecating by vote of the council.</p></remark>
</revision>
<revision>
<version>1.6</version>
<date>2007-02-15</date>
<initials>psa</initials>
<remark><p>Added two notes to maintain consistency with XEP-0191.</p></remark>
</revision>
<revision>
<version>1.5</version>
<date>2006-11-27</date>
<initials>psa</initials>
<remark><p>Modified message stanza handling (server should return &lt;service-unavailable/&gt; error) and added implementation note to maintain consistency with XEP-0191.</p></remark>
</revision>
<revision>
<version>1.4</version>
<date>2006-10-04</date>
<initials>psa</initials>
<remark><p>Copied Section 10 of RFC 3921.</p></remark>
</revision>
<revision>
<version>1.3</version>
<date>2004-07-26</date>
<initials>psa</initials>
<remark><p>Formally retracted this proposal in favor of XMPP IM.</p></remark>
</revision>
<revision>
<version>1.2</version>
<date>2003-03-12</date>
<initials>psa</initials>
<remark><p>Changed status to Deprecated since this protocol is now included in the XMPP IM Internet-Draft.</p></remark>
</revision>
<revision>
<version>1.1</version>
<date>2002-11-17</date>
<initials>pgm</initials>
<remark><p>Added remarks about default handling, and where list processing should take place.</p></remark>
</revision>
<revision>
<version>1.0</version>
<date>2002-10-22</date>
<initials>psa</initials>
<remark><p>Changed status to Draft.</p></remark>
</revision>
<revision>
<version>0.4</version>
<date>2002-10-03</date>
<initials>pgm</initials>
<remark><p>Elaborated on various JID possibilities.</p></remark>
</revision>
<revision>
<version>0.3</version>
<date>2002-07-31</date>
<initials>pgm</initials>
<remark><p>Added info describing current session issues</p></remark>
</revision>
<revision>
<version>0.2</version>
<date>2002-07-30</date>
<initials>pgm</initials>
<remark><p>Added whitelists, subscription filtering, and multiple list capabilities. Changed block to deny.</p></remark>
</revision>
<revision>
<version>0.1</version>
<date>2002-01-18</date>
<initials>pgm</initials>
<remark><p>Initial version.</p></remark>
</revision>
</header>
<section1 topic="Introduction">
<p>Almost all types of Instant Messaging (IM) applications have found it necessary to develop some method for a user to block the receipt of messages and packets from other users (the rationale for such blockage depends on the needs of the individual user). This document defines a flexible method for communications blocking.</p>
<p>Note: The protocol specified herein MAY be used in conjunction with &xep0191;; see <cite>XEP-0191</cite> for details.</p>
</section1>
<section1 topic="Protocol" anchor="protocol">
<p><em>This section has been copied without modification from Section 10 of &rfc3921;, with the exception of the message stanza handling rule in the <link url='#protocol-error'>Blocked Entity Attempts to Communicate with User</link> subsection.</em></p>
<p>Most instant messaging systems have found it necessary to implement some method for users to block communications from particular other users (this is also required by sections 5.1.5, 5.1.15, 5.3.2, and 5.4.10 of &rfc2779;. In XMPP this is done by managing one's privacy lists using the 'jabber:iq:privacy' namespace.</p>
<p>Server-side privacy lists enable successful completion of the following use cases:</p>
<ul>
<li>Retrieving one's privacy lists.</li>
<li>Adding, removing, and editing one's privacy lists.</li>
<li>Setting, changing, or declining active lists.</li>
<li>Setting, changing, or declining the default list (i.e., the list that is active by default).</li>
<li>Allowing or blocking messages based on JID, group, or subscription type (or globally).</li>
<li>Allowing or blocking inbound presence notifications based on JID, group, or subscription type (or globally).</li>
<li>Allowing or blocking outbound presence notifications based on JID, group, or subscription type (or globally).</li>
<li>Allowing or blocking IQ stanzas based on JID, group, or subscription type (or globally).</li>
<li>Allowing or blocking all communications based on JID, group, or subscription type (or globally).</li>
</ul>
<p>Note: Presence notifications do not include presence subscriptions, only presence information that is broadcasted to entities that are subscribed to a user's presence information. Thus this includes presence stanzas with no 'type' attribute or of type='unavailable' only.</p>
<section2 topic="Syntax and Semantics" anchor="protocol-syntax">
<p>A user MAY define one or more privacy lists, which are stored by the user's server. Each &lt;list/&gt; element contains one or more rules in the form of &lt;item/&gt; elements, and each &lt;item/&gt; element uses attributes to define a privacy rule type, a specific value to which the rule applies, the relevant action, and the place of the item in the processing order.</p>
<p>The syntax is as follows:</p>
<code><![CDATA[
<iq>
<query xmlns='jabber:iq:privacy'>
<list name='foo'>
<item
type='[jid|group|subscription]'
value='bar'
action='[allow|deny]'
order='unsignedInt'>
[<message/>]
[<presence-in/>]
[<presence-out/>]
[<iq/>]
</item>
</list>
</query>
</iq>
]]></code>
<p>If the type is "jid", then the 'value' attribute MUST contain a valid Jabber ID. JIDs SHOULD be matched in the following order:</p>
<ol>
<li>&lt;user@domain/resource&gt; (only that resource matches)</li>
<li>&lt;user@domain&gt; (any resource matches)</li>
<li>&lt;domain/resource&gt; (only that resource matches)</li>
<li>&lt;domain&gt; (the domain itself matches, as does any user@domain or domain/resource)</li>
