Thanks for taking the time to reply.
Ideally, client-side validation on top of Y.js only permits valid transactions. Assuming only malicious clients circumvent client-side validation, it will be OK if their client behavior will be impaired.
I’m using yrs – the Rust port – and the public API there is currently too limited to dig deeper.
Anyway, I’m surprised that this lack of validation is not an issue for more users.
As an example a malicious user could spam a ydoc with hidden data, e.g.
doc.transact(() => { doc.getText("hidden-data").insert(0, <incompressible garbage>)})
which would make all updates and future syncs larger, possibly escalating to a denial of service, if I understand correctly. A middleware or just some filtering function would be able to prevent the distribution of such updates.