7. Security Considerations
Several of the new properties or parameters defined by this specification allow reference to "external" URIs. Care MUST be taken when accessing data at external URIs as malicious content could be present. Clients SHOULD ensure that suitable permission is granted by calendar users before such URIs are dereferenced.
The "REFRESH-INTERVAL" property could be used by an attacker to make a client carry out rapid requests to the server hosting the calendar by specifying a very short duration (e.g., one second). This could lead to resource consumption on the client or server and to denial- of-service attacks against the server. Clients MUST ensure that they throttle requests to the server to a reasonable rate. In most cases, updating a public calendar once per day would suffice. If the "REFRESH-INTERVAL" is any less than that, clients SHOULD warn the calendar user and allow them to override it with a longer value.
The "CONFERENCE" property can include a "FEATURE" property parameter with a "MODERATOR" value. In some cases, the access code used by the owner/initiator of a conference might be private to an individual, and clients and servers MUST ensure that such properties are not sent to attendees of a scheduled component.
Both the "COLOR" and "IMAGE" properties are likely to be used by calendar users to express their own personal view of the calendar data. In addition, these properties could be used by attackers to produce a confusing display in a calendar user agent. When such properties are encountered in calendar data that has come from other calendar users (e.g., via a scheduling message, "public" calendar subscription, etc.), it is advisable for the client to give the receiving calendar user the option to remove (or adjust) these properties as the data is imported into their calendar system.
This specification changes the recommendations on how "UID" property values are constructed to minimize leaking any information that might be security sensitive.
Security considerations in [RFC5545] and [RFC5546] MUST also be adhered to.
This document was automatically converted to XHTML using an RFC to HTML converter with the original text document at the Internet Engineering Task Force web site at ietf.org . The original text document should be referred to if there are any errors or discrepancies found in this document.
Need to test your iCalendar feeds? The iCalendar Validator provides developers and testers a method to validate their iCalendar feeds, which can take data from either a URL, file or text snippet and compare it against the RFC 5545 specification. We believe we have one of the best iCalendar validation tools available on the internet. More information about the validator can be found here.