</ol>
<p>If the type is "group", then the 'value' attribute SHOULD contain the name of a group in the user's roster. (If a client attempts to update, create, or delete a list item with a group that is not in the user's roster, the server SHOULD return to the client an &lt;item-not-found/&gt; stanza error.)</p>
<p>If the type is "subscription", then the 'value' attribute MUST be one of "both", "to", "from", or "none" as defined <cite>RFC 6121</cite>, where "none" includes entities that are totally unknown to the user and therefore not in the user's roster at all. These values are exact matches, so that "both" means a bidirectional subscription (not "from" or "to" only).</p>
<p>If no 'type' attribute is included, the rule provides the "fall-through" case.</p>
<p>The 'action' attribute MUST be included and its value MUST be either "allow" or "deny". <note>An implementation MUST NOT block communications from one of a user's resources to another, even if the user happens to define a rule that would otherwise result in that behavior.</note></p>
<p>The 'order' attribute MUST be included and its value MUST be a non-negative integer that is unique among all items in the list. (If a client attempts to create or update a list with non-unique order values, the server MUST return to the client a &lt;bad-request/&gt; stanza error.)</p>
<p>The &lt;item/&gt; element MAY contain one or more child elements that enable an entity to specify more granular control over which kinds of stanzas are to be blocked (i.e., rather than blocking all stanzas). The allowable child elements are:</p>
<ul>
<li>&lt;message/&gt; -- blocks incoming message stanzas</li>
<li>&lt;iq/&gt; -- blocks incoming IQ stanzas</li>
<li>&lt;presence-in/&gt; -- blocks incoming presence notifications</li>
<li>&lt;presence-out/&gt; -- blocks outgoing presence notifications <note>When a &lt;presence-out/&gt; element is included, the server might want to also block presence-like notifications, such as those which use &xep0163;.</note></li>
</ul>
<p>Within the 'jabber:iq:privacy' namespace, the &lt;query/&gt; child of an IQ stanza of type "set" MUST NOT include more than one child element (i.e., the stanza MUST contain only one &lt;active/&gt; element, one &lt;default/&gt; element, or one &lt;list/&gt; element); if a sending entity violates this rule, the receiving entity MUST return a &lt;bad-request/&gt; stanza error.</p>
<p>When a client adds or updates a privacy list, the &lt;list/&gt; element SHOULD contain at least one &lt;item/&gt; child element; when a client removes a privacy list, the &lt;list/&gt; element MUST NOT contain any &lt;item/&gt; child elements.</p>
<p>When a client updates a privacy list, it must include all of the desired items (i.e., not a "delta").</p>
</section2>
<section2 topic="Business Rules" anchor="protocol-rules">
<ol>
<li><p>If there is an active list set for a session, it affects only the session(s) for which it is activated, and only for the duration of the session(s); the server MUST apply the active list only and MUST NOT apply the default list (i.e., there is no "layering" of lists).</p></li>
<li><p>The default list applies to the user as a whole, and is processed if there is no active list set for the target session/resource to which a stanza is addressed, or if there are no current sessions for the user.</p></li>
<li><p>If there is no active list set for a session (or there are no current sessions for the user), and there is no default list, then all stanzas SHOULD BE accepted or appropriately processed by the server on behalf of the user in accordance with the server rules for handling XML stanzas defined in <cite>RFC 6121</cite>.</p></li>
<li><p>Privacy lists MUST be the first delivery rule applied by a server, superseding (1) the routing and delivery rules specified in server rules for handling XML stanzas defined in <cite>RFC 6121</cite> and (2) the handling of subscription-related presence stanzas (and corresponding generation of roster pushes) specified in <cite>RFC 6121</cite>.</p></li>
<li><p>The order in which privacy list items are processed by the server is important. List items MUST be processed in ascending order determined by the integer values of the 'order' attribute for each &lt;item/&gt;.</p></li>
<li><p>As soon as a stanza is matched against a privacy list rule, the server MUST appropriately handle the stanza in accordance with the rule and cease processing.</p></li>
<li><p>If no fall-through item is provided in a list, the fall-through action is assumed to be "allow".</p></li>
<li><p>If a user updates the definition for an active list, subsequent processing based on that active list MUST use the updated definition (for all resources to which that active list currently applies).</p></li>
<li><p>If a change to the subscription state or roster group of a roster item defined in an active or default list occurs during a user's session, subsequent processing based on that list MUST take into account the changed state or group (for all resources to which that list currently applies).</p></li>
<li><p>When the definition for a rule is modified, the server MUST send an IQ stanza of type "set" to all connected resources, containing a &lt;query/&gt; element with only one &lt;list/&gt; child element, where the 'name' attribute is set to the name of the modified privacy list. These "privacy list pushes" adhere to the same semantics as the "roster pushes" used in roster management, except that only the list name itself (not the full list definition or the "delta") is pushed to the connected resources. It is up to the receiving resource to determine whether to retrieve the modified list definition, although a connected resource SHOULD do so if the list currently applies to it.</p></li>
