adlnet / xAPI-Spec

The xAPI Specification describes communication about learner activity and experiences between technologies.
https://adlnet.gov/projects/xapi/

RFC-2397 URLs in Attachment Fields #1118

Open drcrallen opened 6 months ago

drcrallen commented 6 months ago

The following is an xAPI JSON blob that validates just fine in https://lrs.adlnet.gov/statementvalidator .

{
    "actor": {
        "account": {
            "homePage": "https://some.site.com",
            "name": "7565a82f-28cf-40f5-9c77-3385b66f2fe6"
        },
        "objectType": "Agent"
    },
    "attachments": [
        {
            "contentType": "text/plain;charset=utf-8",
            "description": {
                "en-US": "The dialog of the conversation"
            },
            "display": {
                "en-US": "Dialog"
            },
            "fileUrl": "data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/",
            "length": 108,
            "sha2": "3a93e01587188069c0ac766114159a1e2e4d669c1cf8739ebeae646b15f51a9d",
            "usageType": "http://id.tincanapi.com/attachment/supporting_media"
        }
    ],
    "authority": {
        "account": {
            "homePage": "https://some.site.com",
            "name": "evaluations@some.site.com"
        },
        "objectType": "Agent"
    },
    "context": {
        "registration": "7565a82f-28cf-40f5-9c77-3385b66f2fe6",
        "revision": "2023-12-13T02:05:35.025Z"
    },
    "id": "05b7935b-de5f-4ae5-9d6d-37441fea71a5",
    "object": {
        "definition": {
            "description": {
                "en-US": "Some kind of description with a kind of long text."
            },
            "extensions": {},
            "name": {
                "en-US": "Introduction"
            },
            "type": "http://adlnet.gov/expapi/activities/simulation"
        },
        "id": "https://some.site.com/workshops/5fafc6e9-a703-438c-bf7f-ccebd0d6a43f",
        "objectType": "Activity"
    },
    "result": {
        "completion": true,
        "duration": "PT18S",
        "score": {
            "scaled": 0.2
        }
    },
    "timestamp": "2023-12-14T04:01:14.315Z",
    "verb": {
        "display": {
            "en-US": "scored"
        },
        "id": "http://adlnet.gov/expapi/verbs/scored"
    },
    "version": "1.0.0"
}

This is specifically of note because you can put full documents in the IRL attachment field. The following JavaScript code will parse the field in a way that is expected, and makes it indistinguishable for most systems that blindly pass through the fileUrl value into a JavaScript fetch statement.

// JavaScript (browser console or Node 18+): fetch() resolves the data: URL like any other URL
const crazyUrl = "data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/";
fetch(crazyUrl).then((response) => response.blob()).then((blob) => blob.text()).then((value) => console.log(value));

# Python: uses a third-party datauri library to parse the RFC 2397 URL
import datauri
crazyUrl = "data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/"
d = datauri.parse(crazyUrl)
print(d.data.decode('utf-8'))

You can even run the above in your debugging tools. What I cannot really tell is if this actually violates the spec. "data" is a valid scheme and works transparently in JavaScript, and with some minor special handling in Python as long as the library is set up to parse the standard. Is it a violation of the spec to include an RFC-2397 compliant blob of data in the Attachment's fileUrl field?

If not that seems like a way to accidentally blow up storage expectations on servers recording the xapi entries.

thomasturrell commented 1 month ago

You raise an interesting point. The spec does not prevent an LRS from rejecting statements that it considers too large.

From the spec:

None of these requirements contradict the idea that the LRS is also allowed to be configurable to reject requests and respond or behave differently on the basis of conditions that are out of scope this specification.

It might be worth reading issue #1088 the response from @brianjmiller is particularly useful.