-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC2499: Fixes for Well-known URIs #2499
base: main
Are you sure you want to change the base?
Conversation
78d3a47
to
9270c4c
Compare
Signed-off-by: Aaron Raimist <[email protected]>
9270c4c
to
2f19796
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally ok except one small addition, please.
changed from `FAIL_PROMPT` to `IGNORE` so that a non 200 response is treated in the same | ||
way as 404. This change is intended to fix issues like https://github.com/vector-im/riot-web/issues/7875. | ||
|
||
This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In relation to this issue, I think it's worth clarifying in the spec that as long as a fully qualified MXID is supplied and the .well-known lookup fails for whatever reason, the client MUST NOT use whichever default server it might have. IGNORE
description in the spec isn't quite clear on that; actually, it almost encourages the behaviour described in the issue by saying that the client can use "default values" to fill in required parameters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You know what, actually reading the spec again maybe FAIL_PROMPT is the correct thing to do but Riot just isn't doing that. Riot is doing something closer to a FAIL_ERROR, rather than a FAIL_PROMPT. I'm thinking IGNORE should just be removed from the spec completely and 3a and 3b should be a FAIL_PROMPT.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wouldn't be so harsh on IGNORE - it allows the user to go without an unneeded roadbump in 3a in case the client managed to get the clear message from the server that there's no .well-known support here. The IGNORE description is too affording though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah it would be nice if there was no extra step but if using defaults values is removed from IGNORE then how will the client find out the server URL? The only way is to prompt the user unless I am missing something. So it would be the same as FAIL_PROMPT.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably the spec should be clear about the scope of cases for auto-discovery. Specifically, if the user entered a fully qualified MXID, only then auto-discovery kicks in. Using the default value in a situation when the serverpart is already provided but the server happens to have .well-known not quite ideally configured (i.e. step 3b) is definitely the wrong way out. Asking the user to confirm that the server is correct because auto-discovery fell short is the right way but both IGNORE and FAIL_PROMPT speak about that anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FAIL_PROMPT
is probably still correct, I think. Element (then Riot) likely has a bug in this area, though its UX doesn't really lend itself to "prompting" the user. It should probably offer the ability to continue anyways, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I'll take this out.
Signed-off-by: Aaron Raimist <[email protected]>
changed from `FAIL_PROMPT` to `IGNORE` so that a non 200 response is treated in the same | ||
way as 404. This change is intended to fix issues like https://github.com/vector-im/riot-web/issues/7875. | ||
|
||
This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FAIL_PROMPT
is probably still correct, I think. Element (then Riot) likely has a bug in this area, though its UX doesn't really lend itself to "prompting" the user. It should probably offer the ability to continue anyways, though.
1. The maximum size of size of the well-known file is 51200 bytes. A client or server | ||
requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't a super realistic thing that can be applied by clients: if the server admin has configured the server so badly that a 10gb JSON file is being served then so be it. It's just not in the server admin's interest to attack bandwidth in this way given the costs they would be incurring from their ISP/service provider.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least for native clients (and servers) it's fairly easy to abort on 51201st byte but FAIL_PROMPT
looks a bit dubious here: should the client re-request .well-known or rather just continue (rather than abort) receiving the payload after confirming with the user? And yes, generally there's no incentive to attack in that way of course; but a recommendation to protect receiving sides from such misconfigurations wouldn't hurt, would it? Maybe not as MUST but as SHOULD.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not convinced that this endpoint specifically needs this recommendation though: surely we should be applying this to all endpoints like profiles, sync, etc...
It feels like another MSC's problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's fine, I can leave it to another MSC. The main reason for including it here is because Synapse has already implemented this limit for the server well-known so a well-known bigger than that already isn't going to work with most servers. If it was specced then at least people could expect there is some reasonable limit on the size.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be a bit surprised if people expected 1mb json files to work for this use case, honestly. I think it's reasonable for clients/servers to impose their own limits, and iirc Synapse only really limited the JSON file size on server-server because federation has tiny timeouts (typically), so read delays are not ideal.
Signed-off-by: Aaron Raimist <[email protected]>
Co-authored-by: Travis Ralston <[email protected]>
Signed-off-by: Aaron Raimist <[email protected]>
Signed-off-by: Aaron Raimist <[email protected]>
Co-authored-by: Vladimir Panteleev <[email protected]>
Rendered
Intended to address:
https://github.com/matrix-org/matrix-doc/issues/1919
https://github.com/matrix-org/matrix-doc/issues/1896
https://github.com/matrix-org/matrix-doc/issues/2335
If there are any other issues with the client well-known that I've missed let me know so there doesn't need to be a followup MSC.