<li><p>When a resource attempts to remove a list or specify a new default list while that list applies to a connected resource other than the sending resource, the server MUST return a &lt;conflict/&gt; error to the sending resource and MUST NOT make the requested change.</p></li>
</ol>
</section2>
<section2 topic="Retrieving One's Privacy Lists" anchor="protocol-retrieve">
<example caption='Client requests names of privacy lists from server'><![CDATA[
<iq from='romeo@example.net/orchard' type='get' id='getlist1'>
<query xmlns='jabber:iq:privacy'/>
</iq>
]]></example>
<example caption='Server sends names of privacy lists to client, preceded by active list and default list'><![CDATA[
<iq type='result' id='getlist1' to='romeo@example.net/orchard'>
<query xmlns='jabber:iq:privacy'>
<active name='private'/>
<default name='public'/>
<list name='public'/>
<list name='private'/>
<list name='special'/>
</query>
</iq>
]]></example>
<example caption='Client requests a privacy list from server'><![CDATA[
<iq from='romeo@example.net/orchard' type='get' id='getlist2'>
<query xmlns='jabber:iq:privacy'>
<list name='public'/>
</query>
</iq>
]]></example>
<example caption='Server sends a privacy list to client'><![CDATA[
<iq type='result' id='getlist2' to='romeo@example.net/orchard'>
<query xmlns='jabber:iq:privacy'>
<list name='public'>
<item type='jid'
value='tybalt@example.com'
action='deny'
order='1'/>
<item action='allow' order='2'/>
</list>
</query>
</iq>
]]></example>
<example caption='Client requests another privacy list from server'><![CDATA[
<iq from='romeo@example.net/orchard' type='get' id='getlist3'>
<query xmlns='jabber:iq:privacy'>
<list name='private'/>
</query>
</iq>
]]></example>
<example caption='Server sends another privacy list to client'><![CDATA[
<iq type='result' id='getlist3' to='romeo@example.net/orchard'>
<query xmlns='jabber:iq:privacy'>
<list name='private'>
<item type='subscription'
value='both'
action='allow'
order='10'/>
<item action='deny' order='15'/>
</list>
</query>
</iq>
]]></example>
<example caption='Client requests yet another privacy list from server'><![CDATA[
<iq from='romeo@example.net/orchard' type='get' id='getlist4'>
<query xmlns='jabber:iq:privacy'>
<list name='special'/>
</query>
</iq>
]]></example>
<example caption='Server sends yet another privacy list to client'><![CDATA[
<iq type='result' id='getlist4' to='romeo@example.net/orchard'>
<query xmlns='jabber:iq:privacy'>
<list name='special'>
<item type='jid'
value='juliet@example.com'
action='allow'
order='6'/>
<item type='jid'
value='benvolio@example.org'
action='allow'
order='7'/>
<item type='jid'
value='mercutio@example.org'
action='allow'
order='42'/>
<item action='deny' order='666'/>
</list>
</query>
</iq>
]]></example>
<p>In this example, the user has three lists: (1) 'public', which allows communications from everyone except one specific entity (this is the default list); (2) 'private', which allows communications only with contacts who have a bidirectional subscription with the user (this is the active list); and (3) 'special', which allows communications only with three specific entities.</p>
<p>If the user attempts to retrieve a list but a list by that name does not exist, the server MUST return an &lt;item-not-found/&gt; stanza error to the user:</p>
<example caption='Client attempts to retrieve non-existent list'><![CDATA[
<iq to='romeo@example.net/orchard' type='error' id='getlist5'>
<query xmlns='jabber:iq:privacy'>
<list name='The Empty Set'/>
</query>
<error type='cancel'>
<item-not-found
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
<p>The user is allowed to retrieve only one list at a time. If the user attempts to retrieve more than one list in the same request, the server MUST return a &lt;bad request/&gt; stanza error to the user:</p>
<example caption='Client attempts to retrieve more than one list'><![CDATA[
<iq to='romeo@example.net/orchard' type='error' id='getlist6'>
<query xmlns='jabber:iq:privacy'>
<list name='public'/>
<list name='private'/>
<list name='special'/>
</query>
<error type='modify'>
<bad-request
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
</section2>
<section2 topic="Managing Active Lists" anchor="protocol-active">
<p>In order to set or change the active list currently being applied by the server, the user MUST send an IQ stanza of type "set" with a &lt;query/&gt; element qualified by the 'jabber:iq:privacy' namespace that contains an empty &lt;active/&gt; child element possessing a 'name' attribute whose value is set to the desired list name.</p>
<example caption='Client requests change of active list'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='active1'>
<query xmlns='jabber:iq:privacy'>
<active name='special'/>
</query>
</iq>
]]></example>
<p>The server MUST activate and apply the requested list before sending the result back to the client.</p>
<example caption='Server acknowledges success of active list change'><![CDATA[
<iq type='result' id='active1' to='romeo@example.net/orchard'/>
]]></example>
<p>If the user attempts to set an active list but a list by that name does not exist, the server MUST return an &lt;item-not-found/&gt; stanza error to the user:</p>
<example caption='Client attempts to set a non-existent list as active'><![CDATA[
