From 78d3a47e37c86f5843a56c33e3a792113ad235f1 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 13 Apr 2020 18:50:53 -0500 Subject: [PATCH] Create MSC with fixes for client well-known Signed-off-by: Aaron Raimist --- proposals/xxxx-client-well-known-fixes.md | 35 +++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 proposals/xxxx-client-well-known-fixes.md diff --git a/proposals/xxxx-client-well-known-fixes.md b/proposals/xxxx-client-well-known-fixes.md new file mode 100644 index 00000000000..5ddbfb319c0 --- /dev/null +++ b/proposals/xxxx-client-well-known-fixes.md @@ -0,0 +1,35 @@ +# MSCXXXX: Fixes for Client Well-known URI + +Several minor issues and inconsistencies have cropped up since the `/.well-known/matrix/client` +method was added to allow clients to discover servers. This proposal intends to fix these issues. + +## Proposal + +The following changes should be made to the client server spec: + +1. The spec does not mention that redirects should be followed. The spec should be changed to +state that when a client is looking up the well-known URI, it should follow HTTP 3xx redirects +up to 30 times. This is consistent with the redirects followed when a server resolves a +server name using `/.well-known/matrix/server`. + +1. Currently the spec does not mention which Content-Type should be used for the response to +`/.well-known/matrix/client`. The Content-Type SHOULD be `application/json` however it +should be assumed to be JSON regardless of type. This is consistent with the Server-Server API. + +1. When a client is following the flow described in the spec for looking up `/.well-known/matrix/client`, +the spec currently states, in part: + + > 3․ Make a GET request to https://hostname/.well-known/matrix/client.
+ >> a․ If the returned status code is 404, then `IGNORE`.
+ >> b․ If the returned status code is not 200, or the response body is empty, then `FAIL_PROMPT`. + + In practice most web servers do not add CORS headers on 404 errors by default. Therefore + web based clients cannot always determine if the status code is 404. Step 3b should be + changed from `FAIL_PROMPT` to `IGNORE` so that a non 200 response is treated in the same + way as 404. This change is intended to fix issues like https://github.com/vector-im/riot-web/issues/7875. + + This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136. + +1. Step 3f in the flow should be changed to use the modern `/_matrix/identity/v2` API to +validate the identity server rather than the deprecated `/_matrix/identity/api/v1`. Clients +should fall back to the v1 API as described in the identity service spec.