Specify Content-Type and Content-Disposition usage in the media repo #1935
Conversation
Co-authored-by: Travis Ralston <[email protected]> Signed-off-by: Kévin Commaille <[email protected]>
Signed-off-by: Kévin Commaille <[email protected]>
Signed-off-by: Kévin Commaille <[email protected]>
Signed-off-by: Kévin Commaille <[email protected]>
I am not sure how to write up #1758 (comment) as I don't know where it's explained why it is safe. |
My understanding on that topic is:
|
edit: I wrote this and submitted it before seeing tulir's comment. We're saying effectively the same thing, and their explanation is clearer
I don't know of a place where it's written down yet, but have had this conversation on matrix several times with different people. I believe the reason it's safe is that it should not be possible for a file with a When I've seen claims that it is not safe, usually these are thinking about a case where a malicious client uploads an XSS-triggering file and then sets the incorrect The thing that is actually unsafe is mixing and matching between the user-provided |
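The rule the comment above is reasoning about, written out as an added example (this is not code from the PR, from the Matrix spec text, or from any homeserver): the `Content-Type` recorded at upload time is served back verbatim rather than re-derived from the filename or the bytes, `Content-Disposition: inline` is paired only with types a browser cannot execute, everything else goes out as an attachment, and `X-Content-Type-Options: nosniff` stops the browser from second-guessing the declared type. The `INLINE_SAFE_TYPES` allowlist, the `serve_headers` helper and the sample upload metadata are assumptions constructed for this example, not the spec's own list or any project's API.

```python
from urllib.parse import quote

# Illustrative allowlist of types safe to render inline (an assumption for this
# example, not the spec's own list). Anything a browser could execute or that
# can carry script (text/html, image/svg+xml, application/javascript, ...) is
# deliberately absent and therefore falls back to attachment.
INLINE_SAFE_TYPES = frozenset({
    "image/jpeg", "image/gif", "image/png", "image/apng", "image/webp", "image/avif",
    "video/mp4", "video/webm", "video/ogg",
    "audio/mp4", "audio/webm", "audio/mpeg", "audio/ogg", "audio/wav", "audio/flac",
    "text/plain",
})


def normalize_content_type(content_type):
    """Lowercase the media type and drop parameters such as charset.

    Parameters are stripped so that 'text/html; charset=utf-8' cannot slip
    past a comparison that only knows about 'text/html'. A missing or empty
    type is treated as an opaque binary blob.
    """
    if not content_type:
        return "application/octet-stream"
    bare = content_type.split(";", 1)[0].strip().lower()
    return bare or "application/octet-stream"


def content_disposition(content_type, filename):
    """Build the Content-Disposition value from the stored upload metadata.

    `inline` is only ever paired with an allowlisted type; the filename has
    CR/LF (header injection) and path separators removed, and non-ASCII or
    quote-bearing names are emitted through the RFC 5987 filename* form.
    """
    bare = normalize_content_type(content_type)
    disposition = "inline" if bare in INLINE_SAFE_TYPES else "attachment"
    if not filename:
        return disposition
    clean = filename.replace("\r", "").replace("\n", "")
    clean = clean.replace("/", "_").replace("\\", "_")
    if clean.isascii() and '"' not in clean:
        return f'{disposition}; filename="{clean}"'
    return f"{disposition}; filename*=utf-8''{quote(clean, safe='')}"


def serve_headers(stored):
    """Response headers for a GET on an uploaded file.

    `stored` is the metadata the repo recorded at upload time (a constructed
    dict in this example). The unsafe pattern the discussion warns about is
    mixing sources: deciding the type from the filename extension while the
    disposition comes from the uploader's declared type, or vice versa. Here
    both headers derive from the same stored content type, which is served
    untouched, and nosniff keeps the browser from reinterpreting it.
    """
    stored_type = stored.get("content_type") or "application/octet-stream"
    return {
        "Content-Type": stored_type,
        "Content-Disposition": content_disposition(stored_type, stored.get("filename")),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample uploads: a benign image, an HTML file a malicious
    # client uploaded hoping it would render inline, and an HTML payload
    # mislabelled as image/png (served as image/png + nosniff, so it is not
    # interpreted as a document).
    samples = [
        {"content_type": "image/png", "filename": "cat.png"},
        {"content_type": "text/html; charset=utf-8", "filename": "payload.html"},
        {"content_type": "image/png", "filename": "not-really-an-image.html"},
        {"content_type": "image/png", "filename": "résumé.png"},
    ]
    for meta in samples:
        print(meta["filename"], "->", serve_headers(meta))
```

The decision is made on the bare media type but the full stored header value (including any charset parameter) is what gets served, so the two headers can never disagree about what the file is.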
This PR doesn't change the |
The reason that I didn't change it is because the description is vague and says:
I took that as "use the same rules for those headers as the CS API", but maybe it needs to be spelled out. In any case the SS endpoint should return the filename in |
I'd definitely be in favor of either explicitly stating that the requirements are the same as the CS API or explicitly stating that they are not. If the filename is the only thing that matters the spec should state that so that implementers aren't guessing whether the vagueness was a mistake. |
Signed-off-by: Kévin Commaille <[email protected]>
Thanks to the both of you, I whipped up a paragraph based on your explications. |
Supersedes #1758.
As per MSC2701 and MSC2702.
Pull Request Checklist
Preview: https://pr1935--matrix-spec-previews.netlify.app