<iq to='romeo@example.net/orchard' type='error' id='active2'>
<query xmlns='jabber:iq:privacy'>
<active name='The Empty Set'/>
</query>
<error type='cancel'>
<item-not-found
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
<p>In order to decline the use of any active list, the connected resource MUST send an empty &lt;active/&gt; element with no 'name' attribute.</p>
<example caption='Client declines the use of active lists'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='active3'>
<query xmlns='jabber:iq:privacy'>
<active/>
</query>
</iq>
]]></example>
<example caption='Server acknowledges success of declining any active list'><![CDATA[
<iq type='result' id='active3' to='romeo@example.net/orchard'/>
]]></example>
</section2>
<section2 topic="Managing the Default List" anchor="protocol-default">
<p>In order to change its default list (which applies to the user as a whole, not only the sending resource), the user MUST send an IQ stanza of type "set" with a &lt;query/&gt; element qualified by the 'jabber:iq:privacy' namespace that contains an empty &lt;default/&gt; child element possessing a 'name' attribute whose value is set to the desired list name.</p>
<example caption='User requests change of default list'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='default1'>
<query xmlns='jabber:iq:privacy'>
<default name='special'/>
</query>
</iq>
]]></example>
<example caption='Server acknowledges success of default list change'><![CDATA[
<iq type='result' id='default1' to='romeo@example.net/orchard'/>
]]></example>
<p>If the user attempts to change which list is the default list but the default list is in use by at least one connected resource other than the sending resource, the server MUST return a &lt;conflict/&gt; stanza error to the sending resource:</p>
<example caption='Client attempts to change the default list but that list is in use by another resource'><![CDATA[
<iq to='romeo@example.net/orchard' type='error' id='default1'>
<query xmlns='jabber:iq:privacy'>
<default name='special'/>
</query>
<error type='cancel'>
<conflict
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
<p>If the user attempts to set a default list but a list by that name does not exist, the server MUST return an &lt;item-not-found/&gt; stanza error to the user:</p>
<example caption='Client attempts to set a non-existent list as default'><![CDATA[
<iq to='romeo@example.net/orchard' type='error' id='default1'>
<query xmlns='jabber:iq:privacy'>
<default name='The Empty Set'/>
</query>
<error type='cancel'>
<item-not-found
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
<p>In order to decline the use of a default list (i.e., to use the domain's stanza routing rules at all times), the user MUST send an empty &lt;default/&gt; element with no 'name' attribute.</p>
<example caption='Client declines the use of the default list'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='default2'>
<query xmlns='jabber:iq:privacy'>
<default/>
</query>
</iq>
]]></example>
<example caption='Server acknowledges success of declining any default list'><![CDATA[
<iq type='result' id='default2' to='romeo@example.net/orchard'/>
]]></example>
<p>If one connected resource attempts to decline the use of a default list for the user as a whole but the default list currently applies to at least one other connected resource, the server MUST return a &lt;conflict/&gt; error to the sending resource:</p>
<example caption='Client attempts to decline a default list but that list is in use by another resource'><![CDATA[
<iq to='romeo@example.net/orchard' type='error' id='default3'>
<query xmlns='jabber:iq:privacy'>
<default/>
</query>
<error type='cancel'>
<conflict
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
</section2>
<section2 topic="Editing a Privacy List" anchor="protocol-edit">
<p>In order to edit a privacy list, the user MUST send an IQ stanza of type "set" with a &lt;query/&gt; element qualified by the 'jabber:iq:privacy' namespace that contains one &lt;list/&gt; child element possessing a 'name' attribute whose value is set to the list name the user would like to edit. The &lt;list/&gt; element MUST contain one or more &lt;item/&gt; elements, which specify the user's desired changes to the list by including all elements in the list (not the "delta").</p>
<example caption='Client edits a privacy list'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='edit1'>
<query xmlns='jabber:iq:privacy'>
<list name='public'>
<item type='jid'
value='tybalt@example.com'
action='deny'
order='3'/>
<item type='jid'
value='paris@example.org'
action='deny'
order='5'/>
<item action='allow' order='68'/>
</list>
</query>
</iq>
]]></example>
<example caption='Server acknowledges success of list edit'><![CDATA[
<iq type='result' id='edit1' to='romeo@example.net/orchard'/>
]]></example>
<p>Note: The value of the 'order' attribute for any given item is not fixed. Thus in the foregoing example if the user would like to add 4 items between the "tybalt@example.com" item and the "paris@example.org" item, the user's client MUST renumber the relevant items before submitting the list to the server.</p>
<p>The server MUST now send a "privacy list push" to all connected resources:</p>
<example caption='Privacy list push on list edit'><![CDATA[
<iq to='romeo@example.net/orchard' type='set' id='push1'>
<query xmlns='jabber:iq:privacy'>
<list name='public'/>
</query>
</iq>
<iq to='romeo@example.net/home' type='set' id='push2'>
<query xmlns='jabber:iq:privacy'>
<list name='public'/>
</query>
</iq>
]]></example>
<p>In accordance with the semantics of IQ stanzas defined in &xmppcore;, each connected resource MUST return an IQ result to the server as well:</p>
<example caption='Acknowledging receipt of privacy list pushes'><![CDATA[
<iq from='romeo@example.net/orchard'
type='result'
id='push1'/>
<iq from='romeo@example.net/home'
type='result'
id='push2'/>
]]></example>
</section2>
<section2 topic="Adding a New Privacy List" anchor="protocol-add">
<p>The same protocol used to edit an existing list is used to create a new list. If the list name matches that of an existing list, the request to add a new list will overwrite the old one. As with list edits, the server MUST also send a "privacy list push" to all connected resources.</p>
</section2>
<section2 topic="Removing a Privacy List" anchor="protocol-remove">
<p>In order to remove a privacy list, the user MUST send an IQ stanza of type "set" with a &lt;query/&gt; element qualified by the 'jabber:iq:privacy' namespace that contains one empty &lt;list/&gt; child element possessing a 'name' attribute whose value is set to the list name the user would like to remove.</p>
<example caption='Client removes a privacy list'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='remove1'>
<query xmlns='jabber:iq:privacy'>
<list name='private'/>
</query>
</iq>
]]></example>
<example caption='Server acknowledges success of list removal'><![CDATA[
<iq type='result' id='remove1' to='romeo@example.net/orchard'/>
]]></example>
<p>If a user attempts to remove a list that is currently being applied to at least one resource other than the sending resource, the server MUST return a &lt;conflict/&gt; stanza error to the user; i.e., the user MUST first set another list to active or default before attempting to remove it. If the user attempts to remove a list but a list by that name does not exist, the server MUST return an &lt;item-not-found/&gt; stanza error to the user. If the user attempts to remove more than one list in the same request, the server MUST return a &lt;bad request/&gt; stanza error to the user.</p>
</section2>
<section2 topic="Blocking Messages" anchor="protocol-message">
<p>Server-side privacy lists enable a user to block incoming messages from other entities based on the entity's JID, roster group, or subscription status (or globally). The following examples illustrate the protocol. (Note: For the sake of brevity, IQ stanzas of type "result" are not shown in the following examples, nor are "privacy list pushes".)</p>
<example caption='User blocks based on JID'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='msg1'>
<query xmlns='jabber:iq:privacy'>
<list name='message-jid-example'>
<item type='jid'
value='tybalt@example.com'
action='deny'
order='3'>
<message/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive messages from the entity with the specified JID.</p>
<example caption='User blocks based on roster group'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='msg2'>
<query xmlns='jabber:iq:privacy'>
<list name='message-group-example'>
<item type='group'
value='Enemies'
action='deny'
order='4'>
<message/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive messages from any entities in the specified roster group.</p>
<example caption='User blocks based on subscription type'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='msg3'>
<query xmlns='jabber:iq:privacy'>
<list name='message-sub-example'>
<item type='subscription'
value='none'
action='deny'
order='5'>
<message/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive messages from any entities with the specified subscription type.</p>
<example caption='User blocks globally'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='msg4'>
<query xmlns='jabber:iq:privacy'>
<list name='message-global-example'>
<item action='deny' order='6'>
<message/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive messages from any other users.</p>
</section2>
<section2 topic="Blocking Inbound Presence Notifications" anchor="protocol-presencein">
<p>Server-side privacy lists enable a user to block incoming presence notifications from other entities based on the entity's JID, roster group, or subscription status (or globally). The following examples illustrate the protocol.</p>
<p>Note: Presence notifications do not include presence subscriptions, only presence information that is broadcasted to the user because the user is currently subscribed to a contact's presence information. Thus this includes presence stanzas with no 'type' attribute or of type='unavailable' only.</p>
<example caption='User blocks based on JID'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presin1'>
<query xmlns='jabber:iq:privacy'>
<list name='presin-jid-example'>
<item type='jid'
value='tybalt@example.com'
action='deny'
order='7'>
<presence-in/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive presence notifications from the entity with the specified JID.</p>
<example caption='User blocks based on roster group'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presin2'>
<query xmlns='jabber:iq:privacy'>
<list name='presin-group-example'>
<item type='group'
value='Enemies'
action='deny'
order='8'>
<presence-in/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive presence notifications from any entities in the specified roster group.</p>
<example caption='User blocks based on subscription type'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presin3'>
<query xmlns='jabber:iq:privacy'>
<list name='presin-sub-example'>
<item type='subscription'
value='to'
action='deny'
order='9'>
<presence-in/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive presence notifications from any entities with the specified subscription type.</p>
<example caption='User blocks globally'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presin4'>
<query xmlns='jabber:iq:privacy'>
<list name='presin-global-example'>
<item action='deny' order='11'>
<presence-in/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive presence notifications from any other users.</p>
<p>Note: If a client blocks incoming presence notifications from an entity that has been available before, the user's server SHOULD send unavailable presence to the user on behalf of that contact.</p>
</section2>
<section2 topic="Blocking Outbound Presence Notifications" anchor="protocol-presenceout">
<p>Server-side privacy lists enable a user to block outgoing presence notifications to other entities based on the entity's JID, roster group, or subscription status (or globally). The following examples illustrate the protocol.</p>
<p>Note: Presence notifications do not include presence subscriptions, only presence information that is broadcasted to contacts because those contacts are currently subscribed to the user's presence information. Thus this includes presence stanzas with no 'type' attribute or of type='unavailable' only.</p>
<example caption='User blocks based on JID'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presout1'>
<query xmlns='jabber:iq:privacy'>
<list name='presout-jid-example'>
<item type='jid'
value='tybalt@example.com'
action='deny'
order='13'>
<presence-out/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not send presence notifications to the entity with the specified JID.</p>
<example caption='User blocks based on roster group'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presout2'>
<query xmlns='jabber:iq:privacy'>
<list name='presout-group-example'>
<item type='group'
value='Enemies'
action='deny'
order='15'>
<presence-out/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not send presence notifications to any entities in the specified roster group.</p>
<example caption='User blocks based on subscription type'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presout3'>
<query xmlns='jabber:iq:privacy'>
<list name='presout-sub-example'>
<item type='subscription'
value='from'
action='deny'
order='17'>
<presence-out/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not send presence notifications to any entities with the specified subscription type.</p>
<example caption='User blocks globally'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='presout4'>
<query xmlns='jabber:iq:privacy'>
<list name='presout-global-example'>
<item action='deny' order='23'>
<presence-out/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not send presence notifications to any other users.</p>
<p>Note: When a user blocks outbound presence to a contact, the user's server MUST send unavailable presence information to the contact (but only if the contact is allowed to receive presence notifications from the user in accordance with the rules defined in <cite>RFC 6121</cite>).</p>
</section2>
<section2 topic="Blocking IQ Stanzas" anchor="protocol-iq">
<p>Server-side privacy lists enable a user to block incoming IQ stanzas from other entities based on the entity's JID, roster group, or subscription status (or globally). The following examples illustrate the protocol.</p>
<example caption='User blocks based on JID'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='iq1'>
<query xmlns='jabber:iq:privacy'>
<list name='iq-jid-example'>
<item type='jid'
value='tybalt@example.com'
action='deny'
order='29'>
<iq/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive IQ stanzas from the entity with the specified JID.</p>
<example caption='User blocks based on roster group'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='iq2'>
<query xmlns='jabber:iq:privacy'>
<list name='iq-group-example'>
<item type='group'
value='Enemies'
action='deny'
order='31'>
<iq/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive IQ stanzas from any entities in the specified roster group.</p>
<example caption='User blocks based on subscription type'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='iq3'>
<query xmlns='jabber:iq:privacy'>
<list name='iq-sub-example'>
<item type='subscription'
value='none'
action='deny'
order='17'>
<iq/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive IQ stanzas from any entities with the specified subscription type.</p>
<example caption='User blocks globally'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='iq4'>
<query xmlns='jabber:iq:privacy'>
<list name='iq-global-example'>
<item action='deny' order='1'>
<iq/>
</item>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive IQ stanzas from any other users.</p>
</section2>
<section2 topic="Blocking All Communication" anchor="protocol-all">
<p>Server-side privacy lists enable a user to block all stanzas from and to other entities based on the entity's JID, roster group, or subscription status (or globally). Note that this includes subscription-related presence stanzas, which are excluded by <link url="#protocol-presencein">Blocking Inbound Presence Notifications</link>. The following examples illustrate the protocol.</p>
<example caption='User blocks based on JID'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='all1'>
<query xmlns='jabber:iq:privacy'>
<list name='all-jid-example'>
<item type='jid'
value='tybalt@example.com'
action='deny'
order='23'/>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive any communications from, nor send any stanzas to, the entity with the specified JID.</p>
<example caption='User blocks based on roster group'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='all2'>
<query xmlns='jabber:iq:privacy'>
<list name='all-group-example'>
<item type='group'
value='Enemies'
action='deny'
order='13'/>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive any communications from, nor send any stanzas to, any entities in the specified roster group.</p>
<example caption='User blocks based on subscription type'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='all3'>
<query xmlns='jabber:iq:privacy'>
<list name='all-sub-example'>
<item type='subscription'
value='none'
action='deny'
order='11'/>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive any communications from, nor send any stanzas to, any entities with the specified subscription type.</p>
<example caption='User blocks globally'><![CDATA[
<iq from='romeo@example.net/orchard' type='set' id='all4'>
<query xmlns='jabber:iq:privacy'>
<list name='all-global-example'>
<item action='deny' order='7'/>
</list>
</query>
</iq>
]]></example>
<p>As a result of creating and applying the foregoing list, the user will not receive any communications from, nor send any stanzas to, any other users.</p>
</section2>
<section2 topic="Blocked Entity Attempts to Communicate with User" anchor="protocol-error">
<p>If a blocked entity attempts to send a stanza to the user (i.e., an inbound stanza from the user's perspective), the user's server shall handle the stanza according to the following rules:</p>
<ul>
<li>For presence stanzas (including notifications, subscriptions, and probes), the server MUST NOT respond and MUST NOT return an error.</li>
<li>For message stanzas, the server SHOULD return an error, which SHOULD be &unavailable;. <note>Until version 1.5 of this document (therefore also in <cite>RFC 6121</cite>), it was recommended to silently ignore message stanzas, which unfortunately resulted in a delivery "black hole" regarding message stanzas.</note></li>
<li>For IQ stanzas of type "get" or "set", the server MUST return an error, which SHOULD be &unavailable;. IQ stanzas of other types MUST be silently dropped by the server.</li>
</ul>
<p>If the foregoing suggestions are followed, the user will appear offline to the contact.</p>
<example caption='Blocked entity attempts to send IQ get'><![CDATA[
<iq type='get'
to='romeo@example.net'
from='tybalt@example.com/pda'
id='probing1'>
<query xmlns='jabber:iq:version'/>
</iq>
]]></example>
<example caption='Server returns error to blocked entity'><![CDATA[
<iq type='error'
from='romeo@example.net'
to='tybalt@example.com/pda'
id='probing1'>
<query xmlns='jabber:iq:version'/>
<error type='cancel'>
<service-unavailable
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</iq>
]]></example>
<p>If the user attempts to send an outbound stanza to a contact and that stanza type is blocked, the user's server MUST NOT route the stanza to the contact but instead MUST return a &notacceptable; error:</p>
<example caption='Error: contact is blocked'><![CDATA[
<message type='error' from='romeo@montague.net' to='juliet@capulet.com'>
<body>Can you hear me now?</body>
<error type='cancel'>
<not-acceptable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
</error>
</message>
]]></example>
</section2>
<section2 topic="Higher-Level Heuristics" anchor="protocol-heuristics">
<p>When building a representation of a higher-level privacy heuristic, a client SHOULD use the simplest possible representation.</p>
<p>For example, the heuristic "block all communications with any user not in my roster" could be constructed in any of the following ways:</p>
<ul>
<li>allow communications from all JIDs in my roster (i.e., listing each JID as a separate list item), but block communications with everyone else</li>
<li>allow communications from any user who is in one of the groups that make up my roster (i.e., listing each group as a separate list item), but block communications from everyone else</li>
<li>allow communications from any user with whom I have a subscription of 'both' or 'to' or 'from' (i.e., listing each subscription value separately), but block communications from everyone else</li>
<li>block communications from anyone whose subscription state is 'none'</li>
</ul>
<p>The final representation is the simplest and SHOULD be used; here is the XML that would be sent in this case:</p>
<code><![CDATA[
<iq type='set' id='heuristic1'>
<query xmlns='jabber:iq:privacy'>
<list name='heuristic-example'>
<item type='subscription'
value='none'
action='deny'
order='437'/>
</list>
</query>
</iq>
]]></code>
</section2>
</section1>
<section1 topic='Discovering Support' anchor='disco'>
<p>If an entity supports the privacy lists protocol, it MUST report that fact by including a service discovery feature of "jabber:iq:privacy" &NSNOTE; in response to a &xep0030; information request:</p>
<example caption="Service Discovery information request"><![CDATA[
<iq from='juliet@example.com/chamber'
id='disco1'
to='example.com'
type='get'>
<query xmlns='http://jabber.org/protocol/disco#info'/>
</iq>
]]></example>
<example caption="Service Discovery information response"><![CDATA[
<iq from='example.com'
id='disco1'
to='juliet@example.com/chamber'
type='result'>
<query xmlns='http://jabber.org/protocol/disco#info'>
...
<feature var='jabber:iq:privacy'/>
...
</query>
</iq>
]]></example>
</section1>
<section1 topic='Implementation Notes' anchor='impl'>
<p>When a server receives a block command from a user, it MAY cancel any existing presence subscriptions between the user and the blocked user and MAY send a message to the blocked user; however, it is RECOMMENDED to deploy so-called "polite blocking" instead (i.e., to not cancel the presence subscriptions or send a notification). Which approach to follow is a matter of local service policy.</p>
<p>A service MAY also filter blocking users out of searches performed on user directories (see, for example, &xep0055;); however, that functionality is out of scope for this specification.</p>
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>If properly implemented, this protocol extension does not introduce any new security concerns above and beyond those defined in <cite>RFC 6120</cite> and <cite>RFC 6121</cite>.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>No interaction with &IANA; is required as a result of this specification.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<section2 topic='Protocol Namespaces' anchor='registrar-ns'>
<p>The &REGISTRAR; already includes 'jabber:iq:privacy' in its registry of protocol namespaces (see &NAMESPACES;).</p>
</section2>
</section1>
<section1 topic="XML Schema" anchor="schema">
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='jabber:iq:privacy'
xmlns='jabber:iq:privacy'
elementFormDefault='qualified'>
<xs:annotation>
<xs:documentation>
The protocol documented by this schema is defined in
XEP-0016: http://www.xmpp.org/extensions/xep-0016.html
</xs:documentation>
</xs:annotation>
<xs:element name='query'>
<xs:complexType>
<xs:sequence>
<xs:element ref='active'
minOccurs='0'/>
<xs:element ref='default'
minOccurs='0'/>
<xs:element ref='list'
minOccurs='0'
maxOccurs='unbounded'/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name='active'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:NMTOKEN'>
<xs:attribute name='name'
type='xs:string'
use='optional'/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name='default'>
<xs:complexType>
<xs:simpleContent>
<xs:extension base='xs:NMTOKEN'>
<xs:attribute name='name'
type='xs:string'
use='optional'/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name='list'>
<xs:complexType>
<xs:sequence>
<xs:element ref='item'
minOccurs='0'
maxOccurs='unbounded'/>
</xs:sequence>
<xs:attribute name='name'
type='xs:string'
use='required'/>
</xs:complexType>
</xs:element>
<xs:element name='item'>
<xs:complexType>
<xs:sequence>
<xs:element name='iq'
minOccurs='0'
type='empty'/>
<xs:element name='message'
minOccurs='0'
type='empty'/>
<xs:element name='presence-in'
minOccurs='0'
type='empty'/>
<xs:element name='presence-out'
minOccurs='0'
type='empty'/>
</xs:sequence>
<xs:attribute name='action' use='required'>
<xs:simpleType>
<xs:restriction base='xs:NCName'>
<xs:enumeration value='allow'/>
<xs:enumeration value='deny'/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name='order'
type='xs:unsignedInt'
use='required'/>
<xs:attribute name='type' use='optional'>
<xs:simpleType>
<xs:restriction base='xs:NCName'>
<xs:enumeration value='group'/>
<xs:enumeration value='jid'/>
<xs:enumeration value='subscription'/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name='value'
type='xs:string'
use='optional'/>
</xs:complexType>
</xs:element>
<xs:simpleType name='empty'>
<xs:restriction base='xs:string'>
<xs:enumeration value=''/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
]]></code>
</section1>
<section1 topic='Author Note' anchor='authornote'>
<p>Peter Millard, the author of this specification from version 0.1 through version 0.3, died on April 26, 2006.</p>
</section1>
</